
Assign static IP through LDAP

Hi all:

I wonder if it's possible to assign a VPN user a static IP. The authentication is done via LDAP, and I saw that on the LDAP server there is a field where you can configure an IP address. Is it possible for the ASA to read it and assign it to the user, or does it have to be configured on the ASA?

Thanks so much,

Francisco


Unfortunately, the LDAP server does not automatically assign the correct subnet mask to the VPN client. You would need to configure the following attribute map: "IETF-Radius-Framed-IP-Netmask".

You can use a common attribute, for example calling station ID (which is always going to be the ASA IP address), and assign the right subnet mask of 255.255.255.0 using the "IETF-Radius-Framed-IP-Netmask".

...and what if the ASA doesn't assign the correct IP although it reads the parameter on the LDAP server OK?

You should remove the following:

vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 0

As you are assigning the IP from AAA, you should only have "vpn-addr-assign aaa".

Sorry, but I didn't understand you. How can I know what the attribute name on LDAP for the netmask is? I was searching but I didn't find it.

I don't know what the calling station ID attribute is; is it the map-name?

Edit: If I remove the vpn-addr-assign local reuse-delay 0 command, the tunnel doesn't work, that is, the ASA doesn't assign the IP from the LDAP server...

Hi Francisco,

Did you manage to get the configuration working?

I also intend to do something similar.

The only difference is that my IPs are static host IPs.

Error log:

<188>:Nov 30 01:12:27 SGT: %ASA-ipaa-4-737019: IPAA: Unable to get address from group-policy or tunnel-group local pools

<189>:Nov 30 01:12:31 SGT: %ASA-ipaa-5-737007: IPAA: Local pool request failed for tunnel-group 'DefaultWEBVPNGroup'

<188>:Nov 30 01:12:31 SGT: %ASA-ipaa-4-737012: IPAA: Address assignment failed

<189>:Nov 30 01:12:31 SGT: %ASA-vpn-5-750006: Local:202.6.172.140:4500 Remote:101.101.101.101:53973 Username:user1 SA UP. Reason: New Connection Established

<189>:Nov 30 01:12:31 SGT: %ASA-vpn-5-751007: Local:202.6.172.140:4500 Remote:101.101.101.101:53973 Username:user1 Configured attribute not supported for IKEv2. Attribute: IP Compression

<189>:Nov 30 01:12:31 SGT: %ASA-vpn-5-751007: Local:202.6.172.140:4500 Remote:101.101.101.101:53973 Username:user1 Configured attribute not supported for IKEv2. Attribute: Auth on Rekey

<189>:Nov 30 01:12:31 SGT: %ASA-vpn-5-751007: Local:202.6.172.140:4500 Remote:101.101.101.101:53973 Username:user1 Configured attribute not supported for IKEv2. Attribute: NAC

User authentication was successful.

[40] Processing LDAP response for user user1

[40] Message (user1):

[40] Authentication successful for user1 to 192.168.1.11
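
Added example, not part of the thread or of any Cisco tooling: a small Python triage script that reads syslog lines in the format of the excerpt above and lists users whose SA came up within a few seconds of an "Address assignment failed" event. The sample lines are constructed (documentation addresses, a hypothetical user2), and the 5-second window and function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Layout taken from the excerpt: <pri>:Mon DD HH:MM:SS TZ: %ASA-class-sev-id: text
LINE = re.compile(r"^<\d+>:(\w{3}\s+\d+ \d\d:\d\d:\d\d) \w+: "
                  r"%ASA-(\w+)-(\d)-(\d{6}): (.*)$")
USER = re.compile(r"Username:(\S+)")
ADDR_FAIL = "737012"  # "IPAA: Address assignment failed" in the excerpt
SA_UP = "750006"      # "... Username:<user> SA UP." in the excerpt

def parse(text):
    """Yield (time, class, msgid, message) for each ASA line; skip others."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            # The lines carry no year; a fixed one is assumed for time deltas.
            ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(4), m.group(5)

def sessions_without_address(text, window=timedelta(seconds=5)):
    """Users whose SA came up within `window` of an address assignment failure."""
    events = list(parse(text))
    fails = [t for t, _, mid, _ in events if mid == ADDR_FAIL]
    hits = []
    for t, _, mid, msg in events:
        user = USER.search(msg)
        if mid == SA_UP and user and any(abs(t - f) <= window for f in fails):
            hits.append((user.group(1), t.strftime("%b %d %H:%M:%S")))
    return hits

# Constructed sample: user1 connects right after a failure, user2 does not.
SAMPLE = """\
<188>:Nov 30 01:12:27 SGT: %ASA-ipaa-4-737019: IPAA: Unable to get address from group-policy or tunnel-group local pools
<188>:Nov 30 01:12:31 SGT: %ASA-ipaa-4-737012: IPAA: Address assignment failed
<189>:Nov 30 01:12:31 SGT: %ASA-vpn-5-750006: Local:192.0.2.1:4500 Remote:198.51.100.7:53973 Username:user1 SA UP. Reason: New Connection Established
<189>:Nov 30 02:40:10 SGT: %ASA-vpn-5-750006: Local:192.0.2.1:4500 Remote:198.51.100.9:40112 Username:user2 SA UP. Reason: New Connection Established
"""

if __name__ == "__main__":
    for user, when in sessions_without_address(SAMPLE):
        print(f"{when} {user}: SA up, but address assignment failed nearby")
```

The match is by time only, since the IPAA lines in the excerpt carry no username, so on a busy gateway a hit is a lead to check rather than a confirmed pairing.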

Hello limlayhin

Yes, it worked but I don't remember how. I hope someone could help you in this matter.

Sorry and regards