4709 Views, 0 Helpful, 3 Replies

Assigning Static IPs to VPN clients using AnyConnect w/Windows RADIUS

isaacappleman
Level 1

Hello!

    This might be somewhat esoteric, I can't seem to find any info on it, but if I missed a post or document somewhere, please by all means hook me up with a link!

     We currently use Cisco ACS for Windows and a VPN Concentrator for our VPN solution.  ACS allows us to assign static local IPs to incoming clients based on their login profile.  This is great because it allows us IT folk (and some engineers) to keep our static IPs so that the firewalls allow us proper access to production, etc. when we VPN in.

My question/problem is 2-fold, but related.

1) How do we duplicate that sort of thing with Cisco ASA's using SSL?  I managed to get WebVPN setup with AnyConnect and I can connect remotely and login with my ACS username/password (although the only way I can test is to RDP into our Geneva location and you can't run AnyConnect while VPN'd, but at least I get through the login and client install, which is promising).  I can't seem to find any way to specify a static IP for specific logins.

2) We'd like to ditch the Cisco ACS and move to using our internal Windows Active Directory for a single-sign-on solution.  Will I still be able to use the static IP assignment from question 1 if we do this?  And... how *do* you do this?  I designed the internal DC as a RADIUS server and thought it was configured right, but it still uses my ACS info when I try to VPN in.

Thank you ahead of time!

Isaac

3 Replies

Jennifer Halim
Cisco Employee

1) On the ASA, you can change the address assignment from local pool, to AAA assign.

Command: vpn-addr-assign aaa:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1644603

I assume that you already know how to configure the ACS server since you've already used the same for your VPN Concentrator.

2) Same as above, since you are using the same RADIUS protocol; all you need is to enable address assignment AAA for VPN.

Hope that answers your questions.

Hi Jennifer,

Thank you for your reply.  I did find that vpn-addr-assign aaa was set to "no".  I've looked through the ASDM and those instructions in that link; I must be missing something: how do I tell it where the RADIUS server is?  It's currently using TACACS and pointing to the ACS server.

Do I have to keep the ACS?  We're trying to ditch it, and point the firewall directly at the Windows domain controller.  Is it necessary to have the ACS setup as a go-between?  I'd prefer to point directly from the ASA to the Windows AD if possible.

This might help; these are chunks of the config that I thought might be relevant (there are 3 Site VPNs setup and the standard user VPN):

If possible, I'd like to keep the old, original Cisco client-based VPN up while activating the AnyConnect/WebVPN VPN.

dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host X.X.X.14
 key *****
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
crypto ipsec transform-set A esp-3des esp-md5-hmac
crypto ipsec transform-set B esp-3des esp-sha-hmac
crypto ipsec transform-set C esp-des esp-md5-hmac
crypto ipsec transform-set ClientlessVPN esp-3des esp-md5-hmac
crypto ipsec transform-set ClientlessVPN mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map hood 1 match address 101
crypto map hood 1 set peer A.A.A.4
crypto map hood 1 set transform-set snowyway
crypto map hood 2 match address 104
crypto map hood 2 set peer B.B.B.67
crypto map hood 2 set transform-set waltham
crypto map hood 3 match address 105
crypto map hood 3 set peer C.C.C.66
crypto map hood 3 set transform-set waltham
crypto map hood interface outside
crypto ca trustpoint L-TP
 enrollment self
 crl configure
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 1000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
~
webvpn
 enable outside
 svc image disk0:/anyconnect-win-3.0.07059-k9.pkg 1
 svc profiles WebVPN disk0:/webvpn.xml
 svc enable
 tunnel-group-list enable
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 dns-server value X.X.X.6 X.X.X.11
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 default-domain value phtcorp.com
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc profiles value WebVPN type user
  svc ask enable default svc timeout 10
  always-on-vpn profile-setting
~
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool WebVPN
 authentication-server-group TACACS+
 default-group-policy GroupPolicy1
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server X.X.X.11 master timeout 2 retry 2

Here is a sample configuration to use ACS radius as authentication:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008080f2d1.shtml

If you point directly to AD, you can only perform authentication; I don't believe that you can assign an IP address directly using LDAP, the protocol which AD uses. However, you can enable the IAS service on your AD, which runs on the RADIUS protocol, and it can be used to assign IP addresses.
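The two replies above say the same thing from different angles: the ASA only honours a per-user address when `vpn-addr-assign aaa` is on and the tunnel-group authenticates against a RADIUS server group, and the RADIUS Access-Accept must carry the address in the Framed-IP-Address attribute (RADIUS attribute 8). In the config pasted in the thread, `vpn-addr-assign aaa` is off, the `RADIUS` server group has no host defined, and `DefaultWEBVPNGroup` still authenticates against the `TACACS+` group, which is why logins keep landing on the ACS. The following is an added example, not configuration from the thread or from Cisco documentation; it reuses the group, pool and policy names from the pasted config, and the server address `10.0.0.20` and the shared secret are placeholders for the Windows IAS/NPS host and its key.

```cisco
! Added example, not from the thread. Placeholders: 10.0.0.20 stands in for the
! domain controller running IAS/NPS, and the key for the real shared secret.
!
! 1. Give the existing RADIUS server group a host: the Windows IAS/NPS server.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.20
 key ChangeMeSharedSecret
 authentication-port 1812
 accounting-port 1813
!
! 2. Let AAA choose the client address. The ASA takes the address from the
!    Framed-IP-Address attribute in the Access-Accept; keeping the local pool
!    enabled gives users whose reply carries no Framed-IP-Address a pool address.
vpn-addr-assign aaa
vpn-addr-assign local
!
! 3. Point the AnyConnect tunnel-group at RADIUS instead of TACACS+ (the ACS).
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool WebVPN
 authentication-server-group RADIUS
 default-group-policy GroupPolicy1
```

On the Windows side, the per-user address is the "Assign a Static IP Address" setting on the user's Dial-in tab in Active Directory Users and Computers; IAS/NPS returns it as Framed-IP-Address when the connection request matches a policy that allows access. Before cutting users over, check the server group with `test aaa-server authentication RADIUS host 10.0.0.20 username <user> password <password>` and, after a test login, confirm the assigned address with `show vpn-sessiondb svc`. Keep the statically assigned addresses outside the `WebVPN` pool range so a pool-assigned client can never collide with an IT user's fixed address, since the firewall rules that grant those fixed addresses production access are exactly what you do not want handed to an arbitrary pool user. The `authentication-port` and `accounting-port` lines are optional: the ASA defaults to 1645/1646 and IAS listens on both port pairs by default, but pinning them to 1812/1813 avoids a silent mismatch if the Windows side is later restricted to the standard ports.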