12-13-2012 04:49 PM
I have an ASA5510 using AnyConnect going back to a RADIUS server. I would like to control who gets what IP address using RADIUS, as I am using it for 802.1x for wired switches and wireless APs.
Preference one would be for the computer to send the computer name so it matches the 802.1x machine authentication, but I don't think that is possible.
So for the second preference, I have 3 Group Policies set up: Business, SoftSupport, and Ops Support. I have a different address pool tied to each GP. I would like to have the username looked up in a Network Policy, then come back and grant or deny permission if they are not in a specific Windows Security Group.
When I looked at the connection info in the NPS server, I didn't see any kind of attribute I could use such as calling station ID.
group-policy WebVPN-Business internal
group-policy WebVPN-Business attributes
 dns-server value 10.43.1.4
 dhcp-network-scope 10.43.1.254
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_TEST_splitTunnelAcl
 default-domain value internal.int
 address-pools value DHCP_Business
group-policy WebVPN-OpsSupport internal
group-policy WebVPN-OpsSupport attributes
 dns-server value 10.43.1.4
 dhcp-network-scope 10.43.1.254
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_TEST_splitTunnelAcl
 default-domain value internal.int
 address-pools value DHCP_OpsSupport
group-policy WebVPN-SoftSupport internal
group-policy WebVPN-SoftSupport attributes
 dns-server value 10.43.1.4
 dhcp-network-scope 10.43.1.254
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_TEST_splitTunnelAcl
 default-domain value internal.int
 address-pools value DHCP_SoftSupport
12-18-2012 04:32 AM
Hi Christopher,
As far as I'm aware, you can't assign an IP address to a VPN connection using RADIUS attributes.
However, you can assign an IP to the user object in Active Directory which will be passed to the client after RADIUS authentication.
Two ways to do this:
1. In AD go to the 'Dial-In' tab and there is an option to 'Assign Static IP Address'. Enter the IP address as required.
2. If you don't have the 'Dial-In' tab (you have to add the dlls in W2K8) then you can assign it using the 'msRADIUSFramedIPAddress' attribute. The IP must be converted from decimal, to binary, and then to an integer for the attribute to recognise it.
You might be able to get RADIUS to pass the msRADIUSFramedIPAddress to the client, but I'm not sure how at the moment.
HTH
Paul
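Added example (not from the thread, and not Cisco or Microsoft code): the conversion step in option 2 above. AD stores msRADIUSFramedIPAddress as a signed 32-bit integer, so an address at or above 128.0.0.0 shows up as a negative number in ADSI Edit; entering the unsigned value is the usual mistake. The sample addresses 10.43.1.100 and 192.168.1.10 are constructed for the demonstration.

```python
import ipaddress
import struct

# Example added to illustrate the reply above; not the thread's own code.
# msRADIUSFramedIPAddress is a signed 32-bit integer in the AD schema, so the
# dotted address is packed in network byte order and read back as a signed int.


def framed_ip_to_ad_integer(ip: str) -> int:
    """Dotted IPv4 address -> value to store in msRADIUSFramedIPAddress."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("msRADIUSFramedIPAddress holds IPv4 addresses only")
    # '!i' = big-endian signed 32-bit; 192.168.1.10 therefore becomes negative.
    return struct.unpack("!i", addr.packed)[0]


def ad_integer_to_framed_ip(value: int) -> str:
    """Reverse: the integer as displayed by AD -> dotted IPv4 address."""
    if not -2**31 <= value < 2**31:
        raise ValueError("value is outside the signed 32-bit range AD accepts")
    return str(ipaddress.IPv4Address(struct.pack("!i", value)))


def render_attribute_values(ips):
    """(ip, unsigned, signed) rows so an admin can see which form AD wants."""
    rows = []
    for ip in ips:
        signed = framed_ip_to_ad_integer(ip)
        unsigned = signed % 2**32          # what an online calculator usually shows
        rows.append((ip, unsigned, signed))
    return rows


if __name__ == "__main__":
    # Constructed sample addresses; 10.43.1.100 sits in the poster's 10.43.1.0 range.
    for ip, unsigned, signed in render_attribute_values(["10.43.1.100", "192.168.1.10"]):
        print(f"{ip:>15}  unsigned={unsigned:<11} msRADIUSFramedIPAddress={signed}")
```

The round trip through ad_integer_to_framed_ip is the check worth running after editing the attribute: if the value you typed does not decode back to the address you meant, the user will be handed the wrong IP or none at all.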
12-18-2012 05:32 AM
I just noticed your paragraph about the second preference! This can be done using NPS.
You need to create a Network Policy on the NPS server for each AnyConnect Group Policy. In the Network Policy, add a Standard RADIUS attribute with the following settings:
Attribute name: Class
Attribute number: 25
Enter the attribute value in: String
Value: OU=name_of_group_policy
For example, if you have an AnyConnect Group Policy called Business, create a Network Policy and add the Class Standard RADIUS attribute. Give the Class attribute a value of OU=Business. In the Network Policy Conditions, add a Windows Groups condition, where the value is a Windows Group that contains the relevant Business users. Set the Network Policy to allow access.
Repeat for each Group Policy.
HTH,
Paul
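Added example, not part of the thread: a small consistency check for the NPS-to-ASA mapping described in the reply above. The ASA selects the group policy whose name equals the text after OU= in the returned Class attribute, so the value has to match the ASA group-policy name character for character. The poster's policies are named WebVPN-Business, WebVPN-OpsSupport and WebVPN-SoftSupport, so a Class value of OU=Business (the generic example in the reply) would not select any of them. The group-policy text below is taken from the question; the NPS policy names and Class values are constructed to show one such mismatch.

```python
import re
from typing import Dict, List, Optional, Tuple

# Group-policy lines from the question above (ASA running-config excerpt),
# trimmed to the attributes the check needs.
ASA_CONFIG = """\
group-policy WebVPN-Business internal
group-policy WebVPN-Business attributes
 dns-server value 10.43.1.4
 dhcp-network-scope 10.43.1.254
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_TEST_splitTunnelAcl
 default-domain value internal.int
 address-pools value DHCP_Business
group-policy WebVPN-OpsSupport internal
group-policy WebVPN-OpsSupport attributes
 address-pools value DHCP_OpsSupport
group-policy WebVPN-SoftSupport internal
group-policy WebVPN-SoftSupport attributes
 address-pools value DHCP_SoftSupport
"""

# Constructed: (NPS Network Policy name, Class attribute value it returns).
NPS_POLICIES: List[Tuple[str, str]] = [
    ("VPN-Business", "OU=Business"),               # does not match WebVPN-Business
    ("VPN-OpsSupport", "OU=WebVPN-OpsSupport"),
    ("VPN-SoftSupport", "OU=WebVPN-SoftSupport"),
]


def parse_group_policies(config: str) -> Dict[str, Dict[str, str]]:
    """Map each group-policy name to its attribute lines ({'address-pools': 'DHCP_Business', ...})."""
    policies: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        m = re.match(r"^group-policy (\S+) (internal|attributes)$", line)
        if m:
            name, kind = m.groups()
            policies.setdefault(name, {})
            current = name if kind == "attributes" else None
            continue
        if line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            if value.startswith("value "):       # 'address-pools value X' -> 'X'
                value = value[len("value "):]
            policies[current][key] = value
        else:
            current = None                        # left the attributes block
    return policies


def class_to_group_policy(class_value: str) -> Optional[str]:
    """'OU=Name' (optionally 'OU=Name;') -> 'Name'; None if not in that form."""
    m = re.fullmatch(r"OU=([^;]+);?", class_value.strip())
    return m.group(1) if m else None


def audit(policies: Dict[str, Dict[str, str]],
          nps_policies: List[Tuple[str, str]]) -> List[str]:
    """Report Class values that select nothing, policies without pools, and shared pools."""
    findings: List[str] = []
    for nps_name, class_value in nps_policies:
        gp = class_to_group_policy(class_value)
        if gp is None:
            findings.append(f"{nps_name}: Class value {class_value!r} is not OU=<group-policy>")
        elif gp not in policies:
            findings.append(f"{nps_name}: Class names group-policy {gp!r}, which is not "
                            f"configured on the ASA (configured: {sorted(policies)})")
        elif "address-pools" not in policies[gp]:
            findings.append(f"{nps_name}: group-policy {gp!r} has no address-pools")
    by_pool: Dict[str, List[str]] = {}
    for name, attrs in policies.items():
        pool = attrs.get("address-pools")
        if pool:
            by_pool.setdefault(pool, []).append(name)
    for pool, names in sorted(by_pool.items()):
        if len(names) > 1:
            findings.append(f"pool {pool!r} is shared by {names}; per-role ranges overlap")
    return findings


def run_audit() -> List[str]:
    return audit(parse_group_policies(ASA_CONFIG), NPS_POLICIES)


if __name__ == "__main__":
    for finding in run_audit() or ["no mismatches found"]:
        print(finding)
```

Run it against a copy of `show running-config group-policy` and the Class values exported from each NPS policy whenever a policy is renamed on either side; a renamed ASA group policy is the typical way users quietly stop receiving their role's address pool.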