Greetings to the Community
I am trying to figure out a clean solution for the following scenario. I have my PIX 515E (8.0(4)24) configured for VPN access. In the VPN configuration, I am using an RA tunnel group configured to use Windows 2003 IAS to authenticate users against active directory based on group membership and using a local IP pool for address assignment. This all works fine. I got a request from a single user to have a static IP assigned from the pool. I read that one way you can do this is to get into the user properties in Active Directory for the user and in the dial-in tab tick the box for 'Assign a static IP address' to have it give the particular user a static address for VPN, but it does not work. What I would like the PIX to do is assign addresses from the local pool unless there is an address assignment configuration in RADIUS. Basically does the PIX honor the IP assigned via RADIUS even if the tunnel group is configured for a local IP pool or do I need to configure the tunnel group to use AAA address assingment for the AD dial-in config to work at all? Does anyone know if the PIX functions this way? I configured the user in AD for this but it does not work. I also have the no vpn-addr-assign aaa command enabled in there which might be the whole issue. I will try to change this in the next window and see if it flies then. Just wanted to see if the PIX works this way or if I am way off here. Thanks in advance.
Yes, you can do this. You need to configure an att-mapping as well for this to work. Please check the following document:
*You do need both the vpn-addr-assign aaa and vpn-addr-assign local
Thanks for the reply. I tried to access this link but I can't with my login. I guess I don't have the correct perms to see it which is odd. Do you have another link I can try. I am not sure what you mean by 'att-mapping' . Can you elaborate some? Thanks again for the reply.
Thanks for the reply here. I can see the document now. Can you tell me would the LDAP attribute-map be valid here if I am using RADIUS auth (not using LDAP directly, just the IAS RADIUS server in windows)? Or would I just need to enable IP AAA command for this to work? Thanks again for the help.
OK I was able to get this going last night. The key was just to add the vpn-addr-assign aaa command. Then it worked great. The only thing thats missing now is that its not setting the net mask correctly. The mask is part of the local pool config and I am not sure in IAS how I can set it. Perhaps a RADIUS attribute of some sort. One issue I did not mention is that I am using OSPF on this PIX and its redistributing the /32 routes for the VPN IP assignments throughout my network so that VPN hosts can get around. This still works correctly even when assigning the address via AAA. So the bottom line is that the tunnel group assigns the address for local if configured with a local pool but can be overridden by setting an IP in the user properties in Active Directory. For those who care in the future about doing this, here is the relevant config I have that makes it work:
tunnel-group ras type remote-access
tunnel-group ras general-attributes
authentication-server-group RADIUS LOCAL
tunnel-group ras ipsec-attributes
group-policy colo-ras internal
group-policy colo-ras attributes
split-tunnel-network-list value colo-ras-split-tunnel
default-domain value altn.int
ip local pool colo-ras 10.20.90.129-10.20.90.157 mask 255.255.255.224
Thanks for the help.