09-22-2011 05:41 AM - edited 02-21-2020 05:36 PM
Hi.
We have the situation that we built an AnyConnect RAS solution for a lot of users who are stored on LDAP or RADIUS - we can choose what we like.
Now we have the problem that some of the users (round about 1.000) need the same static IP address out of a pool all the time, so they can pass firewalls behind the RAS connection.
I haven't found a possibility to add a static IP via DAP by LDAP or RADIUS Attributes and Values.
Does anybody know a solution for how we can assign a static IP to our RAS users? Any experience?
09-26-2011 05:08 AM
Hi Marco,
on the Radius server, configure the Framed-IP-address (IETF attribute 8) for each user, with the desired ip address as value.
hth
Herbert
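To make the Framed-IP-Address mechanism from Herbert's reply concrete, here is an added example (not code from the thread or from Cisco) that builds a RADIUS Access-Accept carrying IETF attribute 8 and then extracts it the way the NAS side does, including the Response Authenticator check from RFC 2865. The shared secret, request authenticator and address are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS packet code and attribute type from RFC 2865.
ACCESS_ACCEPT = 2
FRAMED_IP_ADDRESS = 8  # IETF attribute 8, the attribute named in Herbert's reply

def encode_attribute(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value(n)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_accept(identifier, request_authenticator, secret, framed_ip):
    """Build an Access-Accept carrying a Framed-IP-Address for one user."""
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)
    attrs = encode_attribute(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_attributes(packet):
    """Return the (type, value) attributes of a RADIUS packet, checking the lengths."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed RADIUS attribute")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs

def verify_response(packet, request_authenticator, secret):
    """Check the Response Authenticator the way the NAS (here the ASA) does."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def framed_ip_from_accept(packet, request_authenticator, secret):
    """Return the assigned static IP, or None if the reply fails verification."""
    if not verify_response(packet, request_authenticator, secret):
        return None
    for attr_type, value in parse_attributes(packet):
        if attr_type == FRAMED_IP_ADDRESS and len(value) == 4:
            return str(ipaddress.IPv4Address(value))
    return None
```

A reply built with the wrong shared secret yields no address at all, which is the behaviour you want when checking what your RADIUS server actually hands back per user.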
09-26-2011 06:17 AM
Herbert or others.
Is there any way to have the ASA authenticate against an RSA Authentication Manager but retrieve an IP address from a Radius (perhaps ACS) or LDAP source?
I am aware that I could 'chain' the Radius request through the ACS and provide the IP address in this manner, but I think I would then lose the advantages of the SDI integration between the ASA and the RSA server.
So my question, I presume, is... is it possible to provide the IP address as part of an 'authorisation' rather than an 'authentication' request/response.
09-26-2011 06:32 AM
Yes, you can use SDI authentication and Radius or LDAP authorization.
However, for Radius it's a bit tricky, because the Radius protocol only supports authentication and accounting, not authorization. Or rather, the authentication and authorization are done in one go. Hence, to do authorization the ASA needs to send an Access-Request, which needs to include the user's password. Obviously this would not work because the password is an OTP (or in a similar case, when using certificate authentication and Radius authorization, there is no password at all).
The solution the ASA developers have implemented to overcome this is to always send a fixed password in the Access-Request. This password is the same as the username by default, or you can configure it to be a certain string of your choice (but then it is the same for all users).
Hence, this solution will only work if you can configure your Radius server accordingly.
Alternatively, LDAP authorization does not have this limitation, since we can do an LDAP query without providing the user's password. You'll just need an LDAP attribute map to map LDAP attributes/values to ASA attributes/values.
hth
Herbert
09-26-2011 06:42 AM
Excellent pointers, thanks.
If we use ACS to store the IP addresses then we should be able to set the password to the same as the username with no issue.
If we decide to use LDAP then as you say it should be straightforward enough.
I'll look into the username/fixed password method you describe, thanks for the hint.
10-04-2011 06:44 AM
We tried it out - Framed-IP-address was correct and is working fine.
Now we're searching for a possibility to assign a Group Policy by an attribute. ACS has that feature, but how do you build that with FreeRadius? Maybe somebody knows that too.
Thanks a lot to everybody.