Using msft dhcp server for anyconnect dhcpools "pro/con, don't do it?"

tryingtofixit
Level 1

What is the consensus here about using msft DHCP server to assign out IPs for AnyConnect? I have read several threads here that don't paint it in a super positive light and mention several issues. I have the need for 1 group of AD users to get their own subnet, as I outlined in an earlier post. Using RADIUS vendor codes and a DHCP pool created on the ASA was a simple solution for that.

Now that I shift over to "possible" use of msft DHCP, how would this complicate things? I don't have 10 different AD groups that need 10 different subnets. Just two groups: our main group and our "special" group. The special group might expand to a max of maybe 3.

When moving to msft for DHCP AnyConnect pools, am I now inviting having multiple AnyConnect local XML profiles on the client side and on the ASA? Can DHCP with msft DHCP server be done using RADIUS? I really don't want to go down the LDAP road.

Thanks 


14 Replies

But I think I answered you: did you try using a cert-map?

And for external DHCP it is OK, there is no problem.

MHM

Thanks for the reply.

I can't give out certs to only specific users, that overcomplicates things. We already use AA and machine certs for auth now.

But as I have read, you can't reserve AnyConnect IPs in msft DHCP due to their extremely long MAC address. Below is a thread on that.

Re: assign dhcp pools for anyconnect based on AD group via radius - Cisco Community

Thanks

tryingtofixit
Level 1

Is using an external DHCP server limited to only physical interfaces? So if my AnyConnect is on the "outside" interface, I would have to configure DHCP relay on the "outside" interface? Sounds like a security risk to me if this is true.

No, do not use any DHCP relay. DHCP relay is needed in case some physical interface is connected to Ethernet and you need to use VLANs on the ASA, so then you might need DHCP relay.

This is not a rule for RA.

That's right, it's been my experience that you can't reserve IP addresses for AnyConnect clients, and the reason behind that is that the clients don't show their MAC addresses; instead what you get in the DHCP pool is a combination of the MAC address with the client identifier, which makes it unachievable. However, if you don't care about reserving the IP addresses then using MS DHCP server is absolutely a viable solution.

What you would need to do in that case is removing the local pool from the tunnel group config and replace it with the "dhcp-server" command, and then you would need to go into the interested group policy and define the DHCP scope, this applies only if you have multiple DHCP scopes but it is a best practice anyway.

tunnel-group < the tunnel group name > general-attributes
   no address-pool < the local pool name >
   dhcp-server < your MS DHCP server IP >

group-policy < the group policy name > attributes
   dhcp-network-scope < the scope subnet ID >

So I would have multiple group policies and tunnel-groups to match the pools.

tunnel-group corpvpnusers general-attributes
   dhcp-server 1.1.1.1

group-policy corpvpnusers attributes
   dhcp-network-scope 192.168.200.0

Doing this would not require multiple AnyConnect profile XML files on the workstation, would it? Guess I am missing how each tunnel group's IPs are assigned to the users based on their Active Directory group. Would this be done by RADIUS? tks


@tryingtofixit if you now want to use DHCP pools, then it is similar logic as per your other post that I responded to the other day. Use RADIUS, create the NPS policy to match on the AD group, then return the GP/dhcp scope unique to that AD group. You'd create multiple NPS policies matching on the different AD groups and returning a different value. If nothing is explicitly sent from the RADIUS server then the user would receive an IP address from the default settings (scope or pool) as configured under the tunnel-group or group-policy.

In NPS you'd have to configure the vendor specific attributes; Cisco's DHCP network scope attribute number is 61: https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/asdm72/general/asa-general-asdm/aaa-radius.html. Using the link I provided in the other post as a starting point - https://integratingit.wordpress.com/2022/01/30/asa-vpn-ip-pool-assignment-using-radius/ - set the "vendor assigned attribute number" to 61 instead of 217 (in that example).

I see no reason why you'd need unique anyconnect XML profiles, you can just match on conditions on the RADIUS server.

Use authorization profiles in ISE properly with radius attribute in advanced attributes settings:
CVPN3000/ASA/PIX7x-DHCP-Network-Scope =


BTW you can also still use the CVPN3000/ASA/PIX7x-Address-Pools = attribute as a backup for the situation when your MS DHCP HA is not available.


AnyConnect profiles wouldn't be required if the users have the drop down menu selection enabled, so they can select their right tunnel group, or, if the tunnel group attribute gets returned by the RADIUS server automatically based on the matched conditions such as an AD group as already mentioned by the others.

Yes, trying 100% to avoid a user having to select their tunnel group. Multiple choices for users = multiple support problems!

Then you can configure the RADIUS server to return the tunnel group attribute, in that case the users will be transparently landing into their tunnel group without any interaction from their side. Also, the tunnel group selection in this case can be disabled.

This is wrong; this way the ASA will generate a wrong DHCP relay agent IP: instead of the ASA IP, it will put the dhcp-network-scope IP there.

As a result you will have problems with the DORA process; O and A packets will be returned by MS DHCP back to the IP defined in dhcp-network-scope.

BTW it does not matter if it is defined locally in the ASA or received from the RADIUS attribute from ISE CVPN3000/ASA/PIX7x-DHCP-Network-Scope = X.Y.Z.0

X.Y.Z.0 is the scope in the MS DHCP network range = network ID with .0

Use DHCP link-selection RFC 3527, beware DHCP subnet-selection RFC 3011 is not working with MS DHCP.

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118084-configure-anyconnect-00.html


Simply said, your goal is getting your DHCP network scope into option 82, suboption 5 (link selection), for subnet 1.1.2.0, so RA clients will have IPs like 1.1.2.1 and so on, and in Relay agent IP address you need the IP of your ASA facing the DHCP server (probably the inside iface).
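As an added illustration of the relay-agent point above (example code, not from the thread or from Cisco), the following Python builds a relayed DHCPDISCOVER both ways and shows which scope a server would select and where the OFFER is returned. The ASA inside address 10.0.0.1 and the client MAC are constructed values; 1.1.2.0 is the scope from the post.

```python
import struct
import ipaddress

# Constructed values (not from the thread): the ASA's inside-facing address,
# which must be the relay agent IP (giaddr), and the AnyConnect scope network ID.
ASA_INSIDE_IP = "10.0.0.1"
CLIENT_SCOPE = "1.1.2.0"

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_RELAY_AGENT = 82            # RFC 3046 relay agent information
SUBOPT_LINK_SELECTION = 5       # RFC 3527 link selection (honoured by MS DHCP per the thread)
OPT_SUBNET_SELECTION = 118      # RFC 3011 subnet selection (not honoured by MS DHCP per the thread)

def build_relayed_discover(giaddr, link_selection=None, subnet_selection=None, xid=0x1234):
    """Minimal DHCPDISCOVER as a relay would forward it: giaddr set, optional opt 118 / opt 82.5."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 1, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, ipaddress.IPv4Address(giaddr).packed)
    chaddr = bytes.fromhex("0242ac110002") + b"\0" * 10   # constructed client MAC, padded to 16
    opts = bytes([53, 1, 1])                               # option 53: message type DISCOVER
    if subnet_selection:
        opts += bytes([OPT_SUBNET_SELECTION, 4]) + ipaddress.IPv4Address(subnet_selection).packed
    if link_selection:
        sub = bytes([SUBOPT_LINK_SELECTION, 4]) + ipaddress.IPv4Address(link_selection).packed
        opts += bytes([OPT_RELAY_AGENT, len(sub)]) + sub
    return hdr + chaddr + b"\0" * 192 + DHCP_MAGIC + opts + bytes([255])

def parse_options(pkt):
    """Top-level options after the magic cookie at fixed offset 236, as {code: raw value}."""
    assert pkt[236:240] == DHCP_MAGIC
    i, opts = 240, {}
    while i < len(pkt) and pkt[i] != 255:
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def scope_selected_by_server(pkt, honour_subnet_selection=False):
    """Return (scope used to pick an address, address the OFFER/ACK is unicast to).
    Link selection overrides giaddr for scope choice only; replies still go to giaddr,
    which is why giaddr must be the ASA's real reachable address, not the scope ID."""
    giaddr = str(ipaddress.IPv4Address(pkt[24:28]))
    opts, scope = parse_options(pkt), giaddr
    sub, j = opts.get(OPT_RELAY_AGENT, b""), 0
    while j < len(sub):
        if sub[j] == SUBOPT_LINK_SELECTION:
            scope = str(ipaddress.IPv4Address(sub[j + 2:j + 6]))
        j += 2 + sub[j + 1]
    if scope == giaddr and honour_subnet_selection and OPT_SUBNET_SELECTION in opts:
        scope = str(ipaddress.IPv4Address(opts[OPT_SUBNET_SELECTION]))
    return scope, giaddr
```

With giaddr set to the scope ID (the misconfiguration described in the post) the server picks the right scope but returns the OFFER to 1.1.2.0, which nothing answers; with giaddr = 10.0.0.1 plus link selection 1.1.2.0 both the scope and the return path are correct.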

Thanks for pointing that out. Are you saying that the network scope address shouldn't be the subnet ID of the interested pool, but defined as an IP from within that subnet? For instance, if the pool we would like to get an IP from is 172.16.1.1-172.16.1.10 subnet mask 255.255.255.0, the network scope command should be configured with an IP from within that subnet rather than 0? From what I remember it would work with the subnet ID as well but I could be wrong so please keep me honest here.