James,

As far as I can recall, user-based access is controlled via dynamic ACLs with 
RADIUS; it is called dynamic access policy (DAP).
In DAP, when access is granted to a user, the relevant ACLs are imported from 
the RADIUS server into the device, and when the user disconnects the session 
those ACLs are removed from the device. I'm using remote site VPN on ASA with 
Windows Internet Authentication Server RADIUS (IAS) + AD database, but not with 
static IP assignment. Try configuring the following and see if it works for 
you; otherwise I will share the way out with you after testing on my side.




1. Create 2 groups (Group1 and Group2)
2. Create 2 pools (Pool1 and Pool2)
Put “THE” user in Group1 and have Pool1 be assigned to him. Configure it in 
such a way that Pool1 has only one IP address.
Put all the other users into the second group and configure Pool2 to be 
assigned to them as a regular pool. Comes in very handy.

Regards
Sheraz
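
The two-group, two-pool layout from the message above, sketched as ASA
configuration. This is an added example, not part of the original message;
reading the "groups" as ASA group policies, and the names, addresses and
RADIUS mapping shown, are assumptions.

```cisco
! Added example: every name and address here is an assumed placeholder.
! Use locally defined pools for remote-access address assignment.
vpn-addr-assign local
!
! Pool1 holds exactly one address, so its single user always receives it.
ip local pool Pool1 192.0.2.10-192.0.2.10 mask 255.255.255.0
! Pool2 is the regular range for everyone else; it must not contain
! the address reserved in Pool1.
ip local pool Pool2 192.0.2.100-192.0.2.200 mask 255.255.255.0
!
group-policy Group1 internal
group-policy Group1 attributes
 address-pools value Pool1
 ! A second concurrent session would find Pool1 exhausted, so cap it at one.
 vpn-simultaneous-logins 1
!
group-policy Group2 internal
group-policy Group2 attributes
 address-pools value Pool2
!
! Assumption: the RADIUS server picks the group policy per user by returning
! IETF attribute 25 (Class) as "OU=Group1;" for the one fixed-IP user and
! "OU=Group2;" for all other users.
```

Because the address is tied to group membership rather than to the user
record, anyone else placed in Group1 would compete for the same single address.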

From: [email protected]
To: [email protected]
Date: Thu, 31 Jan 2013 10:46:13 -0700
Subject: Re: [OSL | CCIE_Security] Fixing ip to Dynamic user

So I am replying based on memory alone right now, but isn’t it possible to 
“edit” the dynamic users in ACS? So shouldn’t you be able to add a static IP 
address or assign the correct AV pair for that? I will try and lab this up… 

James

From: [email protected] 
[mailto:[email protected]] On Behalf Of Bruno Silva
Sent: Thursday, January 31, 2013 9:37 AM
To: Adil Pasha
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Fixing ip to Dynamic user

Well, I cannot use local database authentication and that's where I'm stuck. 
It's not practical to have all the users from the domain created manually in 
the ACS, so this is not something I can do. I was wondering if it's possible 
to use any RADIUS AV-pair in order to extract the IP address information from 
the Active Directory server somehow, but I have never seen it. Does anyone 
have an idea?

2013/1/31 Adil Pasha <[email protected]>

Guys,

This is a pretty cool topic. Just wondering, is this part of v4? Still trying 
to grasp v4 topics.

Best Regards.
______________________
Adil

On Jan 31, 2013, at 9:42 AM, Kevin Sheahan <[email protected]> wrote:

Hi Bruno,

Are you able to authenticate via local database? If so, you can use user 
attributes to assign the IP address on RA-VPN.

username <userid> attributes
vpn-framed-ip-address <ip address> <subnet mask>

Hope I was helpful.

-Kevin Sheahan

On Thu, Jan 31, 2013 at 6:58 AM, Bruno Silva <[email protected]> wrote:

Hi guys,

I hope you all can help me to find out a thing that's been a pain here. I'm 
using dynamic user mapping from Active Directory to ACS and there are some 
specific users that must have a static IP address assigned to their profile 
after connecting to the VPN. OK, we can do that on ACS statically after the 
user connects to the VPN, because the username mapping is made and then we 
assign a static IP address to it, but this has been a pain because whenever we 
have to make any change to the ACS server, the dynamic mapping is gone and 
then we have to rebuild this manually.

I was wondering if there's any way of doing a static IP assignment to a 
dynamic user mapping. First I thought of doing this with RADIUS but I could 
not find any option that allows me to do it, so... Can anyone help me with 
that?

Thank you very much!

-- 
Bruno Silva
Network Consultant
Cisco CCNA/CCDA/CCNP/CCDP/CCSP Certified
Arcsight Professional Certified - ACIA/ACSA
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com