Bruno,

 

OK, I was able to validate my line of thought and yes, you can edit the
"dynamic user" in ACS and assign him a static IP address. The caveat is that
you will need a "VPN Pool" to initially assign to the remote access user,
otherwise they will not be able to log in to the VPN, because for remote
access VPN to be successful you have to assign that user an IP address.

 

Otherwise just know that they will fail when they connect the first time,
however the "dynamic user" account is still created in ACS because
technically they authenticated successfully to the AD domain.

 

Then you can edit the user account and statically assign the IP address.

 

James

 

From: [email protected]
[mailto:[email protected]] On Behalf Of Piotr
Matusiak
Sent: Thursday, January 31, 2013 10:34 AM
To: Bruno Silva
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Fixing ip to Dynamic user

 

Bruno,

Why don't you set up LDAP authentication on ASA instead of RADIUS? Then you
can use almost any attribute from AD. I've never tried this with IP address
but I think it may work.

example: 

ldap attribute-map MAP
 map-name  Some-AD-Attrib IETF-Radius-Framed-IP-Address

and so on...

Regards,
Piotr
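
Piotr's attribute-map suggestion written out as a fuller ASA configuration (an added example, not part of the original thread). The AD attribute msRADIUSFramedIPAddress, the server, pool and tunnel-group names, the addresses, the DNs and the password placeholder are all assumptions; the local pool stays as the fallback for users with no address set in AD.

```cisco
! Added example: every name, address and DN below is constructed.

! Fallback pool for users that have no static address in AD
ip local pool VPN-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! Use an address returned by AAA when there is one, else the local pool
vpn-addr-assign aaa
vpn-addr-assign local

! Map the AD attribute (assumed: msRADIUSFramedIPAddress) to the ASA attribute
ldap attribute-map MAP
 map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address

! LDAP server definition; bind with a read-only account over SSL
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,CN=Users,DC=example,DC=com
 ldap-login-password <bind-password>
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map MAP

! Remote-access tunnel group authenticating against AD over LDAP
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group AD-LDAP
 address-pool VPN-POOL
```

Running `debug ldap 255` during a test login shows whether the attribute was returned by AD and mapped.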


On 1/31/13 5:37 PM, Bruno Silva wrote:

Well, I cannot use local database authentication and that's where I'm
stuck.

 

It's not practical to have all the users from the Domain created manually in
the ACS so this is not something I can do. I was wondering if it's possible
to use any Radius AV-Pair in order to extract the IP address information
from the Active Directory server somehow but I have never seen it.

 

Does anyone have an idea?

2013/1/31 Adil Pasha <[email protected]>

Guys, 

This is a pretty cool topic. Just wondering is this part of v4?

Still trying to grasp v4 topics.

 

Best Regards.

______________________

Adil 

 

On Jan 31, 2013, at 9:42 AM, Kevin Sheahan <[email protected]> wrote:





Hi Bruno,  

 

Are you able to authenticate via local database? If so, you can use user
attributes to assign the ip address on RA-VPN.

username <userid> attributes
vpn-framed-ip-address <ip address> <subnet mask> 

 

Hope I was helpful.

 

-Kevin Sheahan

 

On Thu, Jan 31, 2013 at 6:58 AM, Bruno Silva <[email protected]> wrote:

Hi guys, 

 

I hope you all can help me figure out something that's been a pain here. I'm
using dynamic user mapping from Active Directory to ACS and there are some
specific users that must have a static IP address assigned to their profile
after connecting to the VPN. OK, we can do that on ACS statically after the
user connects to the VPN, because the username mapping is made and then we
assign a static IP address to it, but this has been a pain because every time
we have to make any change to the ACS server, the dynamic mapping is gone and
then we have to rebuild this manually.

 

I was wondering if there's any way of doing a static IP assignment to a
dynamic user mapping. First I thought of doing this with RADIUS but I could
not find any option that allows me to do it, so... Can anyone help me with
that?

 

thank you very much!


 

-- 
Bruno Silva
Network Consultant
Cisco CCNA/CCDA/CCNP/CCDP/CCSP Certified
Arcsight Professional Certified - ACIA/ACSA


_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com <http://www.ipexpert.com/> 

Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com <http://www.platinumplacement.com/> 

 


 





 

-- 
Bruno Silva
Network Consultant
Cisco CCNA/CCDA/CCNP/CCDP/CCSP Certified
Arcsight Professional Certified - ACIA/ACSA





