Configure Static IP Address Assignment for Secure Client VPN Users

Available Languages

Download Options

  • PDF     (523.7 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (619.9 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (424.1 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:October 1, 2024
Document ID:222436

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to assign static IP addresses to Remote Access VPN users by using an LDAP attribute map.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Active Directory (AD)
    • Lightweight Directory Access Protocol (LDAP)
    • Cisco Secure Firewall Threat Defense
    • Cisco Secure Firewall Management Center

    Components Used

    The information in this document is based on these software and hardware versions:

    • Windows Server 2022
    • FTD version 7.4.2
    • FMC version 7.4.2

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    Note: The option to use a Realm for IP address assignment and to configure LDAP attribute maps is supported in firepower version 6.7 or later. Ensure that the firepower version is 6.7 or later before you proceed.

    Configure

    Step 1. Navigate to Devices > Remote Access and select the desired Remote Access VPN Policy. Select the desired Connection Profile. Under the AAA tab, select a Realm for Authentication Server and Authorization Server.

    Edit Connection Profile

    Step 2. Navigate to Devices > Remote Access and select the desired Remote Access VPN policy. Navigate to Advanced > Address Assignment Policy and ensure the option Use authorization server (Only for RADIUS or Realm) is enabled.

    Address Assignment Policy

    Step 3. Navigate to Advanced > LDAP Attribute Mapping and add a Name Map with LDAP Attribute Name set to msRADIUSFramedIPAddress and Cisco Attribute Name set to IETF-Radius-Framed-IP-Address.

    LDAP Attribute Mapping

    Step 4. On your Windows AD server, open Server Manager and navigate to Tools > Active Directory Users and Computers. Right-click on a user, select Properties > Dial-in and check the box named Assign Static IP Addresses.

    User Dial-in Properties

    Step 5. Select Static IP Addresses and assign a static IP address to the user.

    Assign Static IP Address

    Step 6. Connect to the VPN gateway and log in using the Cisco Secure Client. The user is assigned the static IP address that you configured.

    Secure Client Connection Information

    Verify

    Enable debug ldap 255 and ensure that the msRADIUSFramedIPAddress LDAP attribute is retrieved:

    [13] Session Start
    [13] New request Session, context 0x000015371bf7a628, reqType = Authentication
    [13] Fiber started
    [13] Creating LDAP context with uri=ldap://192.168.2.101:389
    [13] Connection to LDAP server: ldap://192.168.2.101:389, status = Successful
    [13] supportedLDAPVersion: value = 3
    [13] supportedLDAPVersion: value = 2
    [13] Binding as (Administrator@test.example) [Administrator@test.example]
    [13] Performing Simple authentication for Administrator@test.example to 192.168.2.101
    [13] LDAP Search:
    Base DN = [CN=Users,DC=test,DC=example]
    Filter = [sAMAccountName=jdoe]
    Scope = [SUBTREE]
    [13] User DN = [CN=John Doe,CN=Users,DC=test,DC=example]
    [13] Talking to Active Directory server 192.168.2.101
    [13] Reading password policy for jdoe, dn:CN=John Doe,CN=Users,DC=test,DC=example
    [13] Read bad password count 0
    [13] Binding as (jdoe) [CN=John Doe,CN=Users,DC=test,DC=example]
    [13] Performing Simple authentication for jdoe to 192.168.2.101
    [13] Processing LDAP response for user jdoe
    [13] Message (jdoe): 
    [13] Authentication successful for jdoe to 192.168.2.101
    [13] Retrieved User Attributes:
    [13] objectClass: value = top
    [13] objectClass: value = person
    [13] objectClass: value = organizationalPerson
    [13] objectClass: value = user
    [13] cn: value = John Doe
    [13] sn: value = Doe
    [13] givenName: value = John
    [13] distinguishedName: value = CN=John Doe,CN=Users,DC=test,DC=example
    [13] instanceType: value = 4
    [13] whenCreated: value = 20240928142334.0Z
    [13] whenChanged: value = 20240928152553.0Z
    [13] displayName: value = John Doe
    [13] uSNCreated: value = 12801
    [13] uSNChanged: value = 12826
    [13] name: value = John Doe
    [13] objectGUID: value = ......fA.f...;.,
    [13] userAccountControl: value = 66048
    [13] badPwdCount: value = 0
    [13] codePage: value = 0
    [13] countryCode: value = 0
    [13] badPasswordTime: value = 0
    [13] lastLogoff: value = 0
    [13] lastLogon: value = 0
    [13] pwdLastSet: value = 133720070153887755
    [13] primaryGroupID: value = 513
    [13] userParameters: value = m: d. 
    [13] objectSid: value = ............Q=.S....=...Q...
    [13] accountExpires: value = 9223372036854775807
    [13] logonCount: value = 0
    [13] sAMAccountName: value = jdoe
    [13] sAMAccountType: value = 805306368
    [13] userPrincipalName: value = jdoe@test.example
    [13] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=test,DC=example
    [13] msRADIUSFramedIPAddress: value = -1408232375
    [13] mapped to IETF-Radius-Framed-IP-Address: value = -1408232375
    [13] msRASSavedFramedIPAddress: value = -1408232375
    [13] dSCorePropagationData: value = 16010101000000.0Z
    [13] lastLogonTimestamp: value = 133720093118057231
    [13] Fiber exit Tx=522 bytes Rx=2492 bytes, status=1
    [13] Session End

    Troubleshoot

    Debug commands:

    debug webvpn 255

    debug ldap

    Command to validate the static IP address assigned to the desired RA VPN user:

    show vpn-sessiondb anyconnect filter name <username>

    firepower# show vpn-sessiondb anyconnect filter name jdoe

    Session Type: AnyConnect

    Username : jdoe Index : 7
    Assigned IP : 172.16.20.73 Public IP : 10.0.0.10
    Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
    License : AnyConnect Premium
    Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-128 DTLS-Tunnel: (1)AES-GCM-256
    Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA256 DTLS-Tunnel: (1)SHA384
    Bytes Tx : 14664 Bytes Rx : 26949
    Group Policy : DfltGrpPolicy Tunnel Group : RAVPN_PROFILE
    Login Time : 11:45:48 UTC Sun Sep 29 2024
    Duration : 0h:38m:59s
    Inactivity : 0h:00m:00s
    VLAN Mapping : N/A VLAN : none
    Audt Sess ID : cb0071820000700066f93dec
    Security Grp : none Tunnel Zone : 0

    Revision History

    Revision Publish Date Comments
    1.0
    01-Oct-2024
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Ashlin Leroy Dsilva
      Cisco Software Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products