Using ASA AnyConnect VPN with Static Client IP Address using Windows Server NPS

Has anyone used the “Dial-up” tab in AD to assign a static IP to a user? Apparently this can be done with Cisco ISE with modifications. Link below.

I don’t have ISE; I have NPS. So I’m looking to see if anyone has used NPS (in place of ISE) to assign a static IP to an AnyConnect user.

ASA AnyConnect VPN with Static Client IP Address – integrating IT (wordpress.com)

It doesn’t matter what RADIUS server you use.
There is a dictionary of VSAs for Cisco VPN (Cisco VPN 3000/ASA/PIX), but to assign a specific IP you need to use an attribute called Framed-IP-Address, which is a basic RADIUS attribute and vendor-agnostic.
You pass this attribute, with a value equal to the IP you want to assign to the client, as a result of the authorization policy.

FYI - the more modern approach is to not care what IP the users have and just let them pick up an IP from DHCP. We identify them by user and create firewall rules based on their AD group etc. You need to have a firewall that is connected to your AD. It also doesn’t work perfectly, as every vendor’s user ID detection is just reading from a log file on the AD DCs. It can be a little behind reality. There are some issues when users RDP to other servers: the identity can get messed up. Also, with multiple users logging into an RDS server you need to set a single policy for that server, as the identity will be changing all the time.

Since you asked: I’ve only done it with LDAP auth. I have come across this before and can give you some clues. You need to configure the static IP in the Dial-in tab in AD.

You will need to setup two group policies.

NoAccess - basically a blank policy; disable DHCP etc. on this. Google will tell you how to create this. Basically, if they don’t have an IP in AD we give them the NoAccess policy and they can’t connect/get an IP.

GP-AC - the real policy. You don’t need DHCP here either, as we will read the IP for the user from AD. You will need to fill in your other settings like DNS server etc.

Make your LDAP map point to the AD group where the AC users are located in AD. The Framed-IP is the thing we want to read from AD and hand to the user as their IP. Then assign the correct AnyConnect group policy, GP-AC:

ldap attribute-map LDAP-MAP
  ! memberOf selects the group-policy; users not in AC-USERS fall through to the
  ! tunnel-group's default group-policy (NoAccess)
  map-name memberOf Group-Policy
  map-value memberOf "CN=AC-USERS,OU=Groups,DC=WORK,DC=LOCAL" GP-AC
  ! msRADIUSFramedIPAddress is the Dial-in tab "Assign Static IP Addresses" value. AD
  ! stores it as a 32-bit integer; the ASA converts it to dotted form when it is mapped
  ! to Framed-IP-Address, so map-name alone is enough (no map-value for this attribute).
  map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address

Set up your AAA LDAP connection and attach the LDAP-MAP we created above:

aaa-server AAA-LDAP protocol ldap
aaa-server AAA-LDAP (INSIDE) host 192.168.0.100
  ldap-base-dn DC=WORK,DC=LOCAL
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ! The bind account only needs read access to the user objects. Without
  ! "ldap-over-ssl enable" (server-port 636) this bind password and every user's
  ! VPN credentials cross the wire to the DC in cleartext.
  ldap-login-password ThePWGoesHere
  ldap-login-dn CN=ASA-USER,OU=Service Users,OU=Users,DC=WORK,DC=LOCAL
  server-type microsoft
  ldap-attribute-map LDAP-MAP

I’m sure this is possible with RADIUS as well, but I’ve never done that. That should give you some clues to start googling. You can set up a separate AnyConnect test profile to work on it; don’t mess around with your production AnyConnect. Good luck.
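Added example, not part of the reply above: the Dial-in tab value the ASA map reads (msRADIUSFramedIPAddress) can also be set and audited from PowerShell with the ActiveDirectory module, which is handy when the static addresses come from a spreadsheet rather than being clicked in one at a time. AD stores the attribute as a signed 32-bit integer holding the IPv4 address in network byte order, so the snippet converts in both directions and reads the value back to catch a typo before the first VPN login. The user name jdoe, the address 192.168.0.1 and the function names are placeholders chosen for this example.

```powershell
# Added example (not from the thread). Needs the RSAT ActiveDirectory module and
# write rights on the target user. User name and address below are placeholders.
Import-Module ActiveDirectory

# AD keeps msRADIUSFramedIPAddress as an Int32 containing the IPv4 address in
# network (big-endian) byte order. The ASA turns it back into dotted form when the
# ldap attribute-map sends it as IETF-Radius-Framed-IP-Address.
function ConvertTo-FramedIPInt {
    param([Parameter(Mandatory)][string]$DottedIP)
    $bytes = [System.Net.IPAddress]::Parse($DottedIP).GetAddressBytes()   # big-endian
    if ([System.BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    return [System.BitConverter]::ToInt32($bytes, 0)
}

function ConvertFrom-FramedIPInt {
    param([Parameter(Mandatory)][int]$Value)
    $bytes = [System.BitConverter]::GetBytes($Value)
    if ([System.BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    return [System.Net.IPAddress]::new($bytes).IPAddressToString
}

function Set-AnyConnectStaticIP {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$DottedIP
    )
    $value = ConvertTo-FramedIPInt $DottedIP
    # msRASSavedFramedIPAddress is the companion copy the Dial-in tab also writes;
    # set both so ADUC and the ASA show the same address.
    Set-ADUser -Identity $SamAccountName -Replace @{
        msRADIUSFramedIPAddress   = $value
        msRASSavedFramedIPAddress = $value
    }
    # Read back and decode: a wrong value here would otherwise surface as a VPN
    # client with no address or with someone else's address.
    $stored  = (Get-ADUser -Identity $SamAccountName -Properties msRADIUSFramedIPAddress).msRADIUSFramedIPAddress
    $decoded = ConvertFrom-FramedIPInt $stored
    if ($decoded -ne $DottedIP) {
        throw "Stored value $stored decodes to $decoded, expected $DottedIP"
    }
    return $decoded
}

# Placeholder user and address.
Set-AnyConnectStaticIP -SamAccountName 'jdoe' -DottedIP '192.168.0.1'

# Audit: every user with a static VPN address, decoded to dotted form. Useful for
# spotting two accounts that were given the same address.
Get-ADUser -LDAPFilter '(msRADIUSFramedIPAddress=*)' -Properties msRADIUSFramedIPAddress |
    Select-Object SamAccountName,
        @{ n = 'FramedIP'; e = { ConvertFrom-FramedIPInt $_.msRADIUSFramedIPAddress } } |
    Sort-Object FramedIP
```

Because the attribute is a signed integer, any address whose first octet is 128 or higher shows up as a negative number in ADSI Edit; that is expected and the decode above handles it. Only the ASA-side mapping (or the RADIUS server returning Framed-IP-Address) is needed for the ASA to use the value; nothing here replaces the group-policy setup in the reply above.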

Understood. The article uses ISE, which needs modification to pass the Framed-IP-Address to the ASA. More config was also needed with Cisco ACS for it to work.

My question is: will it just work “out of the box” with Microsoft Network Policy Server?

I would hope that NPS, with its tight integration into AD, will pull the static IP defined under “dial-up”.

Thanks

It’s something a stupid govt agency wants, need I say more. :frowning:

Thanks for your detailed reply!

I actually never used the method described in the article you quoted. I have never touched the Dial-in tab in AD. If I needed to set a static IP for an AnyConnect user, I’d just pass the Framed-IP-Address attribute with the IP address as the value directly from RADIUS (ISE).
Not sure what the benefit is there. I would always create an authorization policy for that user matching his username and assign an authorization profile which contains the IP, such as “Framed-IP-Address = 192.168.0.1”.
That’s perfectly doable on any NPS.