We’re not necessarily ASA experts so you may want to check with Cisco for more information about static IPs for clients. I did some searching and found some helpful articles (linked at the end of this post). Based on these suggestions it looks like you can use the RADIUS IETF-Radius-Framed-IP-Address along with the AD msRADIUSFramedIPAddress attribute to do this.
For this to be successful you probably need to use RADIUS as your upstream authenticator. I’m guessing your radius_server_auto Duo config is using ad_client pointing to your DCs. This won’t pass additional attributes from AD/LDAP as RADIUS attributes, so you’d probably have to switch to radius_client and point that to a RADIUS server (like MS NPS) that in turn points to your DCs for primary auth, and then also set the pass_through_all options to true for both the RADIUS server and RADIUS client in the Duo proxy config, in order to pass that framed IP addr attribute value all the way from AD to the ASA.
One of the links below describes passing this info from AD as a mapped LDAP attribute. If you want to go this route you’d need to change your Duo proxy config from duo_only_client and change your radius_server_auto section to use duo_only_client instead of ad_client. You’d also need to update your ASA config so that it uses LDAP directly to your AD DCs for primary auth, and then Duo for secondary auth.