Static IP for VPN clients - DUO, Radius, ASA, & MS AD


#1

Hello,

Currently using DUO with Radius and it is working fine.

However, I would like to assign some users a static IP address so we can limit their access to servers and ports.

We are using DUO, Radius, Cisco ASA, and Microsoft Active Directory.

What is the best way to achieve this goal?


#2

We’re not necessarily ASA experts so you may want to check with Cisco for more information about static IPs for clients. I did some searching and found some helpful articles (linked at the end of this post). Based on these suggestions it looks like you can use the RADIUS IETF-Radius-Framed-IP-Address along with the AD msRADIUSFramedIPAddress attribute to do this.

For this to be successful you probably need to use RADIUS as your upstream authenticator. I’m guessing your radius_server_auto Duo config is using ad_client pointing to your DCs. This won’t pass additional attributes from AD/LDAP as RADIUS attributes, so you’d probably have to switch to radius_client and point that to a RADIUS server (like MS NPS) that in turn points to your DCs for primary auth, and then also set the pass_through_attr_names or pass_through_all options to true for both the RADIUS server and RADIUS client in the Duo proxy config, in order to pass that framed IP addr attribute value all the way from AD to the ASA.

One of the links below describes passing this info from AD as a mapped LDAP attribute. If you want to go this route you’d need to change your Duo proxy config from ad_client to duo_only_client and change your radius_server_auto section to use duo_only_client instead of ad_client. You’d also need to update your ASA config so that it uses LDAP directly to your AD DCs for primary auth, and then Duo for secondary auth.

References:

https://communities.cisco.com/thread/79759
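As an added illustration of the two authproxy.cfg shapes described in the reply above (example configuration, not from the original post or from Duo), here is the ad_client layout that cannot forward AD attributes, followed by the radius_client layout that relays Framed-IP-Address from an NPS server to the ASA. Hostnames, IPs, secrets and the placeholder ikey/skey/api_host are assumptions, and the two versions are shown as alternatives, not one file.

```ini
; --- Version A (assumed starting point): primary auth via ad_client.
; The proxy binds to AD over LDAP, so msRADIUSFramedIPAddress is never
; turned into a RADIUS attribute and the ASA gets no Framed-IP-Address.
[ad_client]
host=dc1.example.com
service_account_username=duo-svc
service_account_password=REPLACE_ME
search_dn=DC=example,DC=com

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_ME
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
; ASA inside interface (assumed address)
radius_ip_1=10.0.0.1
radius_secret_1=REPLACE_ME
port=1812

; --- Version B: primary auth via MS NPS over RADIUS. NPS reads
; msRADIUSFramedIPAddress from AD and returns it as Framed-IP-Address;
; pass_through_attr_names on BOTH sections relays it to the ASA.
[radius_client]
host=nps1.example.com
secret=REPLACE_ME
port=1812
pass_through_attr_names=Framed-IP-Address

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_ME
api_host=api-XXXXXXXX.duosecurity.com
client=radius_client
radius_ip_1=10.0.0.1
radius_secret_1=REPLACE_ME
port=1812
; pass_through_all=true would relay every NPS attribute instead;
; naming only the attribute you need keeps the reply minimal.
pass_through_attr_names=Framed-IP-Address
```

After switching to Version B, verify on the ASA (for example with `show vpn-sessiondb anyconnect`) that the affected users receive the address configured in AD before tightening ACLs to those addresses.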