Contributor I
Posts: 36
Registered: ‎05-12-2011

Cisco ASA VPN - Returning IETF-Framed-IP-Address

[ Edited ]

Using Clearpass, I have configured a new Generic RADIUS Service that takes RADIUS calls from IPSEC/L2TP VPN users from a Cisco ASA 5510 8.2 firewall (only thing I have yet to move to Clearpass from NPS). Tests work great for authentication and authorization. Almost there.

 

I am having trouble knowing how exactly to approach passing the static IP address value stored in AD for some users. NPS has a little checkbox that passes back that value as the IETF-Framed-IP-Address I believe, but I am at a loss as to how to achieve this in Clearpass.

 

I think I need to make the Enforcement Profile pass it back, but I have no idea what to put in the value field of the profile. Can one of the brilliant airheads please advise?

 

Capture.PNG

 

Many thanks,

 

Aaron

 

Edit: Clarified the fact that RADIUS was for VPN users

Guru Elite
Posts: 8,323
Registered: ‎09-08-2010

Re: Cisco ASA VPN - Returning IETF-Framed-IP-Address

[ Edited ]

Where is it stored in AD? Is it in a text field or are you using the dial-in static IP address option?

 

If it's the dial-in static IP address field, the data is stored in decimal and may be difficult to convert on the fly to return to the ASA.

 

ad-staticvpn-1.JPG

 

ad-staticvpn-2.JPG

 

If it's a more generic text attribute, we can return it verbatim.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 36
Registered: ‎05-12-2011

Re: Cisco ASA VPN - Returning IETF-Framed-IP-Address

It does seem to be an integer in AD. rats!

 

That would prove difficult to hand back over to the ASA in that format :)

 

Thanks for looking into this for me!

 

Aaron

Guru Elite
Posts: 8,323
Registered: ‎09-08-2010

Re: Cisco ASA VPN - Returning IETF-Framed-IP-Address

Are you using the dial-in settings for anything other than the ASA (no traditional MS rras)?

You can easily create a custom AD attribute with type string then use a powershell script to copy the existing entries from dial-in.

You'd then be able to reference the value in ClearPass without any conversion and pass it via RADIUS.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
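The copy step suggested above, written out as an added example (not the thread's or Aruba's code): a PowerShell script that reads each user's dial-in static IP, which AD holds as a 32-bit integer in the msRADIUSFramedIPAddress attribute, converts it to dotted form and copies it into a custom string attribute that ClearPass can then return verbatim. Assumed: the ActiveDirectory module is installed, and a custom single-valued string attribute named vpnStaticIP (hypothetical name) already exists on the user class.

```powershell
# Added example, not from the thread: copy the dial-in static IP that AD keeps as a
# 32-bit integer in msRADIUSFramedIPAddress into a custom string attribute, so that
# ClearPass can return it verbatim as IETF-Framed-IP-Address. Assumes the
# ActiveDirectory module and a custom single-valued string attribute on the user
# class named 'vpnStaticIP' (hypothetical name; change it to match your schema).
Import-Module ActiveDirectory

$TargetAttribute = 'vpnStaticIP'   # hypothetical custom string attribute

function Convert-DialInIntToIPv4 {
    param([Parameter(Mandatory)][int64]$Value)
    # AD stores the address as a signed 32-bit integer in network byte order, so
    # 192.168.1.10 (0xC0A8010A) appears as -1062731510. Masking to 32 bits
    # recovers the unsigned value; the octets are then read most significant first.
    $u = $Value -band 4294967295
    $octets = foreach ($shift in 24, 16, 8, 0) { ($u -shr $shift) -band 255 }
    return ($octets -join '.')
}

# Only accounts with "Assign a static IP address" set carry the attribute.
$users = Get-ADUser -LDAPFilter '(msRADIUSFramedIPAddress=*)' `
                    -Properties msRADIUSFramedIPAddress, $TargetAttribute

foreach ($user in $users) {
    $ip = Convert-DialInIntToIPv4 -Value $user.msRADIUSFramedIPAddress

    # RFC 2865 reserves 255.255.255.255 (user selects) and 255.255.255.254
    # (NAS selects) in Framed-IP-Address; those are not real static assignments.
    if ($ip -in '255.255.255.255', '255.255.255.254') {
        Write-Warning "$($user.SamAccountName): reserved value $ip, skipped"
        continue
    }
    if ($user.$TargetAttribute -eq $ip) { continue }   # already in sync

    Write-Host "$($user.SamAccountName): $($user.msRADIUSFramedIPAddress) -> $ip"
    $change = @{}
    $change[$TargetAttribute] = $ip
    # -WhatIf only reports the change; remove it once the output looks right.
    Set-ADUser -Identity $user -Replace $change -WhatIf
}
```

Run it once with -WhatIf in place to review the integer-to-address mapping for each account before letting it write to the directory.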
Contributor I
Posts: 36
Registered: ‎05-12-2011

Re: Cisco ASA VPN - Returning IETF-Framed-IP-Address

No, we are only using that one field in the Dial-In Settings, and then only for the ASA's VPN.

 

Creating that custom AD attribute would certainly fit the bill, but I don't really use it but for a handful of people.

 

If an attribute were in a useful string state, how would I pass it back as a RADIUS attribute? If you don't want to explain it and want to point me to the right section in the documentation, that's cool too!

 

Thanks,

 

Aaron

Guru Elite
Posts: 8,323
Registered: ‎09-08-2010

Re: Cisco ASA VPN - Returning IETF-Framed-IP-Address

You would use the parameterized string. Here is an example returning the dial-in static IP value:

 

%{Authorization:<AD-Source-Name>:<Attribute-Name>}

 

Here's an example for mine:

 

%{Authorization:AD_timcappalli-com:DialIn-StaticIP}

 

enf-ietf-framed-ad.JPG

 

Since this is not a "typical" attribute for you to use in ClearPass from an AD source, you'll need to define it in your AD authentication source (that's why it has a more user friendly name).

 

On the attributes tab of your AD source, click the "Authentication" filter, and add an attribute at the bottom. The "Name" is the exact attribute name in AD (easiest way to find all the attributes is to look at an account in ADSI Edit). "Alias Name" is what will be displayed in ClearPass as the attribute name. Choose string in this case.

 

This attribute will now be available for that AD authorization source in ClearPass.

 

ad-msradius-attribute.JPG

 

ad-msradius-request.JPG


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480