I have a quick query regarding AAA IP assignment for Anyconnect clients:
A little backstory; the client currently has AnyConnect remote access configured using an AAA RADIUS server for authentication and a local IP pool on the ASA. My predecessor was trying to create a new tunnel group using DHCP for address allocation for certain clients so they could configure it to allocate the same IP to the user each time. Unfortunately DHCP proxy is not allowed due to DHCP relay already being in use on the same interface, so using a DHCP server is out. I've read that you can allocate an address on a per-user basis if the users are local on the ASA, but I doubt the client will be happy with that. This leaves AAA address assignment, referenced here:
My question is how does this behave? The client wants to keep the local IP pool for most clients, but the article suggests that AAA address allocation is enabled globally, not on a per tunnel group basis. What will happen if I enable it? Will it break the old tunnel group that is using the same authentication server group, but has its own local address pool? Or am I OK because the old tunnel group references the local IP pool and will use this over the AAA allocation?
AAA Service Framework Overview
The authentication, authorization, and accounting (AAA) Service Framework provides a single point of contact for all the authentication, authorization, accounting, address assignment, and dynamic request services that the router supports for network access. The framework supports authentication and authorization through external servers, such as RADIUS. The framework also supports accounting and dynamic-request change of authorization (CoA) and disconnect operations through external servers, and address assignment through a combination of local address-assignment pools and RADIUS.
When interacting with external back-end RADIUS servers, the AAA Service Framework supports standard RADIUS attributes and Juniper Networks vendor specific attributes (VSAs). The AAA Service Framework also includes an integrated RADIUS client that is compatible with RADIUS servers that conform to RFC-2865, Remote Authentication Dial In User Service (RADIUS), RFC-2866, RADIUS Accounting, and RFC-3576, Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS), and which can initiate requests.
You create the following types of configurations to manage subscriber access.
- Authentication—Authentication parameters defined in the access profile determine the authentication component of the AAA processing. For example, subscribers can be authenticated using an external authentication service such as RADIUS.
- Accounting—Accounting parameters in the access profile specify the accounting part of the AAA processing. For example, the parameters determine how the router collects and uses subscriber statistics. You can also configure AAA to enable the router to collect statistics on a per-service session basis for subscribers.
- RADIUS-initiated dynamic requests—A list of authentication server IP addresses in the access profile specifies the RADIUS servers that can initiate dynamic requests to the router. Dynamic requests include CoA requests, which specify VSA modifications and service changes, and disconnect requests, which terminate subscriber sessions. The list of authentication servers also provides RADIUS-based dynamic service activation and deactivation during subscriber login.
- Address assignment—The AAA Service Framework assigns addresses to subscribers based on the configuration of local address-assignment pools. For example, the AAA framework collaborates with RADIUS servers to assign addresses from the specified pools.
- Subscriber secure policy—RADIUS VSAs and attributes provide RADIUS-initiated traffic mirroring on a per-subscriber basis.
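The address-assignment and RADIUS-client items above describe two things an AAA framework has to get right before handing an address to a subscriber: confirm that an Access-Accept really came from the configured server (the Response Authenticator of RFC 2865), and then decide whether the address comes from a RADIUS attribute or from a local pool. The following Python is an added example written for this page; it is not Juniper's or Cisco's code and does not describe how either vendor resolves AAA versus local-pool assignment. The precedence it applies (a concrete Framed-IP-Address wins, then a Framed-Pool name from RFC 2869 selects a local pool, otherwise the default pool) is an assumption chosen for illustration, and the shared secret, request authenticator, pool names and addresses are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, field

# RADIUS codes and attribute numbers (RFC 2865 and RFC 2869)
ACCESS_ACCEPT = 2
FRAMED_IP_ADDRESS = 8      # RFC 2865 section 5.8: 4-byte IPv4 address
FRAMED_POOL = 88           # RFC 2869 section 5.18: name of a NAS-local address pool
NAS_SELECTS = ipaddress.IPv4Address("255.255.255.254")  # RFC 2865: NAS chooses the address


def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS type/length/value triples."""
    out = b""
    for attr_type, value in attrs:
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Decode the attribute region of a RADIUS packet; reject malformed lengths."""
    attrs = []
    while data:
        attr_type, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((attr_type, data[2:length]))
        data = data[length:]
    return attrs


def build_response(code, ident, attrs, request_auth, secret):
    """Build a RADIUS response carrying the Response Authenticator of RFC 2865 section 3."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret):
    """Return (code, attrs) if the Response Authenticator matches, else None."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                    # forged or wrong-secret reply: never act on its attributes
    return packet[0], decode_attrs(body)


@dataclass
class AddressAssigner:
    """Local address-assignment pools consulted after RADIUS authorization."""
    pools: dict                                  # pool name -> list of free IPv4 address strings
    default_pool: str
    leases: dict = field(default_factory=dict)   # user -> (address, source)

    def assign(self, user, attrs):
        # The decision order below is an assumption for this example, not a vendor's
        # documented behaviour: a concrete Framed-IP-Address wins, otherwise Framed-Pool
        # names a local pool, otherwise the default pool is used.
        last = dict(attrs)                       # if an attribute repeats, the last one wins
        if FRAMED_IP_ADDRESS in last:
            raw = last[FRAMED_IP_ADDRESS]
            if len(raw) != 4:
                return None                      # malformed attribute: refuse the session
            ip = ipaddress.IPv4Address(raw)
            if ip != NAS_SELECTS:                # 255.255.255.254 means "NAS picks from its pool"
                self.leases[user] = (str(ip), "radius-framed-ip")
                return self.leases[user]
        pool = last.get(FRAMED_POOL, b"").decode("ascii", "replace") or self.default_pool
        free = self.pools.get(pool)
        if not free:
            return None                          # unknown or exhausted pool: no address, login fails
        self.leases[user] = (free.pop(0), f"pool:{pool}")
        return self.leases[user]


def process_accept(assigner, user, packet, request_auth, secret):
    """Verify an Access-Accept and turn it into an address lease (None on any failure)."""
    verified = verify_response(packet, request_auth, secret)
    if verified is None or verified[0] != ACCESS_ACCEPT:
        return None
    return assigner.assign(user, verified[1])
```

The two failure modes a practitioner cares about are both visible in the return values: a reply whose Response Authenticator does not verify is discarded before any attribute is read, and a pool that is unknown or exhausted yields no address rather than silently falling through to another pool, which is the behaviour to log and alert on.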