Network Connect and internal DHCP/DNS questions

Sojourner_
Occasional Contributor

Network Connect and internal DHCP/DNS questions

We have a SA4500 cluster (active/passive) deployed that is currently running 6.5R1. We have reached a point where we need our Network Connect users to either A: get their DHCP leases from an internal DHCP server (InfoBlox) or B: for the IVEs to populate the internal DNS devices with the users' info.

Any ideas?

The "A" option appears to be a dead end. Currently we give IP addresses from specific DHCP ranges based on role memberships, and those ranges are allowed/denied to certain portions of the network by the internal firewall. EX: A user that gets mapped to "corporate" can get to our Exchange server, intranet, etc. whereas a user that gets mapped to "production" gets an IP that allows them to the production servers in the datacenter. So not only do we need to leverage the internal DHCP server, we also need to pass a variable to said internal DHCP server so it knows which IP pool to grant the user a lease from. I've asked our regional Juniper engineer and he doesn't know how to even begin to set this up.

The "B" option is less than ideal, but if we can figure it out, it will suffice as a work-around. We need the IVEs to send registration information to our internal DNS (also handled by the InfoBlox device). This way when our corp anti-virus says "username-xyz" has an issue, they can deal with it without pulling me into the fray to try and track down who the user is since they're connected in via Network Connect. It goes beyond AV - there are a lot of other instances that would benefit from Network Connect users actually registering with our internal DNS.

So has anyone ever set something like this up before? Are there any HOWTO guides laying around that detail how to set this up? This is very quickly becoming a major PITA and we need to find a solution soon.

MattS_
Frequent Contributor

Re: Network Connect and internal DHCP/DNS questions

Would using the DHCP Options allow you to do the correct IP assignment?

p.659 of the 6.5 Admin Guide:

"DHCP provides a framework for passing configuration information to hosts. Configuration parameters and other control information are carried in tagged data items that are stored in the options field of the DHCP message. You can specify the DHCP options to forward by entering the option number, its value and type and then clicking Add. For a complete list of DHCP options, see the "RFC2132 - DHCP Options and BOOTP Vendor Extensions" article available on the Internet. To delete an option, select the checkbox next to the option number then click the Delete button.

By default, the client's hostname is sent by the IVE to the DHCP server in the DHCP host name option (option 12). Passing the useruid in the DHCP hostname option is no longer supported. As an alternative, you can configure the following entry in the DHCP options table. For example:

option number=12, option value=<username><authMethod>, option type=String

Or you can pass a value by adding an entry in the DHCP options table for hostname with whatever value you want. For example:

option number=12, option value=foo, option type=String"

As the users are mapped to roles which determine which IP range they should be assigned, could each role have a different NC connection Profile associated with it? These could be configured to use different DHCP servers, so corporate users get mapped to a corporate role and the NC connection profile uses a DHCP server name/IP which will only return IPs from the corporate IP pool.

Sojourner_
Occasional Contributor

Re: Network Connect and internal DHCP/DNS questions

But would that work if it's the same DHCP server handling all of the pools? I can create separate NC profiles, that's not a problem.

Lord_Edam_
Contributor

Re: Network Connect and internal DHCP/DNS questions

For option B - is it not simply a case of ticking "register this connection's address in DNS" on the Netconnect adapter? You could probably script it with a logon script as well if you don't have easy access to the machines.

I tried getting multiple scopes setup in DHCP on Windows 2003 and it failed, so I just gave up in the end and used IP pools.

stine_
Super Contributor

Re: Network Connect and internal DHCP/DNS questions

I've been trying to make this work as well. I have a pair of DHCP servers (CentOS/ISC bind 9) and a single SA-2000. I have configured the IVE to send the role in DHCP option 224, and have configured the DHCP servers using

option ive-role code 224 = text;

class "sslvpn clients" {
        match if ( option vendor-class-identifier = "JNPR.IVE" ) and ( option ive-role = "" );
}

class "datalink clients" {
        match if ( option vendor-class-identifier = "JNPR.IVE" ) and ( option ive-role = "datalink" );
}

and have the following pools defined

subnet 192.168.126.0 netmask 255.255.255.0 {
        pool {
                failover peer                   "sdc-net";
                allow members of                "sslvpn clients";
                deny dynamic bootp clients;
                option routers                  192.168.126.1;
                option subnet-mask              255.255.255.0;
                option domain-name              "tranzdata.local";
                option domain-name-servers      192.168.126.84, 192.168.126.85;
                option domain-search-order      "dlnk.local,tranzdata.local";
                range                           192.168.126.192 192.168.126.224;
        }
        pool {
                failover peer                   "sdc-net";
                allow members of                "datalink clients";
                deny dynamic bootp clients;
                option routers                  192.168.126.1;
                option subnet-mask              255.255.255.0;
                option domain-name              "tranzdata.local";
                option domain-name-servers      192.168.126.84, 192.168.126.85;
                option domain-search-order      "tranzdata.local,dlnk.local";
                range                           192.168.126.225 192.168.126.254;
        }
        allow unknown-clients;
        ignore client-updates;
}

If I only have one DHCP server on-line, it works. When I enable the redundant DHCP server, I get the following error on both servers:

Jun 14 05:20:45 sdc-srvr-1x dhcpd: DHCPDISCOVER from 55:4e:49:00:00:00 via 192.168.126.38: peer holds all free leases

Theoretically, it should work fine, but I haven't completely figured it out yet.
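The admin-guide quote earlier in the thread describes DHCP options as tagged data items in the options field, and the dhcpd classes in the post above select a pool by two of those options: vendor-class-identifier (option 60, "JNPR.IVE") and the role the IVE places in site-local option 224. The script below is an added example, not code from this thread, from Juniper or from ISC: it parses an RFC 2132 options field into a code-to-value map and then applies the same two class rules, so you can see exactly which bytes the server is keying on. The DISCOVER payloads are constructed for illustration; the option numbers are the ones from the thread. One point worth keeping in mind when reading it: the role string arrives inside the client's request, so the server is trusting whatever the relay (here the IVE) put there, which is why the corporate/production firewall split still has to sit in front of the pools.

```python
"""Parse a DHCP options field (RFC 2132 TLV encoding) and classify the
client the way the two dhcpd classes in this thread do.

Added example, not from the thread, Juniper or ISC.  Option numbers are
taken from the thread: 12 (host-name), 60 (vendor-class-identifier) and
224 (site-local option the IVE was configured to carry the role in).
"""
import struct
from typing import Dict, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of RFC 2132 options
OPT_PAD, OPT_END = 0, 255
OPT_HOST_NAME = 12
OPT_VENDOR_CLASS = 60
OPT_IVE_ROLE = 224                    # site-specific code chosen in the thread


def parse_options(options: bytes) -> Dict[int, bytes]:
    """Return {option_code: raw_value} for a DHCP options field.

    A missing cookie, a truncated TLV or a missing END marker raises
    ValueError: a malformed field from a client is rejected, not guessed at.
    """
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    result: Dict[int, bytes] = {}
    i = len(MAGIC_COOKIE)
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:              # single-byte filler, no length field
            i += 1
            continue
        if code == OPT_END:
            return result
        if i + 1 >= len(options):
            raise ValueError("truncated option header at offset %d" % i)
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        # RFC 3396: a long option may be split over several TLVs; concatenate.
        result[code] = result.get(code, b"") + value
        i += 2 + length
    raise ValueError("options field not terminated by END")


def encode_options(opts: Dict[int, bytes]) -> bytes:
    """Build an options field from {code: value}; used to construct samples."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in opts.items():
        out += struct.pack("BB", code, len(value)) + value
    out.append(OPT_END)
    return bytes(out)


def classify(options: bytes) -> Optional[str]:
    """Apply the two class rules from the dhcpd.conf quoted in the thread.

    Both classes require vendor-class-identifier "JNPR.IVE"; an empty role
    selects "sslvpn clients", the role "datalink" selects "datalink clients".
    Anything else (including a request with no option 224 at all) matches
    neither class and therefore neither pool.  Note the role is client-side
    data: the server has no way to verify it beyond the vendor-class check.
    """
    opts = parse_options(options)
    vendor = opts.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace")
    if vendor != "JNPR.IVE":
        return None
    if OPT_IVE_ROLE not in opts:
        return None
    role = opts[OPT_IVE_ROLE].decode("ascii", "replace")
    if role == "":
        return "sslvpn clients"
    if role == "datalink":
        return "datalink clients"
    return None


def is_malformed(options: bytes) -> bool:
    """True if the options field would be rejected by parse_options()."""
    try:
        parse_options(options)
        return False
    except ValueError:
        return True


# Constructed sample DISCOVER option fields (not captured traffic).
CORPORATE_DISCOVER = encode_options(
    {OPT_HOST_NAME: b"username-xyz", OPT_VENDOR_CLASS: b"JNPR.IVE", OPT_IVE_ROLE: b""})
DATALINK_DISCOVER = encode_options(
    {OPT_HOST_NAME: b"username-xyz", OPT_VENDOR_CLASS: b"JNPR.IVE", OPT_IVE_ROLE: b"datalink"})
NON_IVE_DISCOVER = encode_options(
    {OPT_HOST_NAME: b"desktop-01", OPT_VENDOR_CLASS: b"MSFT 5.0"})

if __name__ == "__main__":
    for name, pkt in (("corporate", CORPORATE_DISCOVER),
                      ("datalink", DATALINK_DISCOVER),
                      ("non-IVE", NON_IVE_DISCOVER)):
        print("%-10s -> %s" % (name, classify(pkt)))
```

Running the script prints the class each constructed request would land in; feeding it the options bytes from a packet capture of a failing DISCOVER (for example one that draws "peer holds all free leases") lets you confirm the request carries the vendor class and role the classes expect before looking at the failover side.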

stine_
Super Contributor

Re: Network Connect and internal DHCP/DNS questions

I may have found my problem, I had my userid mapped to multiple roles, and when I split the roles/NC policies, it exposed a bad network (182.168.0.0/16 instead of the correct 192.168.0.0/16) so every test I ran failed... I'll try it again after I sleep.