network connect - assign ip address per user

player_
Frequent Contributor

how to?

any ideas?

unns_
Occasional Contributor

Re: network connect - assign ip address per user

Hello

You need to define a pool of addresses which can be used by users under the Network Connect profile (Resource policies -> NC -> NC profile).

When end users launch NC, it creates a virtual adapter and one of the IPs from the pool is used.

You can also use a DHCP server to allocate addresses, which is available under NC profile settings.

End-users sign in over an Internet connection, using an IP address from a
Network Connect IP address pool, to reach the DNS server on the MSP
network.

To view NC IP information, go to Status -> Active users and it will list the NC IP.

In an Active/Active cluster, the Network Connect IP address pool for each IVS is split across individual cluster
nodes by way of role-level settings.

Please accept this as a solution if it answers your question.

Unnati

JNCIS - SSL VPN

Mrkool_
Super Contributor

Re: network connect - assign ip address per user

If you are trying to assign users a non-random IP, then you can achieve this with RADIUS attributes if you are using two-factor.

plago_
Occasional Contributor

Re: network connect - assign ip address per user

I was able to do this via LDAP integration. Essentially I statically set the IP address I wanted for a user within the IP Phone attribute (you can use whatever attribute you wish). Once set inside your LDAP system (I used Microsoft AD), create a Connection Profile and select the IP Address Pool radio button under the IP Address Assignment section. Inside the IP Address Pool field, enter the LDAP attribute. In my case it was <userAttr.ipPhone>. Hope that helps.

ed_gpc_
Occasional Contributor

Re: network connect - assign ip address per user

Hi Plago,

I know it's been a couple years since this post, but I was wondering if this is still working for you.

I have an SA6000 on 7.1r6 and if I use <userAttr.ipPhone> I cannot login as it doesn't find any IP pools for the connection.

Thanks!

haas_
Contributor

Re: network connect - assign ip address per user

This was a real bear to get up and running a year or so ago. Just make sure, once you have the AD side set up and an IP address in the user's AD profile, that you have an NC Connections Profile set up in the IVE pointing towards the correct ROLE for that user. As well, in the NC Connections Profile under "ip addresses", make sure you have the <userAttr.ipPhone> statement in there.

kenlars_
Super Contributor

Re: network connect - assign ip address per user

I do this with the Radius attribute assignedaddress.

You need to figure out if the problem is with getting the parameter to the SA or applying the parameter to the session. Use policy tracing to ensure that the value of userAttr.ipPhone is reaching the Juniper. If it is not, the most likely issue is that it is not in the Server Catalog for your LDAP server.

As others have said, the address pool for the NC connection profile must contain <userAttr.ipPhone>.

Last, you must ensure that any address used is represented in the Network Connect subnets under Network>>Network Connect. If "*" is coded there, you are fine with any address. Otherwise, the subnet that userAttr.ipPhone belongs to must be in that list.

Ken
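The checks Ken describes (the attribute must carry a usable value, and that value must fall inside the Network Connect subnets unless "*" is configured) can be run against a directory export before users hit a failed login. This is an added example, not code from the thread or from Juniper; the function name, input format and sample values are assumptions, and the duplicate-address check goes beyond what the thread covers.

```python
import ipaddress
from collections import defaultdict

def audit_static_assignments(users, nc_subnets):
    """Return {username: [problem, ...]} for per-user static NC addresses.

    users      -- mapping of username -> ipPhone attribute value (str or None)
    nc_subnets -- list of CIDR strings, or ["*"] meaning any address is accepted
    """
    allow_any = "*" in nc_subnets
    nets = [ipaddress.ip_network(s, strict=False) for s in nc_subnets if s != "*"]
    problems = defaultdict(list)
    seen = {}  # parsed address -> first user holding it

    for user, raw in users.items():
        if not raw or not raw.strip():
            problems[user].append("ipPhone attribute empty or missing")
            continue
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            # e.g. the attribute still holds a phone extension
            problems[user].append(f"not an IP address: {raw!r}")
            continue
        if not allow_any and not any(addr in n for n in nets):
            problems[user].append(f"{addr} outside Network Connect subnets")
        if addr in seen:
            problems[user].append(f"{addr} already assigned to {seen[addr]}")
        else:
            seen[addr] = user
    return dict(problems)

# Constructed sample data (hypothetical users, addresses and subnet).
SAMPLE_USERS = {
    "alice": "10.20.30.11",
    "bob": "10.20.30.11",    # collides with alice
    "carol": "192.168.5.9",  # not in the configured subnet
    "dave": "",              # attribute never populated
    "erin": "x1234",         # leftover phone extension
}
SAMPLE_SUBNETS = ["10.20.30.0/24"]

if __name__ == "__main__":
    report = audit_static_assignments(SAMPLE_USERS, SAMPLE_SUBNETS)
    for user, issues in report.items():
        print(user, "->", "; ".join(issues))
```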

zanyterp_
Respected Contributor

Re: network connect - assign ip address per user


@ed_gpc wrote:

Hi Plago,

I know it's been a couple years since this post, but I was wondering if this is still working for you.

I have an SA6000 on 7.1r6 and if I use <userAttr.ipPhone> I cannot login as it doesn't find any IP pools for the connection.

Thanks!


How are you authenticating? If you do not utilize LDAP, you will not have access to the attribute. If you are using LDAP, do you have the attribute added to the server catalog (signing in>auth servers>ldapServerName, server catalog>attributes)? And that value must be populated in your directory server config.