SSL VPN
Contributor
Posts: 138
Registered: ‎03-17-2008

network connect - assign ip address per user

how to?

any ideas?

rock the boat , dont sink the ship
Juniper Employee
unns
Posts: 24
Registered: ‎03-22-2010

Re: network connect - assign ip address per user

Hello

You need to define a pool of addresses which can be used by users under the Network Connect profile (Resource policies -> NC -> NC profile).

When end users launch NC, it creates a virtual adapter and one of the IPs from the pool is used.

You can also use a DHCP server to allocate addresses, which is available under NC profile settings.

End-users sign in over an Internet connection, using an IP address from a Network Connect IP address pool, to reach the DNS server on the MSP network.

To view NC IP information, go to Status -> Active users and it will list the NC IP.

In an Active/Active cluster, the Network Connect IP address pool for each IVS is split across individual cluster nodes by way of role-level settings.

Please accept this as a solution if it answers your question.

Unnati

JNCIS - SSL VPN

Trusted Contributor
Mrkool
Posts: 248
Registered: ‎02-28-2008

Re: network connect - assign ip address per user

If you are trying to assign users a non-random IP, then you can achieve this with RADIUS attributes if you are using two-factor.

SA-6500 (7.3R3) Production
MAG 4610 (7.4) Lab
Visitor
plago
Posts: 8
Registered: ‎04-05-2010

Re: network connect - assign ip address per user

I was able to do this via LDAP integration. Essentially, I statically set the IP address I wanted for a user within the IP Phone attribute (you can use whatever attribute you wish). Once set inside your LDAP system (I used Microsoft AD), create a Connection Profile and select the IP Address Pool radio button under the IP Address Assignment section. Inside the IP Address Pool field, enter the LDAP attribute. In my case it was <userAttr.ipPhone>. Hope that helps.

Contributor
ed_gpc
Posts: 194
Registered: ‎09-21-2010
0

Re: network connect - assign ip address per user

Hi Plago,

I know it's been a couple of years since this post, but I was wondering if this is still working for you.

I have an SA6000 on 7.1r6 and if I use <userAttr.ipPhone> I cannot log in, as it doesn't find any IP pools for the connection.

Thanks!

Contributor
haas
Posts: 109
Registered: ‎06-27-2008

Re: network connect - assign ip address per user

This was a real bear to get up and running a year or so ago. Just make sure, once you have the AD side set up and an IP address in the user's AD profile, that you have an NC Connections Profile set up in the IVE pointing towards the correct ROLE for that user. Also, in the NC Connections Profile under "ip addresses", make sure you have the <userAttr.ipPhone> statement in there.

Jason J. Wald
Juniper Networks Certified
Internet Associate - FWV
Recognized Expert
kenlars
Posts: 420
Registered: ‎03-24-2008

Re: network connect - assign ip address per user

I do this with the Radius attribute assignedaddress.

You need to figure out if the problem is with getting the parameter to the SA or applying the parameter to the session. Use policy tracing to ensure that the value of userAttr.ipPhone is reaching the Juniper. If it is not, the most likely issue is that it is not in the Server Catalog for your LDAP server.

As others have said, the address pool for the NC connection profile must contain <userAttr.ipPhone>.

Last, you must ensure that any address used is represented in the Network Connect subnets under Network>>Network Connect. If "*" is coded there, you are fine with any address. Otherwise, the subnet that userAttr.ipPhone belongs to must be in that list.

Ken
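Added example, not part of any post in this thread and not Juniper code: a pre-flight audit of per-user static addresses exported from the directory, applying the subnet check described in the post above. It goes beyond the thread by also flagging non-IP values and addresses assigned to more than one user; the user names, addresses, the function name and the CIDR form of the subnet list are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: username -> value held in the ipPhone attribute.
SAMPLE_USERS = {
    "alice": "10.20.30.11",
    "bob": "10.20.30.11",      # same address as alice
    "carol": "x4521",          # attribute still holds a phone extension
    "dave": "",                # attribute never populated
    "erin": "192.168.50.7",    # valid, but not in the subnet list below
    "frank": "10.20.30.12",
}
# Assumed form of the Network Connect subnets list: CIDR strings, or "*".
SAMPLE_SUBNETS = ["10.20.30.0/24"]

def audit_static_assignments(users, nc_subnets):
    """Return {username: [problems]} for per-user static addresses."""
    allow_any = "*" in nc_subnets
    networks = [ipaddress.ip_network(s, strict=False)
                for s in nc_subnets if s != "*"]
    findings = defaultdict(list)
    owners = defaultdict(list)          # address -> users holding it
    for user, raw in sorted(users.items()):
        value = (raw or "").strip()
        if not value:
            findings[user].append("attribute is empty")
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            findings[user].append(f"not an IP address: {value!r}")
            continue
        owners[addr].append(user)
        if not allow_any and not any(addr in net for net in networks):
            findings[user].append(f"{addr} is outside the Network Connect subnets")
    # A static per-user address only works if exactly one user holds it.
    for addr, names in owners.items():
        for user in names if len(names) > 1 else []:
            others = ", ".join(n for n in names if n != user)
            findings[user].append(f"{addr} is also assigned to {others}")
    return dict(findings)

if __name__ == "__main__":
    for user, problems in audit_static_assignments(SAMPLE_USERS, SAMPLE_SUBNETS).items():
        print(f"{user}: {'; '.join(problems)}")
```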

Moderator
zanyterp
Posts: 2,270
Registered: ‎11-19-2007

Re: network connect - assign ip address per user


ed_gpc wrote:

Hi Plago,

I know it's been a couple years since this post, but I was wondering if this is still working for you.

I have an SA6000  on 7.1r6 and if I use <userAttr.ipPhone> I cannot login as it doesn't find any IP pools for the connection.

Thanks!


how are you authenticating? if you do not utilize LDAP you will not have access to the attribute. if you are using LDAP, do you have the attribute added to the server catalog (signing in>auth servers>ldapServerName, server catalog>attributes)? and that value must be populated in your directory server config.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.