Assign IP Address from Pool on Network Protection Server for VPN client

  • Question

  • I would like to assign an IP address from a pool on Network Protection Server for a VPN client. How can I achieve it?

    Situation 1)

    I can assign a "static" IP address for a dedicated user under Connection Request Policy.

    Situation 2)

    How can I assign an IP address from the pool on Network Policy if the VPN client hits the "User Group" conditions?

    Which settings/attribute can I use to achieve it? For example: 192.168.0.2-192.168.0.10 assigned to this user group.

    Thanks!

    Friday, October 9, 2015 4:10 AM

All replies

  • Hi tim001234,

    Based on my understanding, you want VPN clients that meet the connection request policy and network policy to obtain an IP address from a static address pool, such as 192.168.0.1-192.168.0.10.

    We may configure it in Routing and Remote Access Properties. Right-click Routing and Remote Access and click Properties. Click IPv4; under IPv4 address assignment, select “Static address pool” and click Add. In the New IPv4 Address Range dialog, we may enter the IP range you want to assign. When VPN clients meet the connection policies, they will get an IP address from this range.

    Best regards,

    Anne He


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, October 9, 2015 7:56 AM
  • Dear Anne,

    Thanks for your prompt reply.

    I am using a Cisco VPN ASA Gateway. Can NPS assign an IP address pool to a "User Group" directly?

    For a dedicated user, NPS can assign a static IP address directly.

    Friday, October 9, 2015 7:58 AM
  • I found a standard RADIUS Attribute "Framed-Pool" under NPS's Network Policy,

    "Description: Specifies the name of an assigned address pool that should be used to assign an address for the user"

    Can I use this feature to achieve the goal? If yes, how can I do it?

    Friday, October 9, 2015 8:03 AM
  • Hi tim001234,

    NPS supports the Framed-Pool RADIUS attribute; in the attribute we enter the name of the assigned address pool. However, if the NAS server doesn’t support multiple address pools, it will ignore this attribute. You may refer to RFC 2869 for detailed information about Framed-Pool:

    https://www.ietf.org/rfc/rfc2869.txt

    In other words, NPS itself doesn’t function as the server that assigns IP addresses to VPN clients directly; it just authenticates for the NAS server and returns the attribute to the NAS. And the resolution in my previous post will serve the same function to achieve your goal.

    Besides, here is a similar post for reference:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/11c5a2cc-a31e-4e90-831c-4d78349f6bf5/nps-and-serverside-ip-pooling?forum=winserverNIS

    Best Regards,

    Anne He

    Friday, October 9, 2015 10:01 AM
  • Dear Anne,

    Thanks for your reply.

    I am using a Cisco ASA VPN Gateway for VPN connections. How can I integrate it with NPS and RRAS to provide authentication and IP address assignment?

    Thanks!

    Best Regards,

    Timothy

    Friday, October 9, 2015 3:46 PM
  • Hi tim001234,

    I'm sorry to say that I don't have experience using a Cisco device with the Framed-Pool attribute to deploy IP address assignment for VPN connections. What I have tested is using Routing and Remote Access Properties, as I mentioned above, to assign IP addresses from a static pool to VPN clients.

    And as far as I'm concerned, this method will have a similar effect to what we expect, and it is easy to configure.

    Best Regards,

    Anne He

    Wednesday, October 28, 2015 9:20 AM