
How to set up the IVE to assign a Network Connect IP address based on LDAP attribute

SUMMARY:
This article outlines a method of using an LDAP attribute to assign a user-specific IP address to that user's Network Connect session.

PROBLEM OR GOAL:
Network Connect generally uses an IP address pool or a DHCP server to obtain an IP address for a user session.
However, sometimes there is a need to assign a specific IP address to each user of Network Connect.

SOLUTION:
The admin-intensive approach is to create a role for each user and then make a Network Connect Connection Profile policy for each of these roles. This is doable, but it can quickly get out of hand with a large number of users and introduces a lot of administrative overhead.
One alternative is to use LDAP authentication and authorization for users signing into the IVE and have the IVE pull a specific LDAP attribute containing the IP address to assign to that user. This note outlines a process for accomplishing this.
In this example scenario the LDAP server is a system running Windows Server 2003 with Active Directory.
Step A:
First select an LDAP attribute that can be used to hold the IP address. One way to do this is to place a sample IP address in one of the fields available under the user's properties in Active Directory, then use a standard LDAP browser (ldp.exe, available in Microsoft Support Tools) to look at the LDAP attributes and see where it appears.
1. On the Windows Server 2003 computer, go to Start > Administrative Tools > Active Directory Users and Computers.
2. Find a test user account, right-click it and select Properties to bring up the Properties dialog box.
3. One place that is generally available for an IP address is the Telephones tab. For this example the IP phone text field has been populated with the IP address to assign to this user.
4. Next, find the LDAP attribute name to use in the NC Connection Profile configuration using the LDAP browser tool.
5. Start ldp.exe from the command prompt.
6. From LDP, go to Connection > Connect and connect to the AD server.
7. Next go to Connection > Bind and use the credentials for an admin account.
8. Go to View > Tree to bring up the LDAP tree in the left-hand panel.
9. Expand the tree until you find the test user.
10. Once you find the entry, double-click it to show the user's attributes in the right pane.
In the sample case here, we find a listing for ipPhone: 172.18.65.210, which is the IP address to be assigned to this user. Remember the name of the LDAP attribute chosen, in this case ipPhone.
Step B:
Set up the IVE to use LDAP as the directory/attribute server for the realm the users will be logging into. Then use a policy trace to find the exact format of the LDAP user attribute that holds the assigned IP address.
1. First the LDAP server must be defined at Authentication > Auth. Servers. Notice that in the LDAP definition on the IVE the Admin DN is defined by the Active Directory display name for the cn value.
2. At the bottom of the LDAP server page you will see a link for Server Catalog. Click this link to bring up a dialog box that lets you look at the attributes the IVE pulls from the LDAP server.
3. Go to the Attributes tab and look for your attribute. If it is not listed there, it needs to be added, which can also be done on this screen. Once it is added, the dialog box can be closed.
4. At the realm, set the LDAP server as the directory/attribute server. Of course, role mapping rules need to be created to map users to the role that will be used for Network Connect.
5. Now set up the IVE to record a policy trace (Maintenance > Troubleshooting > User Sessions > Policy Tracing). The only Events to Log needed here are Authentication and Role Mapping.
6. Once the username and realm are entered for the trace, start the trace by clicking Start Recording at the bottom of the page. Then log into the realm using the test user account.
7. Once the bookmarks page appears, just sign out again.
8. Go back to the policy trace, click Stop Recording, and click View Log. Scrolling down through the trace, you will find the desired IP address listed as the value of the LDAP attribute pulled from the LDAP server. In this case, the LDAP attribute is userAttr.ipPhone.
9. Now set up a Network Connect Connection Profile to use this LDAP attribute in the IP address pool. The NC Connection Profile IP address pool is set up to contain:
<userAttr.ipPhone>
10. Remember to set up the other required policies for Network Connect, such as the access control list and the role configuration settings. Once this is done, log in with the test account again to verify that Network Connect starts and that the proper IP address is assigned to the user.
11. By double-clicking the Network Connect icon in the taskbar after it starts, you can see the IP address assigned. The Assigned IP address should now be the value of the LDAP attribute.
Note: The scenarios below describe the IP address the SA device assigns to a user's Network Connect session when <userAttr.ipPhone> and a range of IP addresses are configured in the IP address pool of the NC Connection Profile on the device.

IP address details:
1) userAttr.ipPhone == 10.141.226.101 (say)
2) Range of IP address pool: First Pool == 10.141.226.90 - 10.141.226.110 (say)

First scenario:
When only the <userAttr.ipPhone> IP address (10.141.226.101) is specified in the NC Connection Profile on the SA device, the user gets only this IP address for the Network Connect session.

Second scenario:
When only the range of IP addresses is specified in the NC Connection Profile on the SA device, the user's Network Connect session is assigned the first available IP address from the address pool; in this case the first IP is 10.141.226.90.

Third scenario:
When both <userAttr.ipPhone> and the range of IP addresses are specified in the NC Connection Profile on the SA device, with <userAttr.ipPhone> at the top of the list in the IP address pool field (as shown in the screenshot below), the user's NC client session is assigned the IP address of <userAttr.ipPhone> = 10.141.226.101.

Fourth scenario:
When both userAttr.ipPhone and the IP pool are configured in the NC Connection Profile on the SA device, but this time the range of IP addresses is at the top of the list (as shown in the screenshot below), the Network Connect client user gets an IP address from the top entry (the range of IP addresses), say 10.141.226.90 (the first IP in the range of the IP address pool).
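The pool-ordering rule behind the four scenarios, as an added model in Python (not Juniper's code; how the IVE parses the pool field and what it does with a missing or malformed attribute value are assumptions made here): entries are walked top to bottom, `<userAttr.NAME>` is substituted from the user's LDAP attributes, and the first address not already in use wins.

```python
import ipaddress

# Constructed sample of the attributes the IVE would pull for the test user (not a real directory).
SAMPLE_USER_ATTRS = {"sAMAccountName": "testuser", "ipPhone": "10.141.226.101"}


def expand_pool_entry(entry, user_attrs):
    """Expand one line of the NC Connection Profile IP address pool into candidate addresses.

    Two forms are modelled, as in the article: '<userAttr.NAME>' is substituted from the
    user's LDAP attributes, and 'A.B.C.D - W.X.Y.Z' is an inclusive range. Hypothetical
    helper; the IVE's own parser is not public.
    """
    entry = entry.strip()
    if entry.lower().startswith("<userattr.") and entry.endswith(">"):
        value = user_attrs.get(entry[len("<userAttr."):-1])
        if value is None:
            return []  # attribute absent on this user: assumption, the entry yields nothing
        try:
            return [ipaddress.IPv4Address(value.strip())]
        except ValueError:
            return []  # attribute is not a valid IPv4 address: skip it rather than guess
    if "-" in entry:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        return [ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1)]
    return [ipaddress.IPv4Address(entry)]


def assign_nc_address(pool_lines, user_attrs, in_use=frozenset()):
    """Walk the pool top to bottom; return the first address not already in use, else None."""
    for line in pool_lines:
        for addr in expand_pool_entry(line, user_attrs):
            if str(addr) not in in_use:
                return str(addr)
    return None


if __name__ == "__main__":
    ATTR, RANGE = "<userAttr.ipPhone>", "10.141.226.90 - 10.141.226.110"
    for label, pool in [("First", [ATTR]), ("Second", [RANGE]),
                        ("Third", [ATTR, RANGE]), ("Fourth", [RANGE, ATTR])]:
        print(f"{label} scenario: {pool} -> {assign_nc_address(pool, SAMPLE_USER_ATTRS)}")
```

Because the attribute value becomes the VPN address directly, the model refuses a value that is not a well-formed IPv4 address and falls through to the next pool entry, which is a check worth confirming in a policy trace on the real device.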
