I have my VPN currently set up and all has been working as expected. I now need to be able to have specific laptops assigned the same IP each time. My current VPN pool is relatively small and NATs to my primary scope. Any ideas or ways to accomplish it would be appreciated.
My initial thought is you’re doing it wrong. You usually want to track the user that’s logging into the network, not the laptop, but either way, you can do this. We have a similar requirement here where certain VPNs have static IPs assigned to users. The RADIUS server passes the IP as a Framed-IP attribute. I have only proof-of-concepted it on FortiGate, but it did work. You need to specifically enable IP assignment from the RADIUS server in the CLI (at least I did a couple years ago).
Here’s some example doc, but it’s flexible and there’s a couple of ways to do it. I had no problem finding a couple of other examples on Google.
Any RADIUS server should work. We use ClearPass. I’m not sure about TACACS, or AD directly.
Don’t quote me on this but I think this is possible when you disable split tunneling.
I think you could have a firewall rule that filters on device and source NATs the device to the desired IP. This is assuming you are using the full Forticlient, not the VPN only one. This would work for the laptops going to another network. I don’t think you could have another network connect into the laptops. This is due to the destination NAT not knowing what VPN IP would be assigned.
If you indicate why you need this, it may give us context and provide for further options.
I agree it’s doing it wrong. I have a specific need to keep each computer on the same IP and it really makes it cumbersome.
This has no relation to full/split-tunnel. You just need the IP assignment to be done through RADIUS, as that’s the only way to do static assignments currently in a sane way. (The insane way is custom per-user portals with single-IP IP pools.)
DHCP is on the way, so presumably once that’s out DHCP will be usable for static assignments.
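As an added illustration of the RADIUS approach described in the replies above (this is example configuration, not from the thread or from Fortinet or FreeRADIUS documentation): the FortiGate side points a user group at a RADIUS server, sets the SSL VPN portal to take its tunnel address from the RADIUS reply instead of the local pool, and maps the group to that portal; the RADIUS side returns a Framed-IP-Address per user. All object names, addresses, the shared secret and the username are assumptions; the lines beginning with # are annotations, not FortiOS commands.

```text
# --- FortiGate CLI (example; names and addresses are assumptions) ---
# RADIUS server object the SSL VPN will authenticate against
config user radius
    edit "RADIUS-VPN"
        set server "192.0.2.10"
        set secret "ExampleSharedSecret"
    next
end

# Local group whose members are authenticated by that RADIUS server
config user group
    edit "vpn-static-ip"
        set member "RADIUS-VPN"
    next
end

# Portal that takes the tunnel IP from the RADIUS reply (Framed-IP-Address)
# rather than handing out the next free address from an IP pool
config vpn ssl web portal
    edit "static-ip-portal"
        set tunnel-mode enable
        set ip-mode user-group
    next
end

# Map the group to the portal so these users land on it
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "vpn-static-ip"
            set portal "static-ip-portal"
        next
    end
end

# --- FreeRADIUS "users" file (example entry; username and address are assumptions) ---
# The reply attributes below are what the FortiGate uses for the tunnel address
alice   Cleartext-Password := "ExamplePassword"
        Framed-IP-Address = 10.212.134.50,
        Framed-IP-Netmask = 255.255.255.255
```

The entry is keyed on the username the laptop logs in with, which is what the reply above means by tracking the user rather than the device. Once a user connects, `diagnose vpn ssl list` on the FortiGate shows the virtual IP actually assigned to the session, which is the quickest way to confirm the RADIUS-supplied address was honoured rather than one from the pool.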
I have done similar with RADIUS before but don’t have one on this site to assign the IP. I am thinking individual portal per computer and a defined IP scope for each VPN portal. Haven’t tested yet but it’s all I can think of.
It’s related to a small agency 911 connection. They require it and I can’t figure a better way to do it.
DHCP is on the way
Fingers crossed. I miss this feature from AnyConnect.
Without RADIUS, that’s the only way.
If you have only a handful of users that need it it’s doable, but it absolutely does not scale.
I can’t see SSL VPN as an option for this. You may be able to do this with a DHCP server config aligned with an IPsec dialup VPN.
I have the same problem because of the portal limitation by hardware.