

how to configure with MS IAS Server

Question

Friday, February 4, 2011 10:30 AM

Hi All,

Can we configure attribute <msradiusframedipaddress> with MS IAS Server ?

Please help ..

Regards,

Dhruv Sharma

 

 

All replies (4)

Friday, February 4, 2011 2:57 PM ✅ Answered

Hi Dhruv,

This question may be better suited for the TMG/ISA forum: http://social.technet.microsoft.com/Forums/en/Forefrontedgegeneral/

Maybe a moderator can move this thread for us?

 

In the meantime, here are some links on it:

======
IAS <msradiusframedipaddress> attribute

Dial-In Property February 25th, 2006 - 06:46 pm ET by Matthew Ciantar
I am trying to modify the Active Directory Dial-In Property programmatically
http://us.generation-nt.com/answer/dial-property-help-77168152.html
http://help.lockergnome.com/windows2/Dial-Property--ftopict453581.html

======
To enter the IP address in the attribute, it must be entered as a 9 digit Decimal Number

To enter/configure this attribute, the IP address must be converted to a Decimal Number. Using the example, 172.29.255.130, here are the steps:
172.29.255.130 = AC.1D.FF.82 = AC1DFF82
(FFFFFFFF - AC1DFF82) + 1 = 1407320190
Then add neg sign number = -1407320190
msRADIUSFramedIPAddress  = -1407320190

You can also use a script to convert the IP address to a 9 digit Decimal number:

http://www.wisesoft.co.uk/Scripts/activedirectoryschema.aspx?Page=DialIn
(Click the user dialog for script examples)
The scripts include "IP Address to Integer" and "Integer to IP Address" functions.

Additional links on the scripts:
http://www.wisesoft.co.uk/Scripts/display_script.aspx?id=353
http://www.wisesoft.co.uk/Scripts/display_script.aspx?id=354

Converting IP Address to 9 Digit Decimal Number for msRADIUSFramed
http://www.eggheadcafe.com/software/aspnet/31753564/converting-ip-address-to-9-digit-decimal-number-for-msradiusframed.aspx

======
Specifics on the msRADIUSFramedIPAddress Attribute

Defined: msRADIUSFramedIPAddress Attribute
Caution: The msRADIUSFramedIPAddress attribute is used internally. Do not modify this value directly.
Applies to Windows 2000, 2003, 2003 R2, 2008 & 2008 R2
http://msdn.microsoft.com/en-us/library/ms678119(v=vs.85).aspx

However, it can be configured by scripting it:
Write msRADIUSFramedIPAddress (Assigned Static IP Address) attribute
http://www.wisesoft.co.uk/scripts/vbscript_write_msradiusframedipaddress_attribute_.aspx

To find the current configured attribute:
Read msRADIUSFramedIPAddress (Assigned Static IP Address ...Mar 2, 2008 ... Read the msRADIUSFramedIPAddress attribute. The "Assign a Static IP Address" attribute in the "Dial-In" page of the user dialog in Active ...
http://www.wisesoft.co.uk/scripts/vbscript_read_msradiusframedipaddress_attribute_.aspx

The 2.445 Attribute msRADIUSFramedIPAddress
cn: msRADIUSFramedIPAddress ldapDisplayName: msRADIUSFramedIPAddress ...
http://msdn.microsoft.com/en-us/library/cc220505(v=prot.13).aspx


 

Ace

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

This posting is provided AS-IS with no warranties or guarantees and confers no rights.
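
Added example, not part of the original thread or the linked scripts: the IP-to-integer steps from the answer above written out in Python, together with the reverse conversion. It assumes the attribute holds a signed 32-bit integer, which is why 172.29.255.130 comes out negative; the function names are illustrative, and addresses below 128.0.0.0 stay positive.

```python
import ipaddress
import struct


def ip_to_framed_int(ip: str) -> int:
    """Dotted-quad IPv4 -> signed 32-bit integer (assumed storage form)."""
    addr = ipaddress.IPv4Address(ip)  # raises AddressValueError on bad input
    # Reinterpret the four network-order bytes as a signed big-endian int.
    return struct.unpack("!i", addr.packed)[0]


def framed_int_to_ip(value: int) -> str:
    """Signed 32-bit integer -> dotted-quad IPv4."""
    if not -2**31 <= value <= 2**31 - 1:
        raise ValueError("value does not fit in a signed 32-bit integer")
    return str(ipaddress.IPv4Address(struct.pack("!i", value)))


def thread_steps(ip: str) -> int:
    """The same result via the manual arithmetic shown in the answer."""
    unsigned = int(ipaddress.IPv4Address(ip))  # e.g. 0xAC1DFF82
    if unsigned < 0x80000000:
        # High bit clear: the value already fits, no negation needed.
        return unsigned
    # (FFFFFFFF - value) + 1, then add the negative sign.
    return -((0xFFFFFFFF - unsigned) + 1)


if __name__ == "__main__":
    # 172.29.255.130 is the thread's example; the others are constructed.
    for sample in ("172.29.255.130", "192.168.1.10", "10.0.0.5"):
        n = ip_to_framed_int(sample)
        assert n == thread_steps(sample)
        print(f"{sample:>15} -> {n:>12} -> {framed_int_to_ip(n)}")
```
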


Wednesday, February 9, 2011 10:47 AM

Hi Ace,

Thanks a lot for the information. I went through the links provided and they state 2 important points.

1. Change the IP Address to 9 digit Decimal Number

2. We need to use a script that will enable an option in the MS IAS Server.

http://msdn.microsoft.com/en-us/library/cc220505(v=prot.13).aspx

 

Please confirm where and how I have to use this script in the AD / LDAP.

Regards,

Dhruv

 


Wednesday, February 9, 2011 11:01 AM

Hi Ace,

Further, I tried using the script provided; it is just a read script for reading the static IP address from the user profile.

http://www.wisesoft.co.uk/scripts/vbscript_read_msradiusframedipaddress_attribute_.aspx

But I am not able to find any attributes in IAS to find the attribute.

I can find the framed IP address attribute but am not able to find the same for the msframed IP address.

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/selected_topics/enforce_AD.html

 

Any clues ?

Regards,

 

Dhruv

 


Thursday, February 10, 2011 4:08 AM

Actually, the msRADIUSFramedIPAddress is the Static IP you assign a user account in Active Directory (user account properties, Dial-in tab), when you want to force the same IP all the time for a specific user when they dial in or use VPN.

It's not something you would change in IAS. You can tell IAS to use the attribute to provide an account the same specific static IP when they connect. If IAS is a domain member, it will recognize AD and all the attributes in the Schema and you take advantage of that fact offering finite control, such as setting a specific IP.

Make sense so far?

Ok, so now for the next tricky thing: not all vendors refer to attributes by the same name. Since Microsoft decided to use their own naming structure for many of the AD specific attributes (the attribute starts with an 'ms'), and this I believe is to not cause any conflicts with co-existing systems, Cisco uses a different name. I don't know if the name Cisco uses is the industry common name, but it appears it might be, because it starts with "IETF."

Anyway, Cisco calls it the IETF-Framed-Radius-IP-Address. If you look at the ASA PDM's "Add LDAP Attribute" window below (which I got from the Cisco link you provided), they show the "customer Attribute" which is where you put in the "msRADIUSFramedIPAddress."

 

 

 

 

Ace

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

This posting is provided AS-IS with no warranties or guarantees and confers no rights.