We have a Cisco ASA firewall which has VPN access configured on it. Currently it assigns IP address to clients from the address pool administered by itself (ASA). User authentication is done by a RADIUS server (MS Network Policy Server). We also have Microsoft Active Directory environment.
Few of the PCs (Windows 7 OS) which do NOT belong to the company domain have Shrew Soft VPN clients installed. We need to access resources on them via this dynamic VPN connection (i.e. access them via hostname.contoso.com:1234).
To do that, I presume we need them to either have static IP addressess which we would have in advance or have these clients update DNS server with their current VPN adapter IP address.
We have tried so far:
- Configuring static IP address on Shrew Soft VPN client software. Doesn't work - ASA will refuse to establish VPN tunnel with the device if VPN software has static IP defined. If we could make ASA accept this static IP, this could be a solution.
- Configuring ASA to use MS DHCP server as a source to get IP address for clients. Addresses are issued just fine, the problem is that we cannot make a DHCP reservation because we see no MAC address. In the "Unique ID" field we have some very long hex string (~60 characters). Tried to create DHCP reservation using that field, but it appears that this string has one character which auto-increments with each VPN connection attempt. If we could make it static - this could be a solution.
- There is an option (I would say, an ugly one) to create local user accounts on Cisco ASA for these users in question and assign them IP addresses via ASA policy, keep all the other users connect via RADIUS authentication as before via their current VPN profile. This would perhaps be our last resort..
- Currently we are exploring option to use PowerShell script which would run locally on the PC which would
a) call VPN client and establish tunnel
b) find out the IP address assigned to the virtual VPN adapter
c) ask DNS server to delete old "A" entry for that host and create new "A" entry with the new IP address.
The problem with the last one is that to send an update to DNS server you need to have proper rights to access DNS server (which is also AD Domain Controller), that would mean embedding these credentials in the script which is not also a pleasant option.
Is there anything we are missing? Anything which we could use in addition to the above mentioned? Or tweak some existing option and get it to work somehow?
Would appreciate any help!