KB12536 - How to set up the Pulse Connect Secure to assign a VPN Tunneling IP address based on LDAP attribute

Last Modified Date: 4/24/2017 9:29 PM
This article outlines a method of using an LDAP attribute to assign a user-specific IP address to that user's VPN Tunnel session.
Problem or Goal
The admin-intensive approach is to create a role for each user and then make a VPN Tunneling Connection Profile policy for each of these roles. This is doable, but it introduces a lot of administrative overhead and can quickly get out of hand if there are a large number of users.

One alternative solution is to use LDAP Authentication and Authorization for users signing into the IVE and have the IVE pull a specific LDAP attribute containing the IP address to assign to that user. This note outlines a process for accomplishing this.

In this example scenario the LDAP server is a system running Windows Server 2003 with Active Directory.

Step A:
First select an LDAP attribute that can be used to hold the IP address.  One method used to do this is to place a sample IP address in one of the fields available for the user’s properties under Active Directory.  Then, using Standard LDAP Browser (ldp.exe is available in Microsoft Support Tools), look at the LDAP attributes to see if it appears there.
  1. On the Windows Server 2003 computer, go to Start > Administrative Tools > Active Directory Users and Computers.
  2. Find a test user account, right click and select Properties to bring up the Properties dialog box.
  3. One place that is generally available to put an IP address in is the Telephones tab. For this example the text field for IP phone has been populated with the IP address to assign to this user.
  4. Next, find the LDAP attribute name to use in the NC Connection Profile configuration using the Standard LDAP Browser tool.
  5. Start ldp.exe from the command prompt.
  6. Then from LDP, go to Connection > Connect to the AD server.
  7. Next go to Connection > Bind and use the credentials for an admin account.
  8. Go to View > Tree to bring up the LDAP tree in the left hand panel.
  9. Expand down through the tree until you find the test user.
  10. Once you find the entry, double click on it to get the user’s attributes in the right pane.
In the sample case here, we enter a listing for ‘ipPhone:’, which is the IP address to be assigned to this user. Remember the name of the LDAP attribute chosen, in this case ‘ipPhone’.

Step B:
Set up the PCS to use LDAP as the directory/attribute server for the realm the users will be logging into. Then use a policy trace to find the exact format for the LDAP user attribute that holds the assigned IP address.
  1. First, the LDAP server must be defined at Authentication > Auth. Servers. Notice that in the LDAP definition on the PCS, the Admin DN is defined by the Active Directory display name for the cn value.
  2. At the bottom of the LDAP server page you will see a link for Server Catalog. Click on this link to bring up a dialog box that will allow you to look at the attributes the IVE pulls from the LDAP server.
  3. Go to the Attributes tab and look for your attribute. If it is not listed there, it will need to be added, which can also be done on this screen. Once it is added, the dialog box can be closed.
  4. At the realm, the LDAP server is set to be the directory attribute server. Of course, role mapping rules need to be created to map users to the role that will be used for Network Connect.
  5. Now the IVE needs to be set up to get a policy trace (Maintenance > Troubleshooting > User Sessions > Policy Tracing). The only Events to Log needed here are Authentication and Role Mapping.
  6. Once the username and Realm are input for the trace, start the trace by clicking on Start Recording at the bottom of the page. Then log into the Realm using the test user account.
  7. Once the bookmarks page appears, just sign out again.
  8. Go back to the policy trace, Stop Recording, and click View Log. Scrolling down through the trace, you will find the desired IP address listed as the value of the LDAP attribute pulled from the LDAP server. In this case, the LDAP attribute is “userAttr.ipPhone”.
  9. Now set up a VPN Tunneling Connection Profile to use this LDAP attribute in the IP address pool. The VPN Tunneling Connection policy IP address pool is set up to contain: <userAttr.ipPhone>
  10. Remember to set up the other required policies for VPN Tunneling, such as the Access Control list and the role’s configuration settings. Once this is done, the test account can be accessed again to verify that Network Connect does start up and that the proper IP address is getting assigned to the user.
  11. By double-clicking on the Network Connect icon in the taskbar after it starts, you can see the IP address assigned. This should now show the Assigned IP address to be the value of the LDAP attribute.

The scenarios below show which IP address the SA device assigns to a user's Network Connect session when <userAttr.ipPhone> and a range of IP addresses (IP address pool) are specified in the NC Connection Profiles on the device.

IP address details:

1) userAttr.ipPhone ==

2) Range of IP address Pool

First Pool == -

First Scenario.
  • When only the <userAttr.ipPhone> IP address ( is specified in the VPN Tunneling Connection Profiles on the SA device, the user gets only this IP address for the Network Connect session.

Second Scenario.
  • When only the range of IP addresses is specified in the VPN Tunneling Connection Profiles on the SA device, the user's Network Connect session is assigned the first available IP address from the address pool; in this case, say the first IP is 10.141.226.90.

Third Scenario.
  • Both <userAttr.ipPhone> and the range of IP addresses are specified in the VPN Tunneling Connection Profiles on the PCS device, with <userAttr.ipPhone> listed first.

Then the user's VPN Tunneling client session will be assigned the IP address of <userAttr.ipPhone> = , as it is configured at the top of the list in the IP address pool field.

Fourth Scenario.

  • Both <userAttr.ipPhone> and the IP pool are specified in the VPN Tunneling Connection Profiles on the PCS device, but this time the range of IP addresses comes first, at the top of the list.

Then the VPN Tunneling client user will get an IP address from the entry at the top of the list (the range of IP addresses), say (first IP in the range of IP address pool).
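
Because the address each user receives now comes straight from a directory attribute, the stored values are worth auditing before the connection profile relies on them. The following is an added example, not part of the original article or of any Pulse Secure tooling: a Python check over an LDIF export of sAMAccountName and ipPhone that reports values that are not IPv4 addresses, addresses set on more than one user, and addresses that fall inside a dynamic range also listed in the connection profile. The sample entries, the example.test domain and the pool end address are constructed, and treating an overlap with the range as something to review is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the shape of an LDIF export of sAMAccountName and
# ipPhone; users, domain and addresses are made up for illustration.
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=test
sAMAccountName: alice
ipPhone: 10.141.226.200

dn: CN=Bob Example,CN=Users,DC=example,DC=test
sAMAccountName: bob
ipPhone: 10.141.226.200

dn: CN=Carol Example,CN=Users,DC=example,DC=test
sAMAccountName: carol
ipPhone: 10.141.226.95

dn: CN=Dave Example,CN=Users,DC=example,DC=test
sAMAccountName: dave
ipPhone: x1234
"""

def parse_ldif(text):
    """Yield one attribute dict per entry (folded lines and base64 '::' values are skipped)."""
    for block in text.replace("\r\n", "\n").strip().split("\n\n"):
        yield dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)

def audit(ldif_text, pool_first, pool_last):
    """Return (user, problem) findings for the ipPhone values in the export."""
    lo, hi = ipaddress.IPv4Address(pool_first), ipaddress.IPv4Address(pool_last)
    findings, owners = [], defaultdict(list)
    for entry in parse_ldif(ldif_text):
        user, raw = entry.get("sAMAccountName", "?"), entry.get("ipPhone", "").strip()
        try:
            ip = ipaddress.IPv4Address(raw)
        except ipaddress.AddressValueError:
            findings.append((user, f"ipPhone is not an IPv4 address: {raw!r}"))
            continue
        owners[ip].append(user)
        if lo <= ip <= hi:
            findings.append((user, f"{ip} is inside the dynamic pool range"))
    for ip, users in owners.items():
        if len(users) > 1:
            findings.append((", ".join(users), f"{ip} is set on more than one user"))
    return findings

if __name__ == "__main__":  # pool end address below is constructed
    print(*audit(SAMPLE_LDIF, "10.141.226.90", "10.141.226.99"), sep="\n")
```
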
Created By: Data Deployment


