Secure Mobile Access 12.4 Administration Guide

User-Mapped Tunnel Addressing

User-Mapped Tunnel Addressing enables network administrators to identify network traffic from a specific user by the source IPv4 address of the traffic.

On an internal network, administrators may sometimes be able to associate specific end users with specific IPv4 addresses that the administrator assigns to those users.

Although assigning IP addresses to specific users is currently supported through the use of external RADIUS servers, User-Mapped Tunnel Addressing enables administrators to specify the assignment from an attribute in the appliance's local authentication server.

Administrators who deploy a RADIUS server as their authentication server can include an IPv4 address in the RADIUS Framed IP Address parameter for a specific user and associate that user's Community with a RADIUS address pool. This type of assignment can be done only if the address is available and no addressing conflicts prohibit it.

If an address conflict prevents this type of assignment, the normal tunnel addressing process continues with the next address pool in the list that the Community allows. If no more pools are available, the tunnel configuration fails.

The RADIUS Pool in the Configure Network Tunnel Service is now called the User-Mapped Pool. When a RADIUS-framed IP address is available from the authentication server, that address is available to the User-Mapped Pool. An IPv4 address provided by a user’s local authentication server is also available to the User-Mapped Pool and is used exactly as if it came from the RADIUS Pool. The User-Mapped Tunnel Addressing feature extends user-mapped addresses to the local user’s authentication server. No other address pools may supply these addresses.

More than one address may be obtained from the authentication server, enabling a single user to establish more than one tunnel simultaneously, on separate devices. The number of simultaneous tunnel connections that a single user can establish can be configured by specifying the number of addresses for a user in the authentication server. This value can also be configured by setting the Maximum Active Sessions limit for all users of a particular community on the Configure Community page.

The User-Mapped Tunnel Address Pool, like RADIUS, can be used to provide a strict correspondence (or mapping) between virtual IPv4 addresses and tunnel clients. You can specify that a particular client gets a virtual address from a particular pool on the Network Tunnel Client Settings page. The client is assigned to a specific community and that community only gets IPv4 addresses from a particular address pool.

The User-Mapped Tunnel Address Pool attempts to establish an IPv4 address as the tunnel virtual address at tunnel connect time. If the address is available and no client-side conflicts arise, the virtual address is assigned. If the address fails, then the system proceeds to the next address pool in the list allowed by the community. If no other address pools are available, the tunnel connection attempt fails.

The User-Mapped Tunnel Address Pool is not limited to the appliance's own authentication server as a source of IPv4 addresses. It may obtain addresses from its own authentication server or from the client’s local authentication server.

The authentication server may supply an ordered list of IPv4 addresses, not just a single address, so that you can assign multiple simultaneous tunnel connections to a single client, on separate devices.

On the Security Administration > Users & Groups page, on the Add Local User page, under the Advanced section, you can configure the following fields:

  • Email address

  • Device identifier(s)

  • IP address(es)

To edit local user information

  1. In the AMC, navigate to Security Administration > Users & Groups.

  2. Click Local Accounts and then click on the Name of the local account you want to edit.

  3. Expand the Advanced section to access the additional options.

  4. In the Email Address field, configure an email address for the user. This address is used for sending one-time passwords to the user, and overrides the default username@domain email address. This email address is assigned to the “mail” attribute for the user.

  5. In the Device identifier(s) field, enter one or more (comma-delimited) device identifiers for computers or other devices that are associated with this user.

  6. In the IP address(es) field, enter either a single IPv4 address or a comma-delimited list of IPv4 addresses:

    • A single IPv4 address should match the network address of the resource interface.

    • A list of IPv4 addresses is presented to the User-Mapped Tunnel Address Pool in the order the addresses appear in the list.
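The selection order the guide describes (user-mapped addresses tried in list order, then the next pool the community allows, then failure, with the Maximum Active Sessions limit applied) can be modelled to see how the IP address(es) field behaves for a user with several devices. The following is an added example written for this page, not SonicWall code and not the appliance's actual implementation. It assumes: the field arrives as a comma-delimited string; "match the network address of the resource interface" is read as "lie on the resource interface's network"; address availability is modelled as a set of addresses held by active tunnels; fallback pools are plain IPv4 networks; and all addresses, users and pool names are constructed sample values.

```python
import ipaddress


class TunnelSetupError(Exception):
    """Raised when no pool allowed by the community can supply an address."""


def parse_user_addresses(field_value: str, resource_network: str) -> list[str]:
    """Parse the comma-delimited 'IP address(es)' field of a local user.

    Only IPv4 is accepted (the feature is IPv4-only) and every address must lie on
    the resource interface's network (this example's reading of the guide's rule).
    Order is preserved because it is the order offered to the User-Mapped Pool;
    duplicates are dropped since the same address cannot back two tunnels.
    """
    network = ipaddress.IPv4Network(resource_network)
    addresses: list[str] = []
    for item in field_value.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            addr = ipaddress.IPv4Address(item)
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"{item!r}: not a valid IPv4 address") from exc
        if addr not in network:
            raise ValueError(f"{item}: not on resource interface network {network}")
        if str(addr) not in addresses:
            addresses.append(str(addr))
    return addresses


class TunnelAddressing:
    """Model of the pool selection order; hypothetical, not the appliance's code."""

    def __init__(self, fallback_pools: list[tuple[str, str]], max_active_sessions: int):
        # Pools the community allows after the User-Mapped Pool, in list order.
        self.fallback_pools = [(name, ipaddress.IPv4Network(net)) for name, net in fallback_pools]
        self.max_active_sessions = max_active_sessions  # Configure Community limit
        self.in_use: set[str] = set()                   # virtual addresses held by live tunnels
        self.sessions: dict[str, list[str]] = {}        # user -> addresses of active tunnels

    def connect(self, user: str, user_addresses: list[str]) -> tuple[str, str]:
        """Return (pool name, virtual address) for a new tunnel, or raise."""
        active = self.sessions.setdefault(user, [])
        if len(active) >= self.max_active_sessions:
            raise TunnelSetupError(f"{user}: Maximum Active Sessions ({self.max_active_sessions}) reached")
        # 1. User-Mapped Pool: the authentication server's addresses, in list order.
        for addr in user_addresses:
            if addr not in self.in_use:
                return self._assign(user, "User-Mapped Pool", addr)
        # 2. Conflict on every mapped address: continue with the next allowed pool.
        for name, network in self.fallback_pools:
            for host in network.hosts():
                if str(host) not in self.in_use:
                    return self._assign(user, name, str(host))
        # 3. No pool left: the tunnel connection attempt fails.
        raise TunnelSetupError(f"{user}: no address pools available")

    def _assign(self, user: str, pool: str, addr: str) -> tuple[str, str]:
        self.in_use.add(addr)
        self.sessions[user].append(addr)
        return pool, addr

    def disconnect(self, user: str, addr: str) -> None:
        self.in_use.discard(addr)
        self.sessions[user].remove(addr)


def demo() -> list[str]:
    """Walk one user through four devices, then show a mapping conflict. Constructed data."""
    outcomes: list[str] = []
    user_addrs = parse_user_addresses("10.10.20.5, 10.10.20.6", "10.10.20.0/24")
    ta = TunnelAddressing(fallback_pools=[("Dynamic Pool", "10.10.30.0/24")], max_active_sessions=3)
    for device in ("laptop", "phone", "tablet", "desktop"):
        try:
            pool, addr = ta.connect("alice", user_addrs)
            outcomes.append(f"alice/{device}: {addr} from {pool}")
        except TunnelSetupError as exc:
            outcomes.append(f"alice/{device}: FAILED ({exc})")
    # Strict mapping: no fallback pools, so a second user mapped to the same address fails.
    strict = TunnelAddressing(fallback_pools=[], max_active_sessions=1)
    strict.connect("bob", ["10.10.20.9"])
    try:
        strict.connect("carol", ["10.10.20.9"])
    except TunnelSetupError as exc:
        outcomes.append(f"carol: FAILED ({exc})")
    return outcomes


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two user-mapped addresses give the user two simultaneous tunnels with predictable source addresses; the third device only connects because the community also allows a dynamic pool, and it then carries an address that can no longer be attributed to the user by source IP alone. Leaving the fallback pools empty, as in the `strict` case, is what turns the mapping into the strict correspondence the guide mentions, at the cost of a failed connection when the mapped address is already held.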
