User-Mapped Tunnel Addressing
User-Mapped Tunnel Addressing enables network administrators to identify network traffic from a specific user
by the source IPv4 address of the traffic.
On an internal network, administrators may sometimes be able to associate specific end users with specific IPv4
addresses that the administrator assigns to those users.
Although assigning IP addresses to specific users is currently supported through the use of external RADIUS
servers, User-Mapped Tunnel Addressing enables administrators to specify the assignment from an attribute in
the appliance's local authentication server.
Administrators who deploy a RADIUS server as their authentication server can include an IPv4 address in the
RADIUS Framed IP Address parameter for a specific user and associate that user's Community with a RADIUS
address pool. This type of assignment can be done only if the address is available and no addressing conflicts
If an address conflict prevents this type of assignment, the normal tunnel addressing process
continues with the next tunnel in the list that is allowed by the Community. If no more pools are available,
the tunnel configuration fails.
The RADIUS Pool in the Configure Network Tunnel Service is now called the User-Mapped Pool. When a
RADIUS-framed IP address is available from the authentication server, that address is available to the
User-Mapped Pool. An IPv4 address that is provided by a user’s local authentication server is also available to
the User-Mapped Pool and is used exactly the same as if it were from the RADIUS Pool. The User-Mapped Tunnel
Addressing feature extends user-mapped addresses to the local user’s authentication server. No other address
pools may supply addresses.
More than one address may be obtained from the authentication server, enabling a single user to establish
more than one tunnel simultaneously, on separate devices. The number of simultaneous tunnel connections
that a single user can establish can be configured by specifying the number of addresses for a user in the
authentication server. This value can also be configured by setting the Maximum Active Sessions limit for all
users of a particular community on the Configure Community page.
The User-Mapped Tunnel Address Pool, like RADIUS, can be used to provide a strict correspondence (or
mapping) between virtual IPv4 addresses and tunnel clients. You can specify that a particular client gets a virtual
address from a particular pool on the Network Tunnel Client Settings page. The client is assigned to a specific
community and that community only gets IPv4 addresses from a particular address pool.
The User-Mapped Tunnel Address Pool attempts to establish an IPv4 address as the tunnel virtual address at
tunnel connect time. If the address is available and no client-side conflicts arise, the virtual address is assigned.
If the address fails, then the system proceeds to the next address pool in the list allowed by the community. If no
other address pools are available, the tunnel connection attempt fails.
The source of IPv4 addresses is not limited to the pool's own authentication server. The
User-Mapped Tunnel Address Pool may get addresses from its own authentication server or from the client’s
local authentication server.
The authentication server may supply an ordered list of IPv4 addresses, not just a single address, so that you can
assign multiple simultaneous tunnel connections to a single client, on separate devices.
On the Security Administration > Users & Groups page, on the Add Local User page, under the Advanced section, you can configure the following fields:
To edit local user information
1. In the AMC, navigate to Security Administration > Users & Groups.
2. Click Local Accounts and then click on the Name of the local account you want to edit.
3. Expand the Advanced section to access the additional options.
4. In the Email Address field, configure an email address for the user. This address is used for sending one-time passwords to the user, and overrides the default username@domain email address. This email address is assigned to the “mail” attribute for the user.
5. In the Device identifier(s) field, enter one or more (comma-delimited) device identifiers for computers or other devices that are associated with this user.
6. In the IP address(es) field, enter either a single IPv4 address or list of IPv4 addresses (comma-delimited). If you enter a:
   - Single IPv4 address, each IPv4 address should match the network address of the resource interface.
   - List of IPv4 addresses, these addresses are presented to the User-Mapped Tunnel Address Pool, in the order they appear in the list.
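Because the feature exists to attribute traffic to a user by source address, the IP address(es) values are worth auditing before they are entered. The following is an added example, not part of the original documentation or the appliance's software: it parses the comma-delimited field per user, flags invalid, out-of-network and doubly assigned addresses, and builds the reverse lookup used for attribution. The usernames, addresses and the 10.20.30.0/24 network are constructed, and it assumes that "match the network address of the resource interface" means the address lies inside that interface's network.

```python
import ipaddress

# Constructed sample data: usernames and addresses are hypothetical.
SAMPLE_USERS = {
    "alice": "10.20.30.11, 10.20.30.12",   # ordered list: two simultaneous tunnels
    "bob": "10.20.30.12",                  # collides with alice's second address
    "carol": "192.168.5.9",                # not on the assumed interface network
    "dave": "10.20.30.300",                # not a valid IPv4 address
}
SAMPLE_NETWORK = "10.20.30.0/24"           # assumed resource-interface network


def parse_ip_field(value):
    """Parse a comma-delimited IP address(es) value, preserving list order."""
    tokens = [t.strip() for t in value.split(",") if t.strip()]
    return [ipaddress.IPv4Address(t) for t in tokens]  # raises on bad input


def audit_user_map(user_fields, interface_network):
    """Return (reverse_map, problems) for a {username: field value} dict."""
    net = ipaddress.IPv4Network(interface_network)
    reverse, problems = {}, []
    for user, value in sorted(user_fields.items()):
        try:
            addrs = parse_ip_field(value)
        except ipaddress.AddressValueError as exc:
            problems.append((user, f"invalid entry: {exc}"))
            continue
        for addr in addrs:
            if addr not in net:
                problems.append((user, f"{addr} is outside {net}"))
            elif addr in reverse:
                problems.append((user, f"{addr} already mapped to {reverse[addr]}"))
            else:
                reverse[addr] = user
    return reverse, problems


def attribute(reverse_map, source_ip):
    """Map a source IPv4 address seen in traffic logs back to a username."""
    return reverse_map.get(ipaddress.IPv4Address(source_ip))


if __name__ == "__main__":
    reverse, problems = audit_user_map(SAMPLE_USERS, SAMPLE_NETWORK)
    for user, issue in problems:
        print(f"{user}: {issue}")
    print("10.20.30.12 ->", attribute(reverse, "10.20.30.12"))
```

An address that appears under two users makes source-address attribution ambiguous, so resolve every reported problem before relying on the mapping in log review.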