Cisco AnyConnect Static IPv6

We are using Cisco AnyConnect to provide VPN for our users (which we authenticate via RADIUS). Recently we needed to provide some users with static IP addresses.

For IPv4 this was easy, since the ASA we are using supports RADIUS attribute 8 (Framed-IP-Address). For IPv6 there is an equivalent RADIUS attribute 168 (Framed-IPv6-Address), defined in RFC 6911. Unfortunately, the ASA doesn’t support that attribute.

But thanks to Cisco support we found out that the ASA (starting with version 9.0(1)) does support RFC 3162 (Cisco Bug ID CSCtr65342). RFC 3162 provides RADIUS attributes 96 (Framed-Interface-Id) and 97 (Framed-IPv6-Prefix). With these two you can easily provide static IPv6 addresses to your AnyConnect users.

To assign a user the address 2001:db8::42/64 you just set the following attributes in your RADIUS server:

Framed-IPv6-Prefix = 2001:db8:0:0::/64
Framed-Interface-Id = 0:0:0:42
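
The split shown above (a /64 prefix plus the low 64 bits as the interface id) can be generated and checked for a whole list of users. The following Python is an added example, not part of the original post or of any Cisco or RADIUS tooling; the function names and the sample users are hypothetical, and it assumes /64 prefixes as in the example above.

```python
import ipaddress

HOST_MASK = (1 << 64) - 1  # Framed-Interface-Id carries the low 64 bits


def split_static_address(cidr):
    """'2001:db8::42/64' -> ('2001:db8::/64', '0:0:0:42')."""
    iface = ipaddress.IPv6Interface(cidr)
    if iface.network.prefixlen != 64:
        raise ValueError(f"{cidr}: a 64-bit interface id needs a /64 prefix")
    host = int(iface.ip) & HOST_MASK
    if host == 0:
        # prefix::0 is the subnet-router anycast address (RFC 4291)
        raise ValueError(f"{cidr}: interface id is all zeros")
    groups = [(host >> shift) & 0xFFFF for shift in (48, 32, 16, 0)]
    return str(iface.network), ":".join(f"{g:x}" for g in groups)


def combine(prefix, interface_id):
    """Rebuild the address that the two attribute values describe."""
    net = ipaddress.IPv6Network(prefix)
    parts = interface_id.split(":")
    if net.prefixlen != 64 or len(parts) != 4:
        raise ValueError("expected a /64 prefix and four 16-bit groups")
    host = 0
    for part in parts:
        value = int(part, 16)
        if not 0 <= value <= 0xFFFF:
            raise ValueError(f"group {part!r} is not a 16-bit hex value")
        host = (host << 16) | value
    address = ipaddress.IPv6Address(int(net.network_address) | host)
    return ipaddress.IPv6Interface(f"{address}/{net.prefixlen}")


def reply_attributes(assignments):
    """Map user -> attribute lines; refuse two users sharing one address."""
    seen, out = {}, {}
    for user, cidr in assignments.items():
        prefix, iid = split_static_address(cidr)
        addr = combine(prefix, iid)  # round-trip check of the split
        if addr in seen:
            raise ValueError(f"{user} and {seen[addr]} share {addr}")
        seen[addr] = user
        out[user] = [f"Framed-IPv6-Prefix = {prefix}",
                     f"Framed-Interface-Id = {iid}"]
    return out


if __name__ == "__main__":
    # Constructed sample users in the documentation prefix 2001:db8::/32
    sample = {"alice": "2001:db8::42/64", "bob": "2001:db8::1:0:43/64"}
    for user, lines in reply_attributes(sample).items():
        print(user, *lines, sep="\n  ")
```

Python prints the prefix in its shortest form (2001:db8::/64), which is the same prefix as 2001:db8:0:0::/64 above.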

To set a static IPv6 address for local users, one can use vpn-framed-ipv6-address, which is documented in the Release Notes and the Command Reference.

Update November 2015:

Support for this is currently broken in ASA 9.1(6) and a couple of other versions; there is an open Cisco Bug, CSCus34033. In the 9.1 release train (since we are using an ASA5520), it should be fixed in ASA 9.1(7), coming up in January.
