How to assign IP address to VPN client with PIX 6.3 and ACS

Unanswered Question
Jun 7th, 2007

Hello,

I have working environment with PIX 6.3 and remote VPN clients 4.x.

Authentication and IP assignment are done locally via the following commands:

crypto map outside_map client authentication LOCAL

ip local pool

Now our customer wants to implement Cisco ACS.

Users can authenticate via ACS RADIUS, but how can ACS RADIUS assign an IP address to VPN clients?

Which command must I set up on the PIX, and what is the procedure for ACS RADIUS?

Best regards

Mark

jaffer_sathik2010 Fri, 06/08/2007 - 02:11

Hi Mark,

You need to enable the RADIUS/TACACS+ protocol in your PIX device and then configure the IP address of the host where your ACS is running.

Here are the commands:

PIX(config)#aaa-server RADIUS protocol radius

PIX(config)#aaa-server RADIUS (inside) host x.x.x.x <keystring> timeout <seconds>

*keystring is nothing like a password to access the ACS server running at the location x.x.x.x y.y.y.y

Finally, change the client authentication method from LOCAL to radius.

The command to do is:

PIX(config)#crypto map outside_map client authentication RADIUS

After configuring the PIX box, install the ACS at the respective location. ACS will allow you to create user accounts and groupings of users, configure user credentials etc.; there you will find an option to define the range of IP addresses for the VPN clients.

Once a VPN client is authenticated by the ACS server, it allocates an IP to the client from its configured range.

Please rate all helpful posts.

--Jaffer

marko.rahne Tue, 06/12/2007 - 00:08

I configured exactly as you said.

But what about the pool?

a) If I remove this command, no IP address is assigned to the client; I assigned the IP address in the ACS section "Client IP Address Assignment":

vpngroup vgroup1 address-pool vpnpool (vpnpool is defined as a local pool)

b)

vpngroup vgroup1 address-pool ACSpool

If I configure this command, I receive the error

"no local pool configured"

jaffer_sathik2010 Tue, 06/12/2007 - 01:26

Hi,

Those two commands are not necessary.

a) No need to create a pool of IP addresses in the PIX device, since you would have already configured it in the ACS server.

b) It will definitely throw an error because 'ACSpool' is configured in the ACS server and not in the PIX device.

As I mentioned earlier, remove these two commands and check whether VPN client users are authenticated by the ACS server or not.

After successful authentication, ACS will assign an IP address from the pool 'ACSPool'.

If there is a problem in the authentication itself, check the 'aaa-server' configuration commands.

Get back to me if you have any further issues.

--Jaffer

marko.rahne Wed, 06/13/2007 - 05:01

I successfully authenticate, but still do not receive an IP address. I tried the following settings on ACS (user or group properties):

-Assign static IP address

-Assigned by AAA client pool

-Assigned from AAA pool

1) Config of my PIX

vpngroup SiingVPN default-domain mura.si

vpngroup SiingVPN idle-time 1800

vpngroup SiingVPN password ********

aaa-server ACSMURA protocol radius

aaa-server ACSMURA max-failed-attempts 3

aaa-server ACSMURA deadtime 10

aaa-server ACSMURA (outside) host 84.255.228.142 PIXmuratoACS2007 timeout 10

crypto map outside_map client authentication ACSMURA

2) Error on VPN client

2 14:47:38.921 06/13/07 Sev=Warning/2 IKE/0xE3000023

No private IP address was assigned by the peer

3 14:47:38.921 06/13/07 Sev=Warning/2 IKE/0xE300009B

Failed to process ModeCfg Reply (NavigatorTM:175)
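
The client above learns its private address from the PIX in the IKE Mode Config reply; for the PIX to relay an address that ACS chose, the RADIUS Access-Accept has to carry a Framed-IP-Address attribute (attribute 8, RFC 2865). The following is an added example, not code from this thread or from Cisco: it checks a captured Access-Accept against the shared key and reports whether that attribute is present, so the missing address can be placed on the ACS side or on the PIX side. The packet bytes, request authenticator and shared key are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCESS_ACCEPT = 2      # RADIUS packet code (RFC 2865)
FRAMED_IP_ADDRESS = 8  # attribute carrying the address the server assigns to the client

def parse_attributes(data):
    """Walk the attribute region as type/length/value triples."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def response_authenticator_ok(packet, request_authenticator, secret):
    """RFC 2865 s.3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret); a mismatch usually means the keystring differs."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def framed_ip_address(packet):
    """Framed-IP-Address from an Access-Accept, or None when the server sent no address."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("malformed RADIUS packet")
    if packet[0] != ACCESS_ACCEPT:
        return None
    for atype, value in parse_attributes(packet[20:]):
        if atype == FRAMED_IP_ADDRESS and len(value) == 4:
            return str(ipaddress.IPv4Address(value))
    return None

def build_access_accept(ident, request_authenticator, secret, attrs):
    """Well-formed Access-Accept; used here only to construct sample input."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + auth + body

# Constructed sample values (not taken from the thread): request authenticator, key, two replies.
REQ_AUTH = bytes(range(16))
SECRET = b"constructed-shared-key"
WITH_IP = build_access_accept(1, REQ_AUTH, SECRET, [(FRAMED_IP_ADDRESS, bytes([10, 10, 20, 5]))])
NO_IP = build_access_accept(2, REQ_AUTH, SECRET, [(18, b"auth ok")])  # Reply-Message only
```

If a real capture verifies but framed_ip_address returns None, ACS never sent an address and the group/user IP assignment setting is the place to look; if an address is present, the PIX side (vpngroup/pool handling) is not relaying it.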

guzman_barrio Fri, 10/19/2007 - 06:08

Marko, my name is Guzmán from Uruguay. I'm having the same problem as you, and I want to know whether you could solve it. If so, can you tell me how to resolve the problem?
