Cisco ACS allocate an address from two pools

Unanswered Question
Jan 29th, 2008

I have a Cisco ACS Server version 3.3

I have devices connecting to a remote cell network that routes through to the local corporate network. At the remote end they either connect to network 192.168.12.0 or network 192.168.13.0, this is dynamic and cannot be fixed. They then route through a single router to a local router via a single point to point line. The local router then connects to a firewall.

The devices (or rather users) are authenticated at connection time using a local ACS Server (the corporate side of the firewall).

The problem I have is that if I create two pools, e.g. Net12 for 192.168.12.0 addresses and Net13 for 192.168.12.0, and apply these two pools to the group that all these remote users are defined under in ACS, they only ever get addresses from the first pool, i.e. Net12, 192.168.12.0.

The consequence is that when they connect via network 192.168.13.0 they are given addresses in network 192.168.12.0, as this is the first defined pool. Obviously they cannot communicate, as they now have the wrong addresses for the network they are on.

How can I get them assigned addresses in Net12 if they come from that network or Net13 if they come from that network? The ACS Server doesn't seem to follow the normal rules of supplying addresses based on where the source request is coming from.

Any help on this would be much appreciated.

Paul Kyte

dongdongliu Tue, 01/29/2008 - 22:44

192.168.12.0 255.255.254.0 includes 192.168.12.0 255.255.255.0 and 192.168.13.0 255.255.255.0.

Do you think so?

paul.l.kyte Wed, 01/30/2008 - 02:50

No, this will not work; it will still issue addresses from the start of the pool, hence a Net13 (192.168.13.0) user will get a Net12 (192.168.12.0) address, resulting in no comms.

Does anybody know how I can resolve the problem?

Thanks,

Paul

dongdongliu Wed, 01/30/2008 - 19:03

Sorry Paul, I mean:

Why can pools Net12 and Net13 not be merged into one pool, Net12_13, with a 23-bit mask?

paul.l.kyte Thu, 01/31/2008 - 08:33

No, it cannot be a single pool containing all addresses.

What is required is for the ACS Server to supply a Net12 address if the user is on Network 12, i.e. the NAS or AAA Client sending the authentication has a network 12 address, or for the ACS to supply a Net13 address if the user is on Network 13, i.e. the NAS or AAA Client sending the authentication has a network 13 address.

The ACS isn't doing this; it is supplying the first available address from the defined pools regardless of the network the client is on.

How do I make the ACS supply an address appropriate to where the client is?

Before anyone advises it, I can't use DHCP to issue the addresses, as the clients are on a third-party network that will not allow this. What I need is for the ACS to be intelligent and supply an address based on the client's source network.

Thanks,

Paul
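A small simulation of the two allocation behaviours this thread contrasts, added here as an example and not Cisco ACS code or anything from the original posts: `allocate_first_pool` models the order-based behaviour Paul describes, `allocate_by_nas` models the source-aware selection he asks for (keyed on the NAS-IP-Address of the AAA client that sent the request), and `address_matches_nas` is a check that flags an assigned address that does not sit on the NAS's network. The class, function and pool names are assumptions; the pools are constructed to match the thread.

```python
import ipaddress

# Constructed pools matching the thread: one /24 per remote network,
# attached to the group in this order (Net12 first).
POOLS = {"Net12": "192.168.12.0/24", "Net13": "192.168.13.0/24"}


class PoolAllocator:
    """Hands out Framed-IP-Address values from named pools and tracks leases."""

    def __init__(self, pools):
        # dict insertion order is the pool order, as in the thread
        self.pools = {n: ipaddress.ip_network(p) for n, p in pools.items()}
        self.leases = {n: set() for n in pools}

    def _next_free(self, name):
        for host in self.pools[name].hosts():
            if host not in self.leases[name]:
                self.leases[name].add(host)
                return host
        return None  # pool exhausted

    def allocate_first_pool(self, nas_ip):
        """Behaviour Paul reports: walk the pools in attachment order and
        ignore which network the request came from (nas_ip is unused)."""
        for name in self.pools:
            host = self._next_free(name)
            if host is not None:
                return name, host
        return None, None

    def allocate_by_nas(self, nas_ip):
        """Desired behaviour: choose the pool whose network contains the
        NAS-IP-Address (RADIUS attribute 4) of the AAA client."""
        nas = ipaddress.ip_address(nas_ip)
        for name, net in self.pools.items():
            if nas in net:
                return name, self._next_free(name)
        return None, None  # no pool covers this NAS: reject rather than guess


def address_matches_nas(addr, nas_ip, prefixlen=24):
    """Check to run over accounting records: is the assigned address on the
    same network (here a /24, as in the thread) as the NAS that authenticated?"""
    nas_net = ipaddress.ip_network(f"{nas_ip}/{prefixlen}", strict=False)
    return ipaddress.ip_address(str(addr)) in nas_net
```

Running the merged /23 pool suggested in the thread through `allocate_by_nas` shows why it does not help: the first free host is still 192.168.12.1, which fails the `address_matches_nas` check for a NAS on 192.168.13.0.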
