Pix 515: address pool assigned by radius

Jul 16th, 2008

I have a PIX 515 ver 7.05 with VPN client access.

I would like to assign the address pool via a RADIUS server. I've tried to configure the following attribute in my RADIUS profile:

cisco-avpair="ip:addr-pool=miopool"

and on the PIX I've configured

ip local pool miopool 192.168.10.1-192.168.10.20

But this configuration doesn't work.

The RADIUS server sends the attribute to the PIX, but the PIX ignores it and assigns the user the pool configured in the tunnel-group's definition.

What have I forgotten?

Can you help me?

Thanks in advance

barbara.costant... Wed, 07/16/2008 - 08:09

Thanks for your suggestion, but the command vpn-addr-assign aaa is the default.

The PIX seems to ignore the attribute because it interprets it as an ACL.


The error is the following:

User: 'pix', Unsupported downloaded ACL Entry: 'ip:addr-pool=mio-pool', Action: 'Ignoring'

It seems to be a syntax error.



barbara.costant... Thu, 07/17/2008 - 00:37

I've tried to modify the RADIUS attribute from IP to IPsec, but in this case the PIX doesn't show any error message; it ignores the attribute.

Thanks

B.

Farrukh Haroon Thu, 07/17/2008 - 01:31

Is it possible to post debugs here?


Regards


Farrukh

barbara.costant... Thu, 07/17/2008 - 05:27

These files contain the configuration and the debugs.

The debug file contains the following data:

- debug radius

- debug aaa authentication

- debug aaa authorization.

Thanks, B.

barbara.costant... Thu, 07/17/2008 - 05:35

....... I've tried to upgrade the pix's release from 7.0(7) to 7.2(4) but the behaviour is the same. It doesn't work ;)



barbara.costant... Wed, 07/23/2008 - 01:14

The last update: in the RADIUS user's profile I've inserted the "class" attribute with the name of the group-policy.

In this way each user has a different group-policy with address-pool and split-acl.

This is the only solution that seems to work fine with the pix.

Thank you for all your replies and suggestions

Barbara
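
The workaround described in the post above, sketched as an added example that is not part of the original thread or its attachments. The group-policy name GP_USER1, the ACL name split_acl, the 10.1.1.0/24 network and the "OU=...;" form of the Class value are assumptions for illustration; the pool is the one from the question.

```text
! RADIUS side (exact syntax depends on the RADIUS server in use):
!   reply for user "pix":  Class (IETF attribute 25) = "OU=GP_USER1;"
!
! PIX side, 7.2(x): the pool and split-tunnel ACL are attached to a
! locally defined group-policy, and RADIUS only selects the policy by name.
ip local pool miopool 192.168.10.1-192.168.10.20
access-list split_acl standard permit 10.1.1.0 255.255.255.0
!
group-policy GP_USER1 internal
group-policy GP_USER1 attributes
 address-pools value miopool
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_acl
!
! After the client connects, the assigned IP should fall inside miopool:
show vpn-sessiondb remote
```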

Farrukh Haroon Wed, 07/16/2008 - 05:24

Did you put the "vpn-addr-assign aaa" command?


Regards


Farrukh

barbara.costant... Wed, 07/16/2008 - 23:40
Yes, I put the command; "vpn-addr-assign aaa" is the default configuration and the PIX doesn't insert it in the running-config.

Thanks for all

Barbara
