IP pool allocation based on NASport IP address

Answered Question
Jul 8th, 2010

Hi,

Using ACS 4.2, and I can't find a way to bind an incoming NAS port to a specific IP Pool:

When a user connects, the request to auth comes from 2 possible NAS ports randomly (this cannot change).

Which NAS makes the request determines the IP range required, so I need 2 IP Pools.

There is no way to say 'if request comes from NAS1 give IP from Pool1 and if request comes from NAS2 give IP from Pool2'.

I have gone around and around with NAFs and NARs, but cannot do this.

I can create 2 ACS groups with the specific NAS and specific IP pool within, but then I cannot have a single username bound to both groups.

I moved the auth to an AD group in the hope that I could bind that single AD group to the 2 ACS groups; and so have a single username, but no joy.

Has anybody come across the problem before? Is there simply no way to do it (surely not)?

Correct Answer
Ganesh Hariharan Fri, 07/09/2010 - 00:06

Hi,

Try allocating IP pools under the user tab and pool server; from there you can select the pools from which the user should get the IP address when authenticated.

Hope to help!!

Ganesh.H

robmillet Mon, 07/12/2010 - 19:13

**EDIT - sorry, I hit the wrong button - the above does not fix the problem. Thanks though.**

--

Hi, that is fine for a single IP pool, but if I have 2 available pools depending on which NAS makes the request I cannot bind the pool to the NAS to the group.

I'll try to illustrate the problem better:

NAS_port1 - 10.1.1.1 uses only IP_pool1 - 10.10.10.0

NAS_port2 - 10.2.2.2 uses only IP_pool2 - 10.20.20.0

Single User1

Single Group1 (User1 cannot be in more than one group)

----

User 1 turns on the device and connects to either NAS_port1 or NAS_port2 randomly.

NAS_port1 makes the call to the ACS (on this occasion; it could have been #2).

User 1 is seen within Group1 and permitted.

Group1 has both IP_pools available.

Which IP address does User1 get? Always the first pool until it is exhausted, regardless of NAS port making the request.

If NAS_port2 makes the request but gets an IP from IP_pool1, then User1 will have the wrong IP address and so connectivity will not work.

Ganesh Hariharan Wed, 07/14/2010 - 01:52

Hi Rob,

In multiple pool cases, the pool at the top of the list is the first pool of addresses served to users. You cannot change the order that the pools are used in; it is always top to bottom. However, you can change the order of the pools in the list with the up and down buttons.

Hope to help!!

Ganesh.H

robmillet Wed, 07/14/2010 - 14:47

Hi, yep, that's right, but I need to know if you can assign the IP based on the incoming IP that requests it. Or have it confirmed that there is simply no way to do that - then I can stop looking and try for a plan B.

Thanks for your time.

Ganesh Hariharan Fri, 07/16/2010 - 04:31

Hi,

As far as my experience goes, we have mapped a single IP address in the user setup, i.e. statically bound the IP address whenever the user authenticates via ACS.

Hope to help!!

Ganesh.H

robmillet Sat, 07/17/2010 - 20:48

Ah right, no probs, I'll look for another way to achieve this. You'd have thought it would be a simple feature.

robmillet Mon, 11/08/2010 - 14:00

The way around the dual NAS port issue is to create one group to point to AD and one to use LDAP. In this way you can have the single username in both groups and avoid the top-down authentication problem of having 2 AD groups:

User 1 logs on. Auth request from NAS_port1. Uses Network Access Profile (NAP) 1. References AD for group Radius_group_1. Gets put into Group 1. Receives IP address 1.

User 1 logs on. Auth request from NAS_port2. Uses Network Access Profile (NAP) 2. References LDAP for group Radius_group_2. Gets put into Group 2. Receives IP address 2.

And it works well.

robmillet Tue, 09/06/2011 - 14:44

All references to AD in this thread should be 'internal Windows database'.

So the solution was to point at ACS' internal Windows DB and LDAP (not AD and LDAP).
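A small model of the two allocation behaviours discussed in this thread, added here as an example; it is not part of the original posts and not ACS code. It imitates the group-level multiple-pool behaviour Ganesh describes (pools consumed top to bottom, requesting NAS never consulted) next to the workaround from the last two posts (NAS IP selects a NAP, the NAP's identity store puts the user in one group, that group carries exactly one pool). The NAS and pool addresses are the ones from the thread; the /24 prefix lengths, the session order, and the NAP, store and group names are constructed for the example.

```python
"""Model of per-NAS IP pool selection (added example, not ACS code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Callable, Dict, List, Optional

# NAS and pool addresses from the thread. The /24 prefix length is an
# assumption: the thread only gives the networks 10.10.10.0 and 10.20.20.0.
NAS_PORT1 = ip_address("10.1.1.1")
NAS_PORT2 = ip_address("10.2.2.2")
REQUIRED_POOL: Dict[IPv4Address, IPv4Network] = {
    NAS_PORT1: ip_network("10.10.10.0/24"),  # IP_pool1
    NAS_PORT2: ip_network("10.20.20.0/24"),  # IP_pool2
}


@dataclass
class Pool:
    """A pool that hands out host addresses in ascending order."""
    name: str
    network: IPv4Network
    _free: List[IPv4Address] = field(default_factory=list, repr=False)

    def __post_init__(self) -> None:
        self._free = list(self.network.hosts())

    def allocate(self) -> Optional[IPv4Address]:
        return self._free.pop(0) if self._free else None


def allocate_group_ordered(pools: List[Pool], nas_ip: IPv4Address) -> Optional[IPv4Address]:
    """Group-level multiple-pool behaviour as described in the thread:
    pools are tried top to bottom; the requesting NAS plays no part."""
    for pool in pools:
        addr = pool.allocate()
        if addr is not None:
            return addr
    return None


@dataclass
class NAP:
    """Network Access Profile: a NAS IP maps to an identity store and a
    group, and that group carries a single pool (names are constructed)."""
    name: str
    identity_store: str
    group: str
    pool: Pool


def allocate_by_nap(naps: Dict[IPv4Address, NAP], nas_ip: IPv4Address) -> Optional[IPv4Address]:
    """Workaround from the thread: the NAS IP selects the NAP, and so the
    group and its one pool. A NAS with no matching profile gets nothing."""
    nap = naps.get(nas_ip)
    if nap is None:
        return None
    return nap.pool.allocate()


def address_matches_nas(nas_ip: IPv4Address, addr: Optional[IPv4Address]) -> bool:
    """True when the allocated address lies in the pool that NAS requires."""
    return addr is not None and addr in REQUIRED_POOL[nas_ip]


def count_mismatches(policy: Callable[[IPv4Address], Optional[IPv4Address]],
                     sessions: List[IPv4Address]) -> int:
    """Run a sequence of authentications and count wrong-subnet results."""
    return sum(0 if address_matches_nas(nas, policy(nas)) else 1 for nas in sessions)


# Constructed session order: the same user reaching NAS_port1 and NAS_port2
# in the random order the thread describes.
SESSIONS = [NAS_PORT1, NAS_PORT2, NAS_PORT2, NAS_PORT1]


def demo_group_ordered() -> int:
    """Both pools in one group: NAS_port2 sessions get IP_pool1 addresses."""
    pools = [Pool("IP_pool1", REQUIRED_POOL[NAS_PORT1]),
             Pool("IP_pool2", REQUIRED_POOL[NAS_PORT2])]
    return count_mismatches(lambda nas: allocate_group_ordered(pools, nas), SESSIONS)


def demo_by_nap() -> int:
    """One NAP per NAS, each leading to a group with exactly one pool."""
    naps = {
        NAS_PORT1: NAP("NAP1", "internal Windows DB", "Group1",
                       Pool("IP_pool1", REQUIRED_POOL[NAS_PORT1])),
        NAS_PORT2: NAP("NAP2", "LDAP", "Group2",
                       Pool("IP_pool2", REQUIRED_POOL[NAS_PORT2])),
    }
    return count_mismatches(lambda nas: allocate_by_nap(naps, nas), SESSIONS)


if __name__ == "__main__":
    print("wrong-subnet sessions, group-ordered pools:", demo_group_ordered())  # 2
    print("wrong-subnet sessions, NAP-selected pool:", demo_by_nap())           # 0
```

The first run shows the failure Rob describes: every session that arrives via NAS_port2 is handed a 10.10.10.x address because IP_pool1 is still unexhausted. The second run shows why the NAP split works: once the NAS IP is the thing that picks the group, each group only ever needs one pool, so the top-to-bottom ordering no longer matters. The `None` return for an unrecognised NAS is the check worth keeping in a real deployment: a NAS that matches no profile should be rejected rather than silently dropped into a default pool.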
