Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4164
Views
0
Helpful
4
Replies

Cisco-assign-ip-pool RADIUS VSA is an integer?

Alex Kitaichik
Level 1
Level 1

‎02-19-2013 04:47 AM - edited ‎03-10-2019 08:06 PM

Hi all,

I'm trying to configure IP pool selection by RADIUS on ACS 5-3-0-40-7.

So, I went to configuring the cisco-assign-ip-pool (Cisco VSA 218) attribute within some test authorization profile but discovered that cisco-assign-ip-pool is an integer (?!) and (therefore) accepts digits only.

As far as I can remember, we used to put pool *names* within ip:addr-pool (something along those lines: cisco-avpair = "ip:addr-pool=test-pool-1").

So how should we configure the values for this attribute in ACS 5?

Labels:
0 Helpful
4 Replies 4

Jatin Katyal
Cisco Employee
Cisco Employee

‎02-19-2013 05:15 AM

If your NAS is "RADIUS (Cisco IOS/PIX)" it will use a Cisco-AVPair attribute with "ip:addr-pool=poolname" inside it.

If your NAS is just about any other RADIUS type, it will use attribute 88, Framed-Pool.

Use the dictionary Radius-Cisco and then select cisco av-pair in the radius authorization profile.

After that configure:

ip:addr-pool=poolname

The pool should be defined on the device itself like ASA. The ACS will only push the name of it.

Jatin Katyal
- Do rate helpful posts -

~Jatin
0 Helpful

Alex Kitaichik
Level 1
Level 1
In response to Jatin Katyal

‎02-19-2013 05:24 AM

Hi jkatyal,

Thank you for your reply. The problem with ACS 5-3-0-40-7 is that VSA 218 (e.g. ip:addr-pool) is pre-configured to be integer. Hence, i can't put there "ip:addr-pool=poolname" or anything similar for that matter. ACS (based on the pre-configured type, I guess), accepts digits only.

That's the question. How can it be an integer.

Thank you.

0 Helpful

jrabinow
Level 7
Level 7

‎02-19-2013 05:15 AM

I have checked and you can change the type of this attribute

However, you first need to make sure it is not in use in any authorization profile

To change the type go to:

System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA > Cisco

and can then edit the type of the attribute with id of 218

I am not familiar with the specifics of this attribute and whether should change the default definitions here and so wil be interesting to see how things progress

0 Helpful

Alex Kitaichik
Level 1
Level 1
In response to jrabinow

‎02-19-2013 05:30 AM

Hi jrabinow,

I suspected an error within the directory but i'd like it to be fixed for everybody (in case the VSA IS pre-configured wrong) and I prefer not to change such values based on my understanding of the RFC

Additionally, I'm having a hard time finding a documentation on the syntax I should use - should I put there the pool name, ip:addr-pool=poolname, some other syntax.

Thank you.

0 Helpful
Customers Also Viewed These Support Documents