We have 2 NASs, in two cities. Currently the IP pool is configured on the NASs for Group-async1.
We want to be able to apply access-lists per user group. We are planning to create various IP pools on the ACS, assign them to the relevant user groups, and then remove the IP pool from the NAS.
This would work if the remote users did not travel between the cities; however, they need to travel, and hence sometimes the assigned IP address for a particular remote user could be in one city and other times in the other city. We also have another user group (3rd_party) that does not need to travel and always comes in through one of the NASs.
Is there a way to solve this problem and achieve our aim? I thought we could define the various IP pools on the NASs and then reference them in the user-group settings on the ACS. This would work for the various "3rd_party" groups but would not for the remote users who travel between the cities. I came across this command:
aaa configuration config-username <name>
I think this command will solve my problem, i.e. for the various remote users that do not travel between sites I can create a number of user groups and assign various IP pools to them in the ACS configuration. Then for users that do travel between sites (the majority), I would again create the relevant user groups on the ACS but this time would not assign any IP pools to them. Then, with the help of the aaa configuration config-username <name> command on the NAS and its counterpart on the ACS, they will get assigned the relevant IP addresses.
What do you think?