New Member

IP pool allocation based on NASport IP address

Hi,

Using ACS 4.2 and I can't find a way to bind an incoming NAS port to a specific IP Pool:

When a user connects the request to auth comes from 2 possible NAS ports randomly (this cannot change).

Depending on which NAS makes the requests determines the IP range required, so I need 2 IP Pools.

There is no way to say 'if request comes from NAS1 give IP from Pool1 and if request comes from NAS2 give IP from Pool2'

I have gone around and around with NAFs and NARs, but cannot do this.

I can create 2 ACS groups with the specific NAS and specific IP pool within, but then I cannot have a single username bound to both groups.

I moved the auth to an AD group in the hope that I could bind that single AD group to the 2 ACS groups; and so have a single username, but no joy.

Has anybody come across the problem before? Is there simply no way to do it (surely not)?

Accepted Solutions

Re: IP pool allocation based on NASport IP address

Hi,

Try allocating IP pools under the user tab and pool server; from there you can select the pools from which the user should get the IP address while authenticated.

Hope to help !!

Ganesh.H

8 REPLIES

New Member

Re: IP pool allocation based on NASport IP address

**EDIT - sry I hit the wrong button - the above does not fix the problem. thanks though.**

--

Hi, that is fine for a single IP pool, but if I have 2 available pools depending on which NAS makes the request I cannot bind the pool to the NAS to the group.

I'll try to illustrate the problem better:

NAS_port1 - 10.1.1.1 uses only IP_pool1 - 10.10.10.0

NAS_port2 - 10.2.2.2 uses only IP_pool2 - 10.20.20.0

Single User1

Single Group1 (User1 cannot be in more than one group)

----

User 1 turns on device and connects to either NAS_port1 or NAS_port2 randomly

NAS_port1 makes the call to the ACS (on this occasion, it could have been #2)

User 1 is seen within Group1 and permitted.

Group1 has both IP_pools available.

Which IP address does User1 get? Always the first pool until it is exhausted, regardless of NAS port making the request.

If NAS_port2 makes request but gets IP from IP_pool1 then the User1 will have the wrong IP address and so connectivity will not work.

Re: IP pool allocation based on NASport IP address

Hi Rob,

In multiple-pool cases the pool at the top of the list would be the first pool of addresses served to users. You cannot change the order that the pools are used in; it is always top to bottom. However, you can change the order of the pools in the list with the up and down buttons.

Hope to Help !!

Ganesh.H

New Member

Re: IP pool allocation based on NASport IP address

Hi, yep that's right, but I need to know if you can assign the IP based on the incoming IP that requests it. Or have it confirmed that there is simply no way to do that - then I can stop looking and try for a plan B.

Thanks for your time.

Re: IP pool allocation based on NASport IP address

Hi,

As far as my experience goes, we have mapped a single IP address in user setup, i.e. statically bound the IP address whenever the user authenticates via ACS.

Hope to Help !!

Ganesh.H

New Member

Re: IP pool allocation based on NASport IP address

ah right, no probs, I'll look for another way to achieve this. You'd have thought it would be a simple feature.

New Member

Re: IP pool allocation based on NASport IP address

The way around the dual NAS port issue is to create one group to point to AD and one to use LDAP. In this way you can have the single username in both groups and avoid the top-down authentication problem of having 2 AD groups:

User 1 logs on. Auth request from NAS_port1. Uses Network Access Profile (NAP) 1. References AD for group Radius_group_1. Gets put into Group 1. Receives IP address 1.

User 1 logs on. Auth request from NAS_port2. Uses Network Access Profile (NAP) 2. References LDAP for group Radius_group_2. Gets put into Group 2. Receives IP address 2.

And it works well.

New Member

Re: IP pool allocation based on NASport IP address

All reference to AD in this thread should be 'internal windows database'

So the solution was to point at ACS' internal Windows DB and LDAP (not AD and LDAP)
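
The behaviour discussed in this thread, as an added example that is not part of any poster's reply and is not Cisco ACS code: a small Python model of the two allocation policies (one group holding both pools, served top-down, versus one profile and group per NAS) plus a check that flags sessions whose assigned address lies outside the pool bound to the requesting NAS. The /24 prefix lengths, all function names and the sample requests are assumptions constructed for illustration.

```python
import ipaddress

# Addresses are from the thread; the /24 prefix lengths are an assumption.
POOLS = {
    "IP_pool1": ipaddress.ip_network("10.10.10.0/24"),
    "IP_pool2": ipaddress.ip_network("10.20.20.0/24"),
}
# Requesting NAS address -> the only pool that NAS may hand out.
NAS_POOL = {"10.1.1.1": "IP_pool1", "10.2.2.2": "IP_pool2"}

class Allocator:
    """Tracks free host addresses per pool, in list order."""

    def __init__(self, pools):
        self.free = {name: list(net.hosts()) for name, net in pools.items()}

    def top_down(self, nas_ip):
        """One group with both pools: first non-empty pool wins, NAS ignored."""
        for addrs in self.free.values():
            if addrs:
                return addrs.pop(0)
        raise RuntimeError("all pools exhausted")

    def per_nas(self, nas_ip):
        """One profile/group per NAS: the requesting NAS selects the pool."""
        addrs = self.free[NAS_POOL[nas_ip]]
        if not addrs:
            raise RuntimeError("pool for NAS %s exhausted" % nas_ip)
        return addrs.pop(0)

def simulate(policy, requests):
    """Run (user, nas_ip) requests through one policy; return session records."""
    assign = getattr(Allocator(POOLS), policy)
    return [{"user": u, "nas_ip": nas, "framed_ip": str(assign(nas))}
            for u, nas in requests]

def misassigned(sessions):
    """Sessions from an unknown NAS or with an address outside that NAS's pool."""
    bad = []
    for s in sessions:
        pool = NAS_POOL.get(s["nas_ip"])
        if pool is None or ipaddress.ip_address(s["framed_ip"]) not in POOLS[pool]:
            bad.append(s)
    return bad

# Constructed sample: User1 arrives via either NAS.
REQUESTS = [("User1", "10.1.1.1"), ("User1", "10.2.2.2"), ("User1", "10.2.2.2")]

if __name__ == "__main__":
    for policy in ("top_down", "per_nas"):
        print(policy, len(misassigned(simulate(policy, REQUESTS))), "misassigned")
```

The same `misassigned` check can be pointed at exported session records (requesting NAS address and assigned address per session) to confirm that a per-NAS configuration is behaving as intended.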
