
Netmask assignment via ACS

6tschraml
Level 1

Is there a way to assign a netmask to a VPN client that connects itself to the network via a VPN concentrator?

The assignment of the IP address is not a problem but we always get an 8-bit address. That's not what we want. I don't see a menu in ACS where the netmask can be determined. RADIUS attribute [9] does not work. We use RADIUS and we have defined the IP addresses in an address pool on the ACS server.

Thanks. Thomas.

9 Replies

scoclayton
Level 7

Thomas,

There is nothing available that I am aware of to assign a netmask value. I believe this is actually a limitation of the concentrator rather than the ACS server. Even if assigning addresses from a pool on the concentrator itself, you do not have the option of assigning the mask (I believe it actually defaults to a 32 bit mask in this case). Most times, the subnet mask is not very important as the concentrator will proxy arp for any devices that are connected to it. Can you elaborate a bit more on why this would be a problem? Are you trying to use an address space within your current network?

Scott

Not applicable

Scott,

I am having a similar problem. We are trying to assign IP addresses from a pool on the concentrator and have a class B range. Within our current network we have VLSM. The client defaults to a 255.255.0.0 subnet mask. I am not sure if this is a problem because I am having some problems in connecting the client properly.

Thanks.

... in fact we don't have problems with reachability. But the fact that the concentrator assigns netmasks and we don't know why and from which resource, makes me nervous.

Thomas

The reason you are assigned a netmask from the concentrator is that it treats it the same as PPP. The default for this is to issue the default mask for the subnet class. For example, 10.0.0.1 will always have the mask 255.0.0.0 and 192.168.0.1 will have the mask 255.255.255.0.

Hope this helps.

timpotter
Level 1

We have the same problem. In our case, we are trying to assign a 10.203 address to the VPN clients. However, ACS is giving out a /8 subnet mask. This is a problem because it will think the entire 10.0.0.0 address space is local - not to mention other routing problems we will have with other subnets in the 10.203 range. I don't understand why you can't just assign a specific mask for these IP Pools. Is there a command line option?
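An added example, not part of any post in this thread: it computes the classful default mask described above and lists which other subnets a VPN client would wrongly treat as local when it receives that mask instead of the intended one. The client address, the intended /24 and the subnet list are constructed sample values.

```python
import ipaddress

def classful_prefix(addr: str) -> int:
    """Default (classful) prefix length for a unicast IPv4 address."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8    # class A, e.g. 10.0.0.1 -> 255.0.0.0
    if first_octet < 192:
        return 16   # class B -> 255.255.0.0
    if first_octet < 224:
        return 24   # class C, e.g. 192.168.0.1 -> 255.255.255.0
    raise ValueError(f"{addr} is class D/E and has no default mask")

def client_view(addr: str, intended_prefix: int, other_subnets):
    """Return (classful network, intended network, subnets wrongly seen as local).

    A subnet is 'wrongly local' when it sits inside the classful network the
    client derives from its address but outside the subnet the administrator
    actually intended for the pool.
    """
    classful = ipaddress.ip_interface(f"{addr}/{classful_prefix(addr)}").network
    intended = ipaddress.ip_interface(f"{addr}/{intended_prefix}").network
    wrongly_local = []
    for s in other_subnets:
        net = ipaddress.ip_network(s)
        if net.subnet_of(classful) and not net.subnet_of(intended):
            wrongly_local.append(s)
    return classful, intended, wrongly_local

if __name__ == "__main__":
    # Constructed sample data: a 10.203 pool address that should be a /24,
    # plus other internal subnets reachable behind the concentrator.
    client_ip = "10.203.1.25"
    internal = ["10.203.2.0/24", "10.10.0.0/16", "172.16.5.0/24"]
    classful, intended, bad = client_view(client_ip, 24, internal)
    print(f"mask received : {classful.netmask} ({classful})")
    print(f"mask intended : {intended.netmask} ({intended})")
    for s in bad:
        print(f"treated as local instead of routed: {s}")
```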

There is not a dynamic way to assign a specific mask. The only way would be to assign static addresses to clients. If you are worried about the routing of a particular subnet then you could use a subnet which by default has the mask you require. The RAS/VPN device can then route/proxy the connection to any network the client needs to connect to.

We have the same trouble, ACS gives me an 8-bit netmask when I want a 24-bit one.

We saw something strange with VPN3000 and RADIUS: when we configure VPN3000 to give the client a class C IP, in the VPN client's log, there is the attribute INTERNAL_IPV4_NETMASK with value 255.255.255.0 that is transmitted to the client. If we use a class A (or B) IP, this attribute is not sent...

Does someone have an idea about that? And why not a solution to our netmask trouble?

Thank you

We solved this problem. You have to upgrade ACS to version 3.3, this allows ACS to send the Framed-IP-Netmask attribute to VPN 3000. So you can configure your netmask as you want.

Sorry for the mistake, it is the VPN3000 software that you have to upgrade to version 4.1.5

ACS doesn't need to be upgraded (for this trouble)