Pix 515: address pool assigned by radius

I've a Pix515 ver 7.05 with a vpn client access.

I would like to assign the address pool by a radius server. I've tried to configure on my radius profile the following attribute

cisco-avpair="ip:addr-pool=miopool"

and on pix I've configured

ip local pool miopool 192.168.10.1 - 192.168.10.20

But this configuration doesn't work

The radius sends the attribute to pix but the pix ignores it and assigns to user the pool configured on the tunnel-group's definition.

What have I forgotten?

Can you help me?

Thanks in advance

10 REPLIES

Re: Pix 515: address pool assigned by radius

Re: Pix 515: address pool assigned by radius

Thanks for your suggestion, but

the command vpn-addr-assign aaa is the default

The pix seems to ignore the attribute because it interprets it as an ACL

The error is the following

User: 'pix', Unsupported downloaded ACL Entry: 'ip:addr-pool=mio-pool', Action: 'Ignoring'

It seems a syntax error.

Re: Pix 515: address pool assigned by radius

Have you tried this instead (IPSEC instead of IP)?

cisco-avpair="ipsec:addr-pool=miopool"

Have a look at this:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftunity.html#wp1045279

Regards

Farrukh

Re: Pix 515: address pool assigned by radius

I've tried to modify the radius attribute from IP to Ipsec but in this case the pix doesn't show any error message, it ignores the attribute.

Thanks

B.

Re: Pix 515: address pool assigned by radius

Is it possible to post debugs here?

Regards

Farrukh

Re: Pix 515: address pool assigned by radius

These files contain the configuration and the debugs.

In the debug file there is the following data

- debug radius

- debug aaa authentication

- debug aaa authorization.

thanks b.

Re: Pix 515: address pool assigned by radius

....... I've tried to upgrade the pix's release from 7.0(7) to 7.2(4) but the behaviour is the same. It doesn't work ;)

Re: Pix 515: address pool assigned by radius

the last update..... I've inserted in the radius on user's profile the "class" attribute with the name of group-policy.

In this way each user has a different group-policy with address-pool and split-acl.

This is the only solution that seems to work fine with the pix.

Thank you for all your replies and suggestions

Barbara

Re: Pix 515: address pool assigned by radius

Did you put the "vpn-addr-assign aaa" command?

Regards

Farrukh

Re: Pix 515: address pool assigned by radius

Yes, I put the command; "vpn-addr-assign aaa" is the default configuration and the pix doesn't insert it in the running-config.

Thanks for all

Barbara
