ACS5 - Replacement for IP Pools

Paul Masterton · ‎01-27-2013

All,

I know ACS 5 lacks the IP Pools of earlier ACS versions. I'm looking at a 4 to 5 migration and was thinking of just configuring the IP Pools on the router ("ip pool local" etc) and sending back a RADIUS Cisco Attribute pair with the name of the pool. (Seemed like a neat fix, needs no extra kit, etc.)

I could have sworn that attribute pair existed... but I can't find it in ACS5! What's it's name?! Where is it!? Or have I gone mad!? (And, if I have gone mad, how would you go about fixing it?)

Cheers!

Karsten Iwen · ‎01-27-2013

For the ASA it's the Attribute 217 "Address-Pools":

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp1802187

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Amjad Abdullah · ‎01-27-2013

Hi Paul,

There are two attributs regarding the pools:

217 cisco-ip-pool-definition

218 cisco-assign-ip-pool

Those are configurable in ACS 5.x from ACS GUI:

Policy Elements -> Authorization and Permissions -> Network Access -> Authorization Profiles.

You create the authorization profile then from the "Radius Attributes" tab you choose the directory type = "RADIUS-Cisco".

Then if you press on the "select" button beside "RADIUS Attribute" field it will list you all the cisco attributes where 217 and 218 are included.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

codewize · ‎12-12-2013

So then how do we define the pools? There's a lot of discussion regarding this topic. I'm not exactlly sure why Ciso thought it was a good idea to remove this feature but I know there's a workaround.

The workaround I saw was to use pre defined pools from another device such as a router. That's fine but whats the ACS config to do that?

Someone has to know the answer to this.