Showing results for 
Search instead for 
Did you mean: 

Cisco ASA L2TP VPN address pool assignable via RADIUS?


I'm authenticating L2TPoIPSec VPN users using RADIUS without problems.

Rather than using the tunnel-group "address-pool" general-attribute to specify the pool, I would rather have the local pool name pushed by RADIUS.

So far, I haven't had any luck. The ASA assigns using the address-pool statement in the tunnel-group general-attributes. I also tried removing the address-pool statement (in case RADIUS attribute couldn't override), but then the client fails to connect.

Framed-Address works for forcing the IP address and overriding the local pool, but so far I haven't had any luck setting the local pool via RADIUS attributes.

I have tried using Cisco-AVPair "ip:addr-pool=x" with no success.

I've tried just about all other attributes in my dictionary files that mention "pool" as well.

1 Reply 1

You want to use the RADIUS attribute "Framed-Address" and "Framed-Netmask"

I'm researching the latest VPNC3K firmware changed the behavior on usage:

If your F-A was in use, previous it would fall back to an address from the pool, now it just craps itself >:}


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers