07-12-2010 07:19 PM - edited 03-10-2019 05:15 PM
Hi,
Using ACS 4.2, I can't find a way to bind an incoming NAS port to a specific IP pool:
When a user connects, the auth request comes from one of 2 possible NAS ports at random (this cannot change).
Which NAS makes the request determines the IP range required, so I need 2 IP pools.
There is no way to say "if the request comes from NAS1, give an IP from Pool1, and if the request comes from NAS2, give an IP from Pool2".
I have gone around and around with NAFs and NARs, but cannot do this.
I can create 2 ACS groups with the specific NAS and specific IP pool within, but then I cannot have a single username bound to both groups.
I moved the auth to an AD group in the hope that I could bind that single AD group to the 2 ACS groups; and so have a single username, but no joy.
Has anybody come across the problem before? Is there simply no way to do it (surely not)?
---
To illustrate the problem better:
NAS_port1 - 10.1.1.1 uses only IP_pool1 - 10.10.10.0
NAS_port2 - 10.2.2.2 uses only IP_pool2 - 10.20.20.0
Single User1
Single Group1 (User1 cannot be in more than one group)
----
User 1 turns on device and connects to either NAS_port1 or NAS_port2 randomly
NAS_port1 makes the call to the ACS (on this occasion; it could have been #2)
User1 is seen within Group1 and permitted.
Group1 has both IP_pools available.
Which IP address does User1 get? Always the first pool until it is exhausted, regardless of NAS port making the request.
If NAS_port2 makes the request but gets an IP from IP_pool1, then User1 will have the wrong IP address and so connectivity will not work.
07-29-2010 01:42 AM
Hi,
I haven't worked on ACS. But to allocate an address based on NAS port, you can probably try authenticating the user based on NAS port and have the per-user attributes downloaded for the same. Probably you can download Framed-IP-Address if it's only a single user, or even download the pool name using VSAs. Wouldn't that work?
Regards,
Praveen Kumar , M.
11-08-2010 01:58 PM
The way around the dual NAS port issue is to create one group that points to AD and one that uses LDAP. In this way you can have the single username in both groups and avoid the top-down authentication problem of having 2 AD groups:
user 1 logs on. Auth request from NAS_port1. Uses Network Access profile(NAP) 1. References AD for group Radius_group_1. Gets put into Group 1. Receives IP address 1
user 1 logs on. Auth request from NAS_port2. Uses Network Access profile(NAP) 2. References LDAP for group Radius_group_2. Gets put into Group 2. Receives IP address 2.
And it works well.
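The behaviour described in this thread, modelled as an added example (this is not ACS code and not anything the posters wrote): a per-NAS lookup keyed on the RADIUS NAS-IP-Address, which is what Praveen's suggestion of returning Framed-IP-Address or a pool name amounts to, and which is also the effect of the two-NAP workaround above, where a request from NAS_port1 always ends up in Group 1 and a request from NAS_port2 in Group 2. The NAS and pool addresses are the ones from the illustration in the original post; the /24 masks, the attribute names in the reply dictionary and the pool allocator itself are assumptions made for the example. It also keeps the "group holds both pools, first pool wins" behaviour from the original post so the wrong-pool outcome can be checked side by side.

```python
"""Per-NAS address pool selection for a RADIUS authorization decision.

Added example, not ACS code. NAS and pool addresses come from the thread's
illustration; the /24 masks and the allocator are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed data: NAS-IP-Address -> (pool name, network). The /24 is an assumption.
NAS_POOLS = {
    "10.1.1.1": ("IP_pool1", ipaddress.ip_network("10.10.10.0/24")),
    "10.2.2.2": ("IP_pool2", ipaddress.ip_network("10.20.20.0/24")),
}
# Group-level view of the thread's Group1: both pools, in order.
GROUP1_POOLS = [NAS_POOLS["10.1.1.1"], NAS_POOLS["10.2.2.2"]]


class PoolExhausted(Exception):
    pass


@dataclass
class PoolAllocator:
    """Hands out the lowest free host address per pool (no release, for brevity)."""
    leased: dict = field(default_factory=dict)  # pool name -> set of leased addresses

    def allocate(self, pool_name, network):
        used = self.leased.setdefault(pool_name, set())
        for host in network.hosts():
            if host not in used:
                used.add(host)
                return str(host)
        raise PoolExhausted(pool_name)


def _accept(pool_name, network, ip):
    return {
        "Packet": "Access-Accept",
        "Framed-Pool": pool_name,                    # RADIUS attribute 88
        "Framed-IP-Address": ip,                     # RADIUS attribute 8
        "Framed-IP-Netmask": str(network.netmask),   # RADIUS attribute 9
    }


def authorize_group_first_pool(request, allocator):
    """The problem the original post describes: the group holds both pools and
    the first non-empty pool wins, whichever NAS sent the request."""
    for pool_name, network in GROUP1_POOLS:
        try:
            ip = allocator.allocate(pool_name, network)
        except PoolExhausted:
            continue
        return _accept(pool_name, network, ip)
    return {"Packet": "Access-Reject", "Reply-Message": "all pools exhausted"}


def authorize_per_nas(request, allocator):
    """Key the pool on NAS-IP-Address and return an address from that pool only."""
    nas_ip = request.get("NAS-IP-Address")
    if nas_ip not in NAS_POOLS:
        return {"Packet": "Access-Reject", "Reply-Message": "unknown NAS"}
    pool_name, network = NAS_POOLS[nas_ip]
    try:
        ip = allocator.allocate(pool_name, network)
    except PoolExhausted:
        # Fail closed: never fall through to a range the NAS cannot route.
        return {"Packet": "Access-Reject", "Reply-Message": f"{pool_name} exhausted"}
    return _accept(pool_name, network, ip)


def address_fits_nas(reply, nas_ip):
    """The user-visible symptom: is the assigned address in the range this NAS uses?"""
    if reply.get("Packet") != "Access-Accept":
        return False
    _, network = NAS_POOLS[nas_ip]
    return ipaddress.ip_address(reply["Framed-IP-Address"]) in network


if __name__ == "__main__":
    # Constructed request: User1 happens to connect via NAS_port2 this time.
    req = {"User-Name": "User1", "NAS-IP-Address": "10.2.2.2"}
    bad = authorize_group_first_pool(req, PoolAllocator())
    good = authorize_per_nas(req, PoolAllocator())
    print("group-first:", bad["Framed-IP-Address"], address_fits_nas(bad, "10.2.2.2"))
    print("per-NAS:    ", good["Framed-IP-Address"], address_fits_nas(good, "10.2.2.2"))
```

Run stand-alone, the group-first path hands User1 10.10.10.1 even though the request came from 10.2.2.2, and the fit check reports False; the per-NAS path returns 10.20.20.1 and passes. Rejecting on pool exhaustion rather than falling through is deliberate: a client with an address its NAS cannot route is no better off than a rejected one, and is harder to diagnose.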