
Specify local pool from IAS radius for Pix RA vpn?

d_jabsd
Level 1

Is it possible for MS IAS radius to assign the local ip pool to use for vpn users in Pix 7.0(1)?

I would like to assign different subnets to each class of vpn user without using separate tunnel-groups and pre-shared-keys.

I've tried a few different avpair combinations, but debug always gives me:

May 31 17:51:02 [IKEv1 DEBUG]: Group = VPN1, Username = testuser, IP = xxx.xxx.xxx.xxx, IKE received response of type [VALID (but no address supplied)] to a request from the IP address utility

May 31 17:51:02 [IKEv1]: Group = VPN1, Username = testuser, IP = xxx.xxx.xxx.xxx, Cannot obtain an IP address for remote peer

Does anyone know the correct avpair for this, or if it is even possible?

1 Reply

ikoudela
Level 1

I also tried to pass some parameters using IAS and other radius servers. I tried to pass:

ipsec:save-password=1

Only: Framed-IP-Address=x.x.x.x attribute was successfully processed and enforced.

It seems that Cisco changed avpairs a bit...

Some issues with radius are reported as bugs to TAC and Cisco suggested contacting TAC to solve these problems....

Logs don't tell much about why this isn't working:

....

Radius: Type = 26 (0x1A) Vendor-Specific

Radius: Length = 29 (0x1D)

Radius: Vendor ID = 9 (0x00000009)

Radius: Type = 1 (0x01) Cisco-AV-pair

Radius: Length = 23 (0x17)

Radius: Value (String) =

69 70 73 65 63 3a 73 61 76 65 2d 70 61 73 73 77 | ipsec:save-passw

6f 72 64 3d 31 | ord=1

rad_procpkt: ACCEPT

RADIUS_ACCESS_ACCEPT: normal termination
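
The attribute bytes in the debug dump above can be decoded offline to confirm what the RADIUS server actually put on the wire. This is an added example, not part of the thread and not Cisco code: a small parser for RADIUS attribute TLVs, run on the Vendor-Specific attribute rebuilt from the dump plus a constructed Framed-IP-Address; the function names and the sample address are assumptions.

```python
import ipaddress
import struct

VENDOR_SPECIFIC, FRAMED_IP_ADDRESS = 26, 8   # RFC 2865 attribute types
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1        # vendor ID and sub-type shown in the dump

def walk_tlvs(data):
    """Yield (type, value) per TLV; the length byte counts its own 2-byte header."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = data[pos], data[pos + 1]
        if tlv_len < 2 or pos + tlv_len > len(data):
            raise ValueError(f"bad length {tlv_len} for type {tlv_type}")
        yield tlv_type, data[pos + 2:pos + tlv_len]
        pos += tlv_len

def parse_attributes(data):
    """Decode the attribute section of an Access-Accept into (name, value) pairs."""
    out = []
    for atype, body in walk_tlvs(data):
        if atype == FRAMED_IP_ADDRESS and len(body) == 4:
            out.append(("Framed-IP-Address", str(ipaddress.IPv4Address(body))))
        elif atype == VENDOR_SPECIFIC and len(body) >= 4:
            (vendor,) = struct.unpack("!I", body[:4])
            for stype, value in walk_tlvs(body[4:]):
                if vendor == CISCO_VENDOR_ID and stype == CISCO_AV_PAIR:
                    key, _, val = value.decode("ascii").partition("=")
                    out.append(("Cisco-AV-pair", (key, val)))
                else:
                    out.append((f"vendor-{vendor}/{stype}", value.hex()))
        else:
            out.append((f"type-{atype}", body.hex()))
    return out

# Constructed sample: the Vendor-Specific attribute rebuilt from the debug dump
# above, followed by a made-up Framed-IP-Address (192.0.2.10, documentation range).
SAMPLE = (bytes([26, 29]) + struct.pack("!I", 9) + bytes([1, 23])
          + b"ipsec:save-password=1"
          + bytes([8, 6]) + ipaddress.IPv4Address("192.0.2.10").packed)

if __name__ == "__main__":
    for name, value in parse_attributes(SAMPLE):
        print(name, value)
```

The lengths in the dump are self-consistent (23 = 2 + 21 value bytes, 29 = 2 + 4 + 23), so the av-pair is well-formed on the wire; the parser raises `ValueError` when a length byte overruns the data.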