07-16-2008 02:12 AM - edited 02-21-2020 02:55 AM
I have a PIX 515 ver 7.05 with VPN client access.
I would like to assign the address pool via a RADIUS server. I've tried to configure the following attribute on my RADIUS profile:
cisco-avpair="ip:addr-pool=miopool"
and on the PIX I've configured
ip local pool miopool 192.168.10.1-192.168.10.20
But this configuration doesn't work.
The RADIUS server sends the attribute to the PIX, but the PIX ignores it and assigns the user the pool configured in the tunnel-group's definition.
What have I forgotten?
Can you help me?
Thanks in advance
07-16-2008 03:40 AM
07-16-2008 08:09 AM
Thanks for your suggestion, but
the command vpn-addr-assign aaa is the default.
The PIX seems to ignore the attribute because it interprets it as an ACL.
The error is the following:
User: 'pix', Unsupported downloaded ACL Entry: 'ip:addr-pool=mio-pool', Action: 'Ignoring'
It seems to be a syntax error.
07-16-2008 08:42 AM
Have you tried this instead (IPSEC instead of IP)?
cisco-avpair="ipsec:addr-pool=miopool"
Have a look at this:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftunity.html#wp1045279
Regards
Farrukh
07-17-2008 12:37 AM
I've tried to modify the RADIUS attribute from IP to IPsec, but in this case the PIX doesn't show any error message; it ignores the attribute.
Thanks
B.
07-17-2008 01:31 AM
Is it possible to post debugs here?
Regards
Farrukh
07-17-2008 05:27 AM
07-17-2008 05:35 AM
....... I've tried to upgrade the PIX's release from 7.0(7) to 7.2(4) but the behaviour is the same. It doesn't work ;)
07-23-2008 01:14 AM
The last update..... I've inserted the "class" attribute with the name of the group-policy in the user's profile on the RADIUS server.
In this way each user has a different group-policy with its own address pool and split ACL.
This is the only solution that seems to work fine with the PIX.
Thank you for all your replies and suggestions
Barbara
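The approach reported in the 07-23-2008 post above, sketched as an added example (not configuration posted in the thread): the RADIUS Class attribute names a group-policy, and that policy carries the address pool and split-tunnel ACL. The names vpn-sales, SPLIT_SALES, NOACCESS, vpnclients and vpnuser1, the 10.1.0.0/16 network, the FreeRADIUS users-file syntax and the deny-by-default fallback policy are assumptions; it also assumes a release that accepts address-pools under group-policy attributes (the poster reports running 7.2(4)).

```cisco
! Added example; every name except miopool is hypothetical.
!
! RADIUS side, shown as comments (FreeRADIUS "users" file syntax assumed).
! The Class reply attribute carries the group-policy name in OU=<name>; form:
!   vpnuser1  Cleartext-Password := "<placeholder>"
!             Class = "OU=vpn-sales;"
!
! Pool from the original question
ip local pool miopool 192.168.10.1-192.168.10.20
!
! Networks reachable through the tunnel for this group (constructed value)
access-list SPLIT_SALES standard permit 10.1.0.0 255.255.0.0
!
! Policy selected when RADIUS returns Class = "OU=vpn-sales;"
group-policy vpn-sales internal
group-policy vpn-sales attributes
 address-pools value miopool
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_SALES
!
! Fallback for users whose RADIUS profile returns no Class attribute:
! zero simultaneous logins means the session is refused rather than
! silently inheriting the tunnel-group's pool and ACLs.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
tunnel-group vpnclients general-attributes
 default-group-policy NOACCESS
```

With this layout a profile that is missing the Class attribute fails closed instead of receiving the tunnel-group defaults.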
07-16-2008 05:24 AM
Did you put the "vpn-addr-assign aaa" command?
Regards
Farrukh
07-16-2008 11:40 PM
Yes, I put the command; "vpn-addr-assign aaa" is the default configuration and the PIX doesn't insert it in the running-config.
Thanks for all
Barbara
 
					
				
				
			
		