Pix 515: address pool assigned by radius

I have a PIX 515 ver 7.05 with VPN client access.

I would like to assign the address pool from a RADIUS server. I've tried configuring the following attribute in my RADIUS profile:

cisco-avpair="ip:addr-pool=miopool"

and on the PIX I've configured

ip local pool miopool 192.168.10.1-192.168.10.20

But this configuration doesn't work.

The RADIUS server sends the attribute to the PIX, but the PIX ignores it and assigns the user the pool configured in the tunnel-group definition.

What have I forgotten?

Can you help me?

Thanks in advance

10 Replies

Thanks for your suggestion, but

the command vpn-addr-assign aaa is the default.

The PIX seems to ignore the attribute because it interprets it as an ACL.

The error is the following:

User: 'pix', Unsupported downloaded ACL Entry: 'ip:addr-pool=mio-pool', Action: 'Ignoring'

It seems to be a syntax error.

Have you tried this instead (IPSEC instead of IP)?

cisco-avpair="ipsec:addr-pool=miopool"

Have a look at this:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftunity.html#wp1045279

Regards

Farrukh

I've tried changing the RADIUS attribute from IP to IPsec, but in this case the PIX doesn't show any error message; it simply ignores the attribute.

Thanks

B.

Is it possible to post debugs here?

Regards

Farrukh

These files contain the configuration and the debugs.

The debug file contains the output of the following:

- debug radius

- debug aaa authentication

- debug aaa authorization

Thanks, B.

....... I've tried upgrading the PIX release from 7.0(7) to 7.2(4), but the behaviour is the same. It doesn't work ;)

The last update..... I've added the "class" attribute, containing the name of the group-policy, to the user's profile on the RADIUS server.

In this way each user has a different group-policy with its own address-pool and split-acl.

This is the only solution that seems to work fine with the PIX.

Thank you for all your replies and suggestions

Barbara
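To make the difference between the two attributes in this thread visible on the wire, here is an added example (not part of the original thread or of any Cisco code) that builds a RADIUS Access-Accept carrying both the IETF Class attribute (type 25) and a Cisco cisco-avpair VSA (type 26, vendor 9, vendor-type 1), parses it back, and picks the group-policy name out of Class the way the PIX does in Barbara's working setup. The "OU=<group-policy>;" value format for Class is taken from Cisco's ASA/PIX RADIUS attribute documentation as I remember it and is not stated in the thread, so treat it as an assumption to verify against your platform's attribute table; the shared secret, Request Authenticator, identifier and group-policy name are constructed dummy values.

```python
"""Encode/decode a RADIUS Access-Accept with the attributes from the thread.

Constructed example. Shows why the two attributes are not interchangeable:
  * Class (IETF type 25) with "OU=<group-policy>;" -> PIX/ASA maps the user
    to a locally defined group-policy (the solution that worked here).
  * cisco-avpair VSA (type 26 / vendor 9 / vendor-type 1) with
    "ip:addr-pool=miopool" -> the IOS-style pool attribute the PIX logged
    as an unsupported downloaded ACL entry and ignored.
"""
import hashlib
import struct

ACCESS_ACCEPT = 2
ATTR_CLASS = 25
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9
CISCO_AVPAIR = 1          # vendor-type 1 in Cisco's dictionary


def attr(attr_type, value):
    """Generic RFC 2865 TLV: Type(1) Length(1, includes the 2 header bytes) Value."""
    assert len(value) <= 253, "attribute value too long for one TLV"
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific (26): Vendor-Id(4) then Vendor-Type(1) Vendor-Length(1) String."""
    payload = text.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR, len(payload) + 2) + payload
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + inner)


def class_group_policy(name):
    """IETF Class carrying the group-policy name (assumed OU=<name>; format)."""
    return attr(ATTR_CLASS, f"OU={name};".encode())


def access_accept(identifier, request_authenticator, secret, attributes):
    """Access-Accept: Code(1) Identifier(1) Length(2) ResponseAuth(16) Attributes."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    # RFC 2865 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_authenticator, secret):
    """Recompute the Response Authenticator over a received Access-Accept."""
    header, given, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return given == expected


def parse_attributes(packet):
    """Walk the attribute list; expand Cisco VSAs to ('cisco-avpair', text)."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    assert length == len(packet), "Length field disagrees with packet size"
    out, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        assert l >= 2, "malformed attribute length"
        value = packet[pos + 2:pos + l]
        if t == ATTR_VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            vt, vl = value[4], value[5]
            text = value[6:4 + vl].decode()
            label = "cisco-avpair" if (vendor, vt) == (VENDOR_CISCO, CISCO_AVPAIR) else f"vsa-{vendor}-{vt}"
            out.append((label, text))
        elif t == ATTR_CLASS:
            out.append(("Class", value.decode()))
        else:
            out.append((t, value))
        pos += l
    return out


def group_policy_from_class(attributes):
    """PIX-side view: the group-policy to apply is the name inside Class 'OU=<name>;'."""
    for name, value in attributes:
        if name == "Class" and value.startswith("OU=") and value.endswith(";"):
            return value[3:-1]
    return None


if __name__ == "__main__":
    req_auth = bytes(range(16))                      # constructed Request Authenticator
    pkt = access_accept(7, req_auth, b"testing123",  # constructed secret
                        [class_group_policy("gp-barbara"),
                         cisco_avpair("ip:addr-pool=miopool")])
    attrs = parse_attributes(pkt)
    print(attrs)
    print("group-policy:", group_policy_from_class(attrs))
```

The PIX only acts on the Class value if a group-policy of that name exists locally, so each user's pool and split-tunnel ACL still live in "group-policy <name> attributes" on the PIX (address-pools value ..., split-tunnel-network-list value ...); the RADIUS server only selects which one applies. The cisco-avpair is decoded correctly here too, which matches the thread: the PIX received it fine and rejected it on content, not on framing.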

Farrukh Haroon
VIP Alumni

Did you put in the "vpn-addr-assign aaa" command?

Regards

Farrukh

Yes, I put in the command; "vpn-addr-assign aaa" is the default configuration and the PIX doesn't show it in the running-config.

Thanks for all

Barbara
