09-30-2002 04:52 AM - edited 03-02-2019 01:43 AM
I have a strange problem with Cisco Secure ACS 3.0.
I created a group for dial-in users. I need to assign them IP addresses from a pool (created on the NAS). Under Group IP assignment I selected "Assigned from AAA client pool". And under the user "IP address assignment" options, I selected the option "Use Group settings". Therefore, all users belonging to that group should be assigned an address from the local pool.
But when a user from that group tries to connect I get a strange error.
"Mismatch in addr and addr-pool attributes".
When I debug I see a strange thing (a Framed-IP-Address that shouldn't be there):
07:10:18: RADIUS: Cisco AVpair [1] 26 "ip:addr-pool=router_pool"
07:10:18: RADIUS: Service-Type [6] 6 Framed [2]
07:10:18: RADIUS: Framed-Protocol [7] 6 PPP [1]
07:10:18: RADIUS: Framed-IP-Address [8] 6 255.255.255.254
07:10:18: RADIUS: Received from id F
07:10:18: Se0 PPP/AAA: Check Attr: addr-pool
07:10:18: Se0 PPP/AAA: Check Attr: service-type
07:10:18: Se0 PPP/AAA: Check Attr: Framed-Protocol
07:10:18: Se0 PPP/AAA: Check Attr: addr
07:10:18: Se0 AAA/AUTHOR/IPCP: Says use pool router_pool
07:10:18: Se0 AAA/AUTHOR/IPCP: Pool returned 195.11.22.30
07:10:18: Se0 AAA/AUTHOR/IPCP: Processing AV addr-pool
07:10:18: Se0 AAA/AUTHOR/IPCP: Processing AV addr
07:10:18: % AAA/AUTHOR/IPCP Se0: Attributes addr and addr-pool are mutually exclusive
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
07:10:18: Se0 AAA/AUTHOR/IPCP: Authorization denied
When I manually create a Cisco AV pair for assigning the IP address from a pool (the way I used it on Livingston radius):
Cisco AV pair:
ip:addr-pool=router_pool
then it works. Debug is not the same (there is no Framed-IP-Address) and no conflict between attributes.
03:04:43: RADIUS: Cisco AVpair [1] 26 "ip:addr-pool=router_pool"
03:04:43: RADIUS: Service-Type [6] 6 Framed [2]
03:04:43: RADIUS: Framed-Protocol [7] 6 PPP [1]
03:04:43: Se0 PPP: Received LOGIN Response from AAA = PASS
03:04:43: Se0 PPP/AAA: Check Attr: addr-pool
03:04:43: Se0 PPP/AAA: Check Attr: service-type
03:04:43: Se0 PPP/AAA: Check Attr: Framed-Protocol
What is wrong in the first scenario?
Cisco ACS is ver. 3.0, and IOS is 12.2.11.
thanks,
Jura
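An added example (not part of the original thread and not Cisco code): a Python check over RADIUS debug output in the format quoted in the post above, flagging any reply that carries both an `ip:addr-pool` AV pair and a Framed-IP-Address, the combination the NAS rejected. The sample lines are reconstructed from the post, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the two debug excerpts quoted in the post.
SAMPLE = """\
07:10:18: RADIUS: Cisco AVpair [1] 26 "ip:addr-pool=router_pool"
07:10:18: RADIUS: Service-Type [6] 6 Framed [2]
07:10:18: RADIUS: Framed-Protocol [7] 6 PPP [1]
07:10:18: RADIUS: Framed-IP-Address [8] 6 255.255.255.254
07:10:18: RADIUS: Received from id F
03:04:43: RADIUS: Cisco AVpair [1] 26 "ip:addr-pool=router_pool"
03:04:43: RADIUS: Service-Type [6] 6 Framed [2]
03:04:43: RADIUS: Framed-Protocol [7] 6 PPP [1]
03:04:43: Se0 PPP: Received LOGIN Response from AAA = PASS
"""

# "<time>: RADIUS: <name> [<type>] <length> <value>"
ATTR = re.compile(r'^(\S+): RADIUS: (.+?) \[(\d+)\]\s+\d+\s+(.*)$')
# RFC 2865: 0xFFFFFFFE in Framed-IP-Address means "NAS should select an address".
NAS_SELECTS = "255.255.255.254"

def split_replies(text):
    """Group consecutive RADIUS attribute lines; any other line ends a group."""
    group = []
    for line in text.splitlines():
        m = ATTR.match(line.strip())
        if m:
            group.append((m.group(1), m.group(2), m.group(4).strip('"')))
        elif group:
            yield group
            group = []
    if group:
        yield group

def find_addr_conflicts(text):
    """Return (timestamp, pool, framed_ip, nas_selects) for each conflicting reply."""
    hits = []
    for group in split_replies(text):
        pool = framed = None
        for _ts, name, value in group:
            if name == "Cisco AVpair" and value.startswith("ip:addr-pool="):
                pool = value.split("=", 1)[1]
            elif name == "Framed-IP-Address":
                framed = value
        if pool and framed:
            hits.append((group[0][0], pool, framed, framed == NAS_SELECTS))
    return hits

if __name__ == "__main__":
    for hit in find_addr_conflicts(SAMPLE):
        print(hit)
```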
10-04-2002 10:29 AM
Sounds like it could be an IOS problem. I would try doing a search in Cisco's bug toolkit for "Attributes addr and addr-pool are mutually exclusive".
10-05-2002 02:36 AM
You are absolutely right. I found exactly that bug in Bug Toolkit. But unfortunately it seems that all 12.1 and 12.2 IOS versions are affected, so I don't have much choice right now (the bug is being watched).
thanks