
IPSec RA AAA RADIUS and IP Pools

klivesey
Level 1

Got a strange one.

When setting up an IPSec RA Profile the IP Pool assigned does not take.

Running 8.4.1 on a 5540.

If I set the authentication method to local the IP Pool is assigned and all is well. If I then go in and set it to AAA and use my Safeword RADIUS server the IP Pool is bypassed and the client gets assigned a 10.20.0.1 address. The auth works well, I just can't understand where the 10.20.0.1 address is getting assigned. Same if I set up the profile to use DHCP.

A packet capture on the RADIUS device does not show any IP assignments from the server, just the user auth.

When disconnecting the ASA produces "IPAA: Freeing AAA address 10.20.0.1" Freeing AAA address?

Any ideas?

Ken...

1 Reply

Todd Pula
Level 7

The ASA follows an order-of-operations when it comes to address assignment. AAA will be checked first followed by DHCP and then defaulting to local. You can fine tune what types of addressing are supported on the ASA using the "vpn-addr-assign" command. If all you want to support is local pools, you could add the following to your config:

no vpn-addr-assign aaa

no vpn-addr-assign dhcp
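
An added example, not part of the original thread: a small Python check that reads a saved ASA running-config and reports which address-assignment sources are still enabled, in the AAA, DHCP, local order described in the reply. It assumes a method is enabled unless a "no vpn-addr-assign" line disables it; the sample config, the pool name RA_POOL and the function names are constructed for illustration.

```python
import re

# Order described in the reply: AAA is checked first, then DHCP, then local pools.
ORDER = ("aaa", "dhcp", "local")

# Constructed sample config (not from the thread) with the reply's two lines applied.
SAMPLE_CONFIG = """\
hostname asa-example
ip local pool RA_POOL 192.0.2.10-192.0.2.50 mask 255.255.255.0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
"""

LINE_RE = re.compile(r"^(no\s+)?vpn-addr-assign\s+(aaa|dhcp|local)\b", re.I)


def enabled_methods(config_text):
    """Return the enabled assignment methods in the order the ASA tries them."""
    # Assumption: every method is on unless a "no vpn-addr-assign <method>"
    # line turns it off; if a method appears twice, the last line wins.
    state = {method: True for method in ORDER}
    for raw in config_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            state[match.group(2).lower()] = match.group(1) is None
    return [method for method in ORDER if state[method]]


def audit(config_text, allowed=("local",)):
    """Flag enabled sources outside the allowed set, and the no-source case."""
    methods = enabled_methods(config_text)
    return {
        "order": methods,
        "unexpected": [m for m in methods if m not in allowed],
        "no_source": not methods,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```
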