PIX/IOS VPN with RADIUS-assigned client IP address

mmelbourne
Level 5

We have a VPN Concentrator which is configured to authenticate against a CiscoSecure ACS server. Certain users are assigned static IP addresses, as defined in CSACS, as this works seamlessly for Cisco VPN 3.x users or direct dial-up users (who log in to a NAS which authenticates against the same CSACS database).

There is a requirement to use a PIX (or an IOS FW+VPN) in another part of our network (the IOS router will require 12.2(8)T to support the Cisco VPN 3.x client). Will the PIX/IOS router recognise the static IP addresses, as defined in CSACS, and issue them to clients, or are client IP addresses always allocated from the pool defined locally on the PIX/IOS router?

3 Replies

gfullage
Cisco Employee

I just tested this on a router, and I believe the PIX will work the same way.

If you send down a static IP address from the ACS server, it overrides the local pool defined on the router, and the user gets assigned that static IP address. So do it just the same as how you've done it for the VPN3000 users and you should be fine.

I couldn't get it to work with the router IOS 12.2.8T. The address was always assigned out of the pool defined in the router. Could you help by providing some specific details?

Thanks

Actually I must apologize for this. What I tested initially was PPP connections to the router, not VPN. What I originally said still stands for PPP connections but not for VPN. With VPN connections the IP address must be assigned out of a local pool. In fact if you don't configure one on the router the VPN client won't connect at all.

Again, my apologies for misreading your original question.