Configuring Ip Pool In Freeradius?
Nov 27, 2012
How do we set up IP pools in FreeRADIUS?
I am configuring a DHCP pool for the voice VLAN on a Cisco 2921 router.
Here is the setup.
2921 router -> 3750 -> 2960 PoE -> 7942 IP Phone
Router Config
ip dhcp excluded-address 10.146.54.1 10.146.89.50
!
ip dhcp pool VoiceVlan
network 10.146.54.0 255.255.255.0
subnet prefix-length 24
dns-server 10.144.68.32 10.144.68.33
option 150 ip 10.146.68.36
default-router 10.146.54.1
netbios-name-server 10.144.68.32 10.144.68.33
netbios-node-type h-node
[code]....
We are trying to configure our 2106 wireless lan controller to expire wireless users sessions so the user is not remembered indefinitely. We are using freeradius to validate the users login information and passing back a "session-timeout" avpair but the WLC seems to be ignoring this value.
How to configure the session expiration time of wireless users on a 2106?
I have a new WET200 wireless bridge and cannot authenticate to our WPA2 EAP-TLS freeradius server. Here are the steps that I have taken so far:
1. Renamed my pkcs12 client certificate to .pfx extension and imported it into the WET200.
2. Used the client certificate import password as the "Private Key Password"
3. Typed in the client "Login Name"
The freeradius server recognizes the WET200 with the entered credentials but will not authenticate. The freeradius debug log gives the following error:
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x3e833be03884222b... did not finish!
WARNING: !! Please read [URL]
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Normally, with other wireless devices the CA (certificate authority) certificate needs to be installed on the client as well as the PKCS#12 client certificate. Is there a way to place a CA and client certificate into the WET200? What is the proper method to install certificates into the WET200 for FreeRADIUS EAP-TLS authentication?
I'm not sure if this is a recent issue for our setup, but I've only just noticed it. Although most authenticated users are shown by their correct user names (which are required for 802.1x authentication), a few users show up in the WCS reports as "anonymous", and one as "anonymous@myabc.com", which are not valid usernames on our network.
I can track these users by MAC via our network registration database, but have not yet figured out what makes their systems unique. All three in yesterday's report are Win 7. I don't see anything strange in the RADIUS logs, but have not yet captured "debug" traces of wireless authentication from an anonymous user.
We are running WCS 7.0.172.0 , with a pair of WLC 4402 controllers running 7.0.116.0 . Our WPA2 Enterprise auth uses TTLS/PAP, with the SecureW2 supplicant for Windows.
I have two 1310 bridges. one configured as root and the other as non-root. Authentication Settings: Open with EAP and Network EAP with no addition. Set up: when non-root bridge tries to associate with root bridge, root bridge checks with radius server if it's ok to associate with the non-root bridge.
I can see communication with the radius server (I'm using FreeRadius) and the radius server even sends a SUCCESS back to the root bridge. However I'm seeing this error on the non-root bridge: DOT1X_SHIM-3-PLUMB_KEY_ERR: Unable to plumb keys - Eap key struct is NULL and the bridges do not authenticate.
I am using a range of IPs from my inside LAN for my IPSec VPN clients. For example my inside network is 172.16.1.0/24 and I have a pool setup like this: ip local pool vpnpool 172.16.1.200-172.16.1.210 mask 255.255.255.0.
Before the upgrade to 8.4 it was working and now it isn't. Clients can connect and pick up an IP but can't communicate with the inside LAN. I think I have to do manual NAT to nonat this range. So I want to try the following:
object network obj-vpnpool
range 172.16.1.200 172.16.1.210
nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool
However there are two things preventing me from doing this:
1) When I try to create obj-vpnpool I get an error stating that this object overlaps with local pool
2) Even if I create the obj-vpnpool with a non-overlapping range, when in the VPN config I don't have an option for selecting obj-vpnpool.
On ASA, I understand that we can assign a static IP for a specific VPN client, or we can use a DHCP pool to assign IPs. Now if I want to create DHCP pools, say pool_A and pool_B, so that users A, B and C use IPs from pool_A, and users D, E and F get IPs from pool_B. Is there a way to do this in ASA?
I have Remote Access VPN users (IPsec) who are terminated on a Cisco ASA 5520 (v8.2). For those users, AAA is done on the ACS. Group policies and tunnel groups are defined on the ASA. Initially I had all VPN users defined on the ASA and group policies were associated with each user. Each group policy had its own IP pool for users. Now, I moved the users to ACS. How can I associate a group policy defined on the ASA with a user group defined on ACS? Is it possible for ACS to send the ASA information about the IP pool for each group policy? Users will use ONE VPN profile BUT, based on the Active Directory group they belong to, they obtain a different IP address for each group. Can it be done? ACS version is 5.2.
We have the configuration below set up in a 3560 switch (addresses and names modified for privacy). We are running out of dynamic IPs in the current pool (6.35.159.0 – 6.35.159.255). We have a new set of IPs that we can use (6.44.56.0 – 6.44.57.255, an additional 512 addresses). Although I can figure out the commands to add a new DHCP pool, secondary subnet, etc., I've never done this before so I'm not sure of everything I need to do. The end result I need is that the 3560 needs to be able to hand out IP addresses from the current and new pool to anything connecting to VLAN 300, our datanet where computers access the Internet. What do I need to do as far as modifying the VLAN, adding the secondary subnet, defining helper IPs, gateways, whatever, so that computers connecting via VLAN 300 have Internet access via either of the pools? I have been told that all I need to do is create the pool, but I'm not sure if that is correct...
[code]....
We are testing the upgrade from version 8.2 to 8.4 on an ASA 5505 and ran into a problem. For VPN connections we had pools created. A few of the pools were limited to a single IP address. After the upgrade the ASA rejects the pools that only had one IP address instead of a range. In the command line, if you enter a question mark after typing "ip local pool (pool keyword)" in config mode, it says "Specify an IP address or a range of IP addresses: start[-end]". With the word "or" it sounds like it should accept a single IP address, but it doesn't. The error is "Please enter a valid IP address range."
Is it possible to create an IP address pool for IP address assignment in ACS 5.3, like it used to be possible in 3.x and 4.x?
I am configuring IPsec Remote Access VPN on an ASA 5505. There is one external interface and one internal interface configured on the device. The internal interface is connected to subnet 192.168.1.0/24. When a VPN client gets connected, I would like to assign the IP from some subnet (for example 192.168.2.0/24) other than the current internal subnet (192.168.1.0/24), but the VPN client should still be able to access 192.168.1.0/24. Is there a way to do this?
We have a WLC 5500 connected to a 2960 acting as core switch. There is a server attached to the switch, bearing all DHCP pools for LAN and wireless users. Can the WLC or the switch be configured in such a way that the wireless users associating to the WLC get their IP addresses from the DHCP pool configured on the server? Can the configuration be shared for such a setup?
Can the NAT pool be on a different network than the load-balanced VIP? My current design uses a NAT pool on the same network, but the architect wants the NATs on a separate VLAN. I will be developing on ACE MOD20, but the final configuration will be on a 4710.
Can we assign a secondary ISP-2 pool IP to a DMZ server? Network design attached for reference.
I have created a PPTP VPN on a Cisco 3745 router, and a pool of addresses for the VPN clients. Now I want to find a way to reserve the addresses in the pool for specific machines; for example, if machine A connects to the VPN it should always be given the IP address a.a.a.a, and that address should never be assigned to any other machine even if machine A is not connected to the VPN.
I would like to add a VLAN to a second context on a pair of redundant ACE modules. As soon as I open up that shared VLAN box we will expose ourselves to MAC conflicts until the shared-vlan-hostid commands can be implemented and the module reloaded. Adding the commands is not a big deal, but I may not be able to schedule a reload until next week. What I would like to do is confirm the MAC pools in use by each module right now. My hope is that they grabbed unique pools when they last booted and a conflict will not be a concern now.
I'm using a Cisco 5510 ASA at the head office and all the branches (32) connect to the head office via the Cisco VPN client (remote access VPN). As per the configuration, branches used to get IP addresses from the VPN pool randomly. Now, my requirement is that each branch should get the same IP address every time the VPN is established. Is this feasible?
To do this I've created another Dialer and re-assigned the ATM interface (atm0/0/0) to it. Then I've done a shut and then a no shut a minute or two later. To my surprise the debug ppp negotiation showed the user name from Dialer1 and then the line was back in my multilink bundle.
My relevant Config is below:
interface ATM0/0/0
no ip address
[Code]......
Is there any way to always assign the same IP address to an AnyConnect VPN client logged into an ASA 5505 running v8.4?
My AP gets an IP from the 6509, but the client cannot get DHCP from my DHCP pool for clients. What is the reason? I have a 3750G switch with integrated WLC, and I connect it to the 6509. I did all the configs yesterday; here are the outputs:
WLC
Interface Name Port Vlan Id IP Address Type Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
ap-manager LAG 10 172.16.10.100 Static Yes No
globus LAG 20 172.16.20.254 Dynamic No No
management LAG 10 172.16.10.99 Static No No
service-port N/A N/A 0.0.0.0 Static No No
[code].....
Cisco IOS 12.4 Basic: is there a check to see if the command "ip nat pool" is available? We have 12.2 Basic and I know it is in the 12.4 Advanced and 15.1 Basic versions (too large a jump in version for management). Our budget is very limited so I am hoping that 12.4 Basic has this command.
I'm trying to configure IP pool selection by RADIUS on ACS 5-3-0-40-7. So, I went to configure the cisco-assign-ip-pool (Cisco VSA 218) attribute within a test authorization profile but discovered that cisco-assign-ip-pool is an integer (?!) and (therefore) accepts digits only.
As far as I can remember, we used to put pool *names* within ip:addr-pool
(something along those lines: cisco-avpair = "ip:addr-pool=test-pool-1").
So how should we configure the values for this attribute in ACS 5?
Best way to migrate to a new pool for remote access DHCP address assignment. We are currently using a /24 pool, allowing us 253 IP addresses... during the recent hurricane we hit 250 IP addresses used, and had to start asking users to connect to our backup ASA VPN device in another country, not an ideal solution. I'd like to expand our current VPN subnet to a /23; however, I do not have a free /24 subnet above (or below) our current /24 subnet.
I can certainly allocate a new /23 subnet, but I am looking for the best migration plan with minimal downtime (no downtime would be preferred). Can I just add the new pool range to the tunnel-group RAVPN general-attributes section alongside the current pool, or should I just remove the old pool, log off all existing remote access VPN users and have them log on again to start using the new pool? We are running ASA Version 8.2(1).
Can I have 2 pools, each with a different subnet? [code] I want to put a restriction on remote VPN users having an address from pool-2, and just give them access to 172.16.10.0/24. Is it possible on the ASA 5510?
My Cisco VPN client connects to the ASA 5510 and everything looks good, but when I try to send traffic (RDP) to servers it connects and the logs show a SYN timeout. [code]
I got a project where I have to provide NATed addresses to customers for the internal servers, and I found out that the outside address range /27 is already in use. We are using a 5510 with ver 8.1. We can't use PAT here. Any other option to accomplish this task?
Is the following syntax correct for removing a remote access VPN address pool and inserting a new one on an ASA 5510?
(config)# NO ip local pool BWCVPN 192.168.200.1-192.168.200.128
(config)# ip local pool BWCVPN 192.168.300.1-192.168.300.128
(config)# tunnel-group BWCVPN ciscovpn general-attributes
(config-general)# address-pool BWCVPN
I am trying to connect a Zodiac iAqualink wireless pool equipment controller to my home network (WRT54G) without success. This is a 802.11b device. My router is set to mixed mode. What I have tried:
1. Set it up as suggested in the instructions: WEP2 security, double checked SSID and password
2. Set it up without wireless security
3. Changed channels
4. Set mode to 802.11b
In all cases the LED on the iAqualink that is supposed to indicate that it is connected to the network illuminates properly, but I can never find the device using EasyLink Advisor.
I configured an IP pool on a VPN 3000 concentrator. I wanted an attribute to use in the network access profile on the ACS 5.3. I was advised to use the pool name. However, we don't have a pool name attribute on the VPN concentrator, only an IP range and subnet mask. How do I refer to an IP pool on the VPN concentrator in ACS 5.3? Is there another attribute I can use on ACS 5.3 to invoke a pool on the CVPN3000, like IP range...?
I want to configure multiple DHCP configurations on an ASA 5505. I tried to create a sub-interface for a different IP pool but it could not be configured on the ASA 5505. Is it possible to create a subinterface on the ASA 5505?
ASA 5505 IOS version: 8.3(1)
License: Security Plus
Using ACS 4.2, I can't find a way to bind an incoming NAS port to a specific IP pool:
When a user connects, the request to auth comes from 2 possible NAS ports randomly (this cannot change). Which NAS makes the request determines the IP range required, so I need 2 IP pools. There is no way to say 'if the request comes from NAS1 give an IP from Pool1 and if the request comes from NAS2 give an IP from Pool2'.
I have gone around and around with NAFs and NARs, but cannot do this. I can create 2 ACS groups with the specific NAS and specific IP pool within, but then I cannot have a single username bound to both groups.
I moved the auth to an AD group in the hope that I could bind that single AD group to the 2 ACS groups; and so have a single username, but no joy.