Configuring Ip Pool In Freeradius?
Nov 27, 2012How do we setup ip pools in freeradius?
View 1 Replies
ADVERTISEMENT
Cisco Switching/Routing :: Configuring DHCP Pool For Voice Vlan On 2921 Router?
Feb 12, 2013I am configuring DHCP pool for voice vlan on cisco 2921 router.
Here is the setup.
2921 router -> 3750 -> 2960 PoE -> 7942 IP Phone
Router Config
ip dhcp excluded-address 10.146.54.1 10.146.89.50
!
ip dhcp pool VoiceVlan
network 10.146.54.0 255.255.255.0
subnet prefix-length 24
dns-server 10.144.68.32 10.144.68.33
option 150 ip 10.146.68.36
default-router 10.146.54.1
netbios-name-server 10.144.68.32 10.144.68.33
netbios-node-type h-node
[code]....
Cisco :: 2106 WLC And Freeradius Session-timeout
Jun 20, 2011We are trying to configure our 2106 wireless lan controller to expire wireless users sessions so the user is not remembered indefinitely. We are using freeradius to validate the users login information and passing back a "session-timeout" avpair but the WLC seems to be ignoring this value.
How to configure the session expiration time of wireless users on a 2106?
Cisco Wireless :: WET200 FreeRadius EAP-TLS Authentication?
Feb 29, 2012I have a new WET200 wireless bridge and cannot authenticate to our WPA2 EAP-TLS freeradius server. Here are the steps that I have taken so far:
1. Renamed my pkcs12 client certificate to .pfx extension and imported it into the WET200.
2. Used the client certificate import password as the "Private Key Password"
3. Typed in the client "Login Name"
The freeradius server recognizes the WET200 with the entered credentials but will not authenticate. The freeradius debug log gives the following error:
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x3e833be03884222b... did not finish!
WARNING: !! Please read [URL]
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Normally, with other wireless devices the CA (ceritificate authority) certificate needs to be installed to the client as well as the pkcs12 client certificate? Is there a way to place a CA and client certificate into the WET200?What is the proper method to install certificates into the WET200 for FreeRadius EPA-TLS authentication?
Cisco :: 4402 - WCS User Names Sometimes Incorrect With 802.1x FreeRadius
Feb 29, 2012I'm not sure if this is a recent issue for our setup, but I've only just noticed it. Although most authenticated users are shown by their correct user names (which are required for 802.1x authentication), a few users show up in the WCS reports as "anonymous", and one as "anonymous@myabc.com", which are not valid usernames on our network.
I can track these users by MAC via our network registration database, but have not yet figured what makes their systems unique. All three in yesterday's report are Win 7. I don't see anything strange in the RADIUS logs, but have not yet caputured "debug" traces of wireless authentication from an anonymous user.
We are running WCS 7.0.172.0 , with a pair of WLC 4402 controllers running 7.0.116.0 . Our WPA2 Enterprise auth uses TTLS/PAP, with the SecureW2 supplicant for Windows.
Cisco AAA / Identity / Nac :: 1310 Bridges - FreeRadius Authentication Error
Mar 2, 2011I have two 1310 bridges. one configured as root and the other as non-root. Authentication Settings: Open with EAP and Network EAP with no addition. Set up: when non-root bridge tries to associate with root bridge, root bridge checks with radius server if it's ok to associate with the non-root bridge.
I can see communication with the radius server (I'm using FreeRadius) and the radius server even sends a SUCCESS back to the root bridge. However I'm seeing this error on the non-root bridge: DOT1X_SHIM-3-PLUMB_KEY_ERR: Unable to plumb keys - Eap key struct is NULL and the bridges do not authenticate.
Cisco Firewall :: ASA 8.4 No Nat Of Vpn Pool
Jul 17, 2012I am using a range of IPs from my inside LAN for my IPSec VPN clients. For example my inside network is 172.16.1.0/24 and I have a pool setup like this: ip local pool vpnpool 172.16.1.200-172.16.1.210 mask 255.255.255.0.
Before the upgrade to 8.4 it was working and now it isn't. Clients can connect and pickup and IP but can't cominuicate with the inside LAN. I think I have to do manual NAT to nonat this range. So I want to try the following:
object network obj-vpnpool range 172.16.1.200 172.16.1.210 nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool
However there are two things preventing me from doing this:
1) When I try to create obj-vpnpool I get an error stating that this object overlaps with local pool
2) Even if I create the obj-vpnpool with a non-overlapping range, when in the VPN config I don't have an option for selecting obj-vpnpool.
Cisco :: Possible To Use DHCP Pool To Assign IP
Feb 27, 2013ON ASA, I understand that we can assign a static IP for a specific VPN client, or we can use a DHCP pool to assign IP. Now if I want to create DHCP pools, say pool_A and pool_B, for user A, B and C they use the IP from Pool_A, and user D, E, and F they get the IP from pool_B. Is there a way to do this in ASA?
View 4 Replies View RelatedCisco VPN :: ASA 8.2 - ACS 5.2 With Dynamic VPN IP Pool Assignment?
Aug 7, 2011I have Remote Access VPN users (IPsec) who are terminated on Cisco ASA 5520 (v8.2). For those users, AAA is done on the ACS. Group-policies and tunnel groups are defined on ASA. Initialy I had all VPN users defined on ASA and group policies were associated with each user. Each group policy had it’s own IP pool for users. Now, I moved users to ACS. How can I associate group policy, defined on ASA, with users group defined on ACS? Is it possible that ACS send to ASA information about IP pool for different group policy? Users will use ONE vpn profile BUT based on the Active Directory group they belong to they obtain a different IP address for each group.Can it be done ? ACS version is 5.2.
View 1 Replies View RelatedCisco LAN :: 3560 - Add Second / Sub DHCP Pool?
Jul 25, 2012We have the configuration below set up in a 3560 switch (addresses and names modified for privacy). We are running out of dynamic IP’s in the current pool (6.35.159.0 – 6.35.159.255). We have a new set of IP’s that we can use (6.44.56.0 – 6.44.57.255 – an additional 512 addresses). Although I can figure out the commands to add a new dhcp pool, secondary subnet, etc., I’ve never done this before so I’m not sure of everything I need to do. The end result I need is that the 3560 needs to be able to hand out IP addresses from the current and new pool to anything connecting to vlan 300 – our datanet where computers access the Internet. What I need to do as far as modifying the vlan, adding the secondary subnet, defining helper IP’s, gateways, whatever, so that computers connecting via vlan 300 have Internet access via either of the pools? I have been told that all I need to do is create the pool, but not sure if that is correct...
[code]....
Cisco VPN :: ASA 5505 / VPN IP Local Pool?
Jan 5, 2012We are testing the upgrade from version 8.2 to 8.4 on an ASA 5505 and ran into a problem. For VPN connections we had pools created. A few of the pools were limited to a single IP address. After the upgrade the ASA rejects the pools that only had one IP address instead of a range. In the command line if you enter a question mark after typing in "ip local pool (pool keyword)" in config mode it says "Specify an IP address or a range of IP addresses:start[-end]" with the word "or" it sounds like it should except a single IP address but it doesn't. The error is "Please enter a valid IP address range."
View 5 Replies View RelatedCisco AAA/Identity/Nac :: Ip Address Pool In ACS 5.3?
Sep 30, 2012Is it possible to create an ip address pool for ip address assignment in ACS 5.3, like it used to be possible in 3.x and 4.x?
View 2 Replies View RelatedCisco :: Remote Access VPN DHCP Pool?
Oct 3, 2012I am configuring IPSec Remote Access VPN on a ASA 5505. There are one external interface and one internal interface configured on the device. Internal interface connected to subnet 192.168.1.0/24.en VPN client get connected, I would like to assign the IP from some subnet(for example 192.168.2.0/24) other than the current internel subnet (192.168.1.0/24), but the VPN client can still access to 192.168.1.0/24. Is there a way to do this?
View 2 Replies View RelatedCisco Wireless :: WLC 5500 / Ip Pool Allocation
Nov 19, 2012We have a WLC 5500 connected to a 2960 acting as core switch. there is a server attached to the switch , bearing all dhcp pools for lan and wireless users. Can the wlc or the switch be configured in such a way that the wireless users associating to the wlc get their ip addresses from the dhcp pool configured on the server. Can the configuration can be shared for such a setup.
View 5 Replies View RelatedCisco Application :: 4710 ACE NAT Pool On Different Network
Nov 27, 2012Can the Nat Pool be on a different network that the load balanced vip? My current design uses nat pool on the same network, but the archatect wants the NATs on seperate VLAN.I will be developing on ACE MOD20, but the final configuration will be on 4710.
View 3 Replies View RelatedCisco Firewall :: Assign Secondary ISP-2 Pool IP To DMZ Server?
May 15, 2011Can we assign Secondary ISP-2 Pool IP to DMZ Server, network design attached for reference.
View 2 Replies View RelatedCisco Security :: 3745 - VPN - Reserving Pool Addresses?
Dec 11, 2012I have created a PPTP VPN on a cisco 3745 router, and a pool of addresses for the VPN clients. Now i want to find a way to reserve the addresses in the pool for specific machines, for example, if machine A connects to the VPN it should always be given the IP address a.a.a.a and that address should never be assigned to any other machine even if machine A is not connected to the VPN.
View 1 Replies View RelatedCisco Application :: Show Active Mac Pool On ACE20?
Oct 26, 2011I would like to add a vlan to a second context on a pair of redundant ACE modules. As soon as I open up that shared vlan box we will expose ourselves to mac conflicts until the shared-vlan-hostid commands can be implemented and the module reloaded. Adding the commands is not a big deal but I may not be able to schedule a reload until next week. What I would like to do is confirm the mac pools in use by each module right now. My hope is that they grabbed unique pools when they last booted and a conflict will not be a concern now.
View 3 Replies View RelatedCisco Firewall :: To Get IP Addressed From VPN Pool Randomly ASA5510
Apr 18, 2012I’m using a cisco 5510 ASA at the head office and all the branches (32) connect to the head office via cisco VPN client(Remote access VPN), as per the configuration branches used to get ip addresses from the VPN pool randomly. Now, my requirement is I need that each branch should get the same ip address every time when the VPN is established. Is this feasible?
View 3 Replies View RelatedCisco WAN :: Can't Change Dialer Pool (2821 Version 12.4(13r)T)
Aug 28, 2012To do this I’ve created another Dialer and re-assigned the atm interface (atm0/0/0) to it. Then I’ve done a shut and then a no shut a min or two later. To my surprise the debug ppp negotiation showed the user name from Dialer1 and then the line was back in my multi link bundle.
My relevant Config is below:
interface ATM0/0/0
no ip address
[Code]......
Cisco Firewall :: Assign Same VPN Pool IP To Client / ASA 5505-v8.4(2)
Sep 16, 2011Is there any way to always assign the same IP address to an AnyConnect VPN client logged into an ASA 5505 running v8.4?2
View 2 Replies View RelatedCisco Wireless :: AP Get IP From 6509 But Client Cannot Get DHCP From Pool
May 30, 2012My AP get IP from 6509, but client cannot get dhcp from my dhcp pool for client, what is the reason?i have 3750g switch with integrated WLC, i connect it to 6509 I did all configs yesterday here is outputs
WLC
Interface Name Port Vlan Id IP Address Type Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
ap-manager LAG 10 172.16.10.100 Static Yes No
globus LAG 20 172.16.20.254 Dynamic No No
management LAG 10 172.16.10.99 Static No No
service-port N/A N/A 0.0.0.0 Static No No
[code].....
Cisco Switching/Routing :: Does IOS 12.4 Basic Have (IP NAT Pool) Command Available
Sep 23, 2012Cisco IOS 12.4 Basic check to see if the command "ip nat pool" is available?We have 12.2 basic and I know it is in the 12.4 Advanced and 15.1 Basic versions (too large of a jump in version for management). Our budget is very limited so I am hoping that 12.4 Basic has this command.
View 2 Replies View RelatedCisco AAA/Identity/Nac :: VSA 218 - Configure IP Pool Selection By RADIUS On ACS 5-3-0-40-7?
Feb 18, 2013I'm trying to configure IP pool selection by RADIUS on ACS 5-3-0-40-7.So, I went to configuring the cisco-assign-ip-pool (Cisco VSA 218) attribute within some test authorization profile but discovered that cisco-assign-ip-pool is an integer (?!) and (therefore) accepts digits only.
As far as I can remember, we used to put pool *names* within ip:addr-pool
(something along those lines: cisco-avpair = "ip:addr-pool=test-pool-1").
So how should we configure the values for this attribute in ACS 5?
Cisco VPN :: ASA5520 Remote Access VPN Pool Migration?
Nov 29, 2012best way to migrate to a new pool for remote access DHCP address assignment. We are currently using a /24 pool, allowing us 253 IP Addresses... during the recent hurricane we hit 250 IP Addresses used, and had to start asking users to connect to our backup ASA VPN device in another country, not an ideal solution. I'd like to expand our current VPN subnet to a /23, however I do not have a free /24 subnet above (or below) our current /24 subnet.
I can certainly allocate a new /23 subnet, but I am looking for the best migration plan with minimal downtime (no downtime would be preferred). Can I just add the new pool range to the tunnel-group RAVPN general-attributes section alongside the current pool, or should I just remove the old pool, log off all existing remote access VPN users and have them log on again to start using the new pool?We are running ASA Version 8.2(1).
Cisco VPN :: 5510 Remote Vpn Users Having Address From Pool 2
Apr 5, 2011can i have 2 pools each with diifferent subnet [code] i wanna put restricution on remote vpn users having address from pool-2,and just give them access to 172.16.10.0/24,is it possible on the asa 5510?
View 7 Replies View RelatedCisco VPN :: 5510 Sync Timeout Traffic From VPN Pool
Sep 10, 2012My VPN Cisco client connects to the ASA 5510 and everything looks good but when i try send traffic(RDP) severs connects and the logs shows a sync timeout. [code]
View 8 Replies View RelatedCisco :: 5510 - Static NAT Required But Outside Pool Already Exhausted
Mar 10, 2012I got a project where I have to provide NATTED addresses to customers for the internal servers and I found out that the outside address range /27 already in use. We are using 5510 with ver 8.1. We cant use PAT here. Any other option to accomplish this task.
View 1 Replies View RelatedCisco VPN :: Remote Access Address Pool ASA 5510
Mar 17, 2013Is the following sysntax correct in removing a remote access vpn address pool and inserting a new one on an ASA5510?
(config)# NO ip local pool BWCVPN 192.168.200.1-192.168.200.128
(config)# ip local pool BWCVPN 192.168.300.1-192.168.300.128
(confif)# tunnel-group BWCVPN ciscovpn general-attributes
(config-general)# address-pool BWCVPN
Linksys Wireless Router :: Connecting Pool Controller To WRT54G?
Sep 30, 2012I am trying to connect a Zodiac iAqualink wireless pool equipment controller to my home network (WRT54G) without success. This is a 802.11b device. My router is set to mixed mode. What I have tried:
1. Set it up as suggested in the instructions: WEP2 security, double checked SSID and password
2. Set it up without wireless security
3. Changed channels
4. Set mode to 802.11b
In all cases the LED on the iAqualink that is supposed to indicate that it is connected to the network illuminates properly, but I can never find the device using EasyLink Advisor.
Cisco AAA/Identity/Nac :: Invoke IP POOL Defined On VPN 3000 To ACS5.3?
Aug 27, 2012I configured an ip pool on VPN 3000 concetnrator. i wanted to an attribute to use on the nework access profile on the acs 5.3. i was advised to use pool name. However, we don't have pool name attribute on VPN concentrator. only, IP range and subnet mask. how do i refer an IP pool on VPN concentrator in ACS5.3? is there another attribute I can use on ACS5.3 to invoke a pool on CVPN3000, like ip range...?
View 2 Replies View RelatedCisco Firewall :: Multiple DHCP Pool Configuration On ASA 5505
Oct 4, 2012I want to configure multiple DHCP configuration on ASA 5505. I tried to create sub interface for different IP Pool but it was not configure on ASA 5505. is it possible to create subinterface on ASA 5505?
ASA 5505 IOS version: 8.3(1)
License: Security Plus
Cisco AAA/Identity/Nac :: ACS 4.2 - IP Pool Allocation Based On NAS Port IP Address
Jul 7, 2010using ACS 4.2 and I can't find a way to bind an incoming NAS port to a specifc IP Pool:
When a user connects the request to auth comes from 2 possible NAS ports randomly (this cannot change). Depending on which NAS makes the requests determines the IP range required, so I need 2 IP Pools. There is no way to say 'if request comes from NAS1 give IP from Pool1 and if request comes from NAS2 give IP from Pool2'
I have gone around and around with NAFs and NARs, but cannot do this.I can create 2 ACS groups with the specific NAS and specific IP pool within, but then I cannot have a single username bound to both groups.
I moved the auth to an AD group in the hope that I could bind that single AD group to the 2 ACS groups; and so have a single username, but no joy.