ACS / C1220 APs / VPN 3000 Conc: IP addr allocation for VPN but not for 802.1X possible?

The following sketch shows the configuration used in one of our departments. Except for a "problem" with IP address assignment everything seems okay.

    +--------------------------------------------+
    |WLAN: several SSID/VLANs: 802.1X, open, ... |
    +--------------------------------------------+
                     |
                 C1200-APs
                     |
    (dot1x ports -)/ Catalysts - freeradius-daemons - Internet
                     |                                  |
                  VPN Conc. - ACS-3.3

WLAN users might use the 802.1X WLAN SSID or the open SSID with VLAN to authenticate and connect to the Internet. VPN users might also connect to the local network from the Internet.

The ACS authenticates 802.1X users and VPN users as well. (freeradius solves problems with VLAN assignments of external/proxied users in 802.1X, but I do need the ACS for Active Directory passwords.)

  • 802.1X users get IP information by DHCP (including IP addr)

  • VPN users can't use DHCP (at least I was not satisfied / it did not work as needed, even with Network Scope). Anyhow:
    - users are assigned to concentrator groups
    - group-specific ACLs need to be applied; I have not yet decided whether to go for the concentrator or for ACS in order to apply the ACLs
    - some groups have to share the same IP address pool

I would like to use ACS IP pools. The VPN 3000 Concentrator does not allow overlapping IP address pools but we do not have so many free address pools.

So far so good. Unfortunately, ACS now allocates IP addresses not only for VPN users but also for the 802.1X users (or ACS denies authen., if there are no free addresses left).

Is it possible to not let ACS assign IP addresses to the 802.1X users? ... or the other way around: only use IP pools for the VPN NAS?

I did not find a way for the Cisco 1220 APs to not let them "ask for" IP addresses in the first place either (if RADIUS is able to support this).

If it is possible, maybe somebody knows some fancy settings for freeradius to solve the problem? ;-)

I'm wondering if I have to implement the following:

- do not let ACS use IP pools at all

- send VPN 3000 specific RADIUS attributes to let the Concentrator allocate an IP address out of pools defined locally on the Conc. (maybe I use several very small pools)

I would be happy to get hints or comments (pro or con).

Thanks in advance, ws

Walter Steiner