Choose IP address pool based on username

Discussion in 'Cisco' started by Michael Burkey, Oct 16, 2003.

  1. I have a Cisco 3640, IOS 12.2. I am using local aaa authentication
    for our dial-up users that connect to an ISDN PRI. I'd like to know if
    it is possible to, based on the username, choose different pools of
    IPs.

    Thanks,

    Michael
    Michael Burkey, Oct 16, 2003
    #1

  2. On 16 Oct 2003 10:53:18 -0700, (Michael Burkey) wrote:

    ~ I have a Cisco 3640, IOS 12.2. I am using local aaa authentication
    ~ for our dial-up users that connect to an ISDN PRI. I'd like to know if
    ~ it is possible to, based on the username, choose different pools of
    ~ IPs.
    ~
    ~ Thanks,
    ~
    ~ Michael

    You can do it with dialer profiles; the downside is that
    you would have to configure a separate dialer profile for
    each user. E.g.

    int serial 0:23
     ppp authen pap chap callin
     dialer pool-member 1
    int dialer 1
     ppp authen pap chap callin
     dialer pool 1
     dialer remote-name USER1
     peer default ip address pool GROUP1
    int dialer 2
     dialer remote-name USER2
     peer default ip address pool GROUP2

    As an optimization, you could have the most
    numerous group of users not bind to dialer
    profiles, but instead use virtual profiles:

    virtual-profile virtual-template 1
    interface virtual-template 1
     ppp authen pap chap callin
     peer default ip address pool GROUP1

    The users who need to use other address
    pools would get per-user dialer profiles.

    Aaron
    Aaron Leonard, Oct 17, 2003
    #2

  3. Aaron,

    Maybe this information would help. I did enable the Virtual Profiles,
    but the Dialer Profiles don't seem to be in effect.

    SHOW VER:

    Cisco Internetwork Operating System Software
    IOS (tm) 3600 Software (C3640-IK8O3S-M), Version 12.2(2)T, RELEASE
    SOFTWARE (fc1)
    TAC Support: http://www.cisco.com/cgi-bin/ibld/view.pl?i=support
    Copyright (c) 1986-2001 by cisco Systems, Inc.
    Compiled Sat 02-Jun-01 20:26 by ccai
    Image text-base: 0x600089A8, data-base: 0x614B8000

    ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE
    SOFTWARE (fc1)
    ROM: 3600 Software (C3640-IK8O3S-M), Version 12.2(2)T, RELEASE
    SOFTWARE (fc1)

    BSDROUTER uptime is 2 weeks, 5 hours, 59 minutes
    System returned to ROM by reload at 15:01:12 UTC Mon Oct 6 2003
    System image file is "flash:c3640-ik8o3s-mz.122-2.T.bin"

    cisco 3640 (R4700) processor (revision 0x00) with 59392K/6144K bytes
    of memory.
    Processor board ID 19277400
    R4700 CPU at 100Mhz, Implementation 33, Rev 1.0
    MICA-6DM Firmware: CP ver 2730 - 5/23/2001, SP ver 2730 - 5/23/2001.
    Bridging software.
    X.25 software, Version 3.0.0.
    SuperLAT software (copyright 1990 by Meridian Technology Corp).
    Primary Rate ISDN software, Version 1.1.
    1 FastEthernet/IEEE 802.3 interface(s)
    49 Serial network interface(s)
    48 terminal line(s)
    2 Channelized T1/PRI port(s)
    DRAM configuration is 64 bits wide with parity disabled.
    125K bytes of non-volatile configuration memory.
    16384K bytes of processor board System flash (Read/Write)
    2048K bytes of processor board PCMCIA Slot0 flash (Read/Write)

    Configuration register is 0x2102


    SHOW RUN:

    version 12.2
    no parser cache
    no service single-slot-reload-enable
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname XXXXXXXXXXX
    !
    no logging buffered
    logging rate-limit console 10 except errors
    no logging console
    logging monitor notifications
    aaa new-model
    aaa authentication login default local-case
    aaa authentication ppp default local
    enable secret 5 XXXXXXXXXXX
    !
    username mburkey password 7 XXXXXXXXXXXXXXX
    !
    !
    ip subnet-zero
    no ip source-route
    ip cef
    !
    !
    no ip domain-lookup
    ip name-server XXX.XXX.XXX.XXX
    ip name-server XXX.XXX.XXX.XXX
    !
    ip audit notify log
    ip audit po max-events 100
    ip ssh time-out 120
    ip ssh authentication-retries 3
    no ip dhcp-client network-discovery
    virtual-profile virtual-template 1
    virtual-profile aaa
    !
    class-map match-any http-hacks
    match protocol http url "*root.exe*"
    match protocol http url "*default.ida*"
    match protocol http url "*x.ida*"
    match protocol http url "*cmd.exe*"
    match protocol http url "*_vti_bin*"
    match protocol http url "*_mem_bin*"
    match protocol http mime "*readme.exe*"
    match protocol http mime "*readme.eml*"
    match protocol http url "*popup*"
    match protocol http url "*popunder*"
    !
    !
    policy-map drop-inbound-http-hacks
    class http-hacks
    set ip dscp 1
    !
    async-bootp gateway XXX.XXX.XXX.XXX
    !
    isdn switch-type primary-dms100
    isdn voice-call-failure 0
    modemcap entry gary:MSC=&F&D2S34=18000S40=10S54=172S53=1
    call rsvp-sync
    !
    !
    !
    !
    !
    !
    !
    controller T1 0/0
    framing esf
    linecode b8zs
    pri-group timeslots 1-24
    !
    controller T1 0/1
    framing esf
    linecode b8zs
    pri-group timeslots 1-24
    !
    !
    !
    interface Tunnel1
    no ip address
    !
    interface Serial0/0:23
    ip unnumbered FastEthernet3/0.100
    encapsulation ppp
    dialer pool-member 1
    isdn switch-type primary-dms100
    isdn incoming-voice modem
    no peer default ip address
    fair-queue 64 256 0
    no cdp enable
    ppp authentication chap
    ppp multilink
    !
    interface Serial0/1:23
    ip unnumbered FastEthernet3/0.100
    encapsulation ppp
    dialer pool-member 1
    isdn switch-type primary-dms100
    isdn incoming-voice modem
    no peer default ip address
    fair-queue 64 256 0
    no cdp enable
    ppp authentication chap
    ppp multilink
    !
    interface FastEthernet3/0
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet3/0.1
    encapsulation dot1Q 10
    ip address XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
    !
    interface FastEthernet3/0.100
    encapsulation dot1Q 100
    ip address XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
    !
    interface Serial3/0
    no ip address
    encapsulation frame-relay
    ip route-cache flow
    no ip mroute-cache
    no fair-queue
    service-module t1 timeslots 1-24
    frame-relay lmi-type ansi
    !
    interface Serial3/0.16 point-to-point
    ip address XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
    no ip mroute-cache
    ip policy route-map null_policy_route
    service-policy input drop-inbound-http-hacks
    frame-relay interface-dlci 16
    !
    interface Serial3/0.100 point-to-point
    ip address XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
    no ip mroute-cache
    frame-relay interface-dlci 100 IETF
    !
    interface Serial3/0.101 point-to-point
    ip address XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
    no ip mroute-cache
    frame-relay interface-dlci 101
    !
    interface Virtual-Template1
    ip unnumbered FastEthernet3/0.100
    peer default ip address pool GROUP1
    ppp authentication chap
    ppp multilink
    !
    interface Group-Async1
    no ip address
    ip access-group 150 out
    encapsulation ppp
    no ip mroute-cache
    async mode interactive
    no peer default ip address
    ppp authentication chap
    group-range 33 56
    !
    interface Group-Async2
    no ip address
    ip access-group 150 out
    encapsulation ppp
    no ip mroute-cache
    async mode interactive
    no peer default ip address
    ppp authentication chap
    group-range 65 88
    !
    interface Dialer1
    ip unnumbered FastEthernet3/0.1
    encapsulation ppp
    peer default ip address pool GROUP2
    no cdp enable
    ppp authentication chap
    ppp multilink
    !
    ip local pool GROUP1 XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
    ip local pool GROUP2 XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
    ip classless
    ip route XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
    ip route XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
    ip route XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
    ip route XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
    !
    route-map null_policy_route permit 10
    match ip address 106
    set interface Null0
    !
    dial-peer cor custom
    !
    line 33 56
    modem Dialin
    modem autoconfigure type gary
    autoselect during-login
    autoselect ppp
    line 65 88
    modem Dialin
    modem autoconfigure type gary
    autoselect during-login
    autoselect ppp
    !
    ntp clock-period 17179705
    ntp server XXX.XXX.XXX.XXX
    !
    end


    Michael Burkey, Oct 20, 2003
    #3
  4. You need "dialer pool <n>" under your dialer profiles.

    By the way, I should note an oddity here. If a physical
    interface is a pool-member of a pool which is used by
    exactly one dialer profile, then ALL calls will bind to
    that dialer profile (and not to a virtual profile.) So
    if you want to have multiple concurrent calls from different
    clients use a given dialer pool, then you should have at least
    two dialer profiles using that pool.

    Aaron

    Aaron Leonard, Oct 27, 2003
    #4
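
The two points from #4 (a dialer profile needs "dialer pool <n>", and a pool used by exactly one dialer profile captures every call) can be checked mechanically before a change goes live. The following is an added example, not code from either poster: the function names are hypothetical, the sample is constructed by reducing the running-config in #3, and the "dialer remote-name" check follows the example config in #2.

```python
import re
from collections import defaultdict

# Constructed sample: reduced from the running-config posted in #3
# (addresses and unrelated interfaces left out).
SAMPLE_CONFIG = """\
interface Serial0/0:23
 encapsulation ppp
 dialer pool-member 1
 ppp authentication chap
!
interface Virtual-Template1
 peer default ip address pool GROUP1
 ppp authentication chap
!
interface Dialer1
 encapsulation ppp
 peer default ip address pool GROUP2
 ppp authentication chap
!
"""

def parse_interfaces(config):
    """Map each interface name to the list of its sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"(?i)int(?:erface)?\s+(.+)", line)
        if m:  # "interface Dialer1" or the short form "int dialer 1"
            current = interfaces.setdefault(m.group(1).replace(" ", ""), [])
        elif not line or line.startswith("!"):
            current = None  # "!" closes the interface section
        elif current is not None:
            current.append(line)
    return interfaces

def audit_dialer_profiles(config):
    """Return findings about dialer-profile binding as a list of strings."""
    findings, pool_users, members = [], defaultdict(list), set()
    for name, cmds in parse_interfaces(config).items():
        body = "\n".join(cmds)
        members.update(re.findall(r"^dialer pool-member (\d+)", body, re.M))
        if not name.lower().startswith("dialer"):
            continue
        pools = re.findall(r"^dialer pool (\d+)", body, re.M)
        if not pools:
            findings.append(f"{name}: no 'dialer pool <n>', calls cannot bind to it")
        for p in pools:
            pool_users[p].append(name)
        if not re.search(r"^dialer remote-name \S+", body, re.M):
            findings.append(f"{name}: no 'dialer remote-name', not tied to a username")
    for p in sorted(members):  # pools that physical interfaces feed
        if len(pool_users[p]) == 1:
            findings.append(f"pool {p}: only {pool_users[p][0]} uses it, so ALL calls bind there")
    return findings

if __name__ == "__main__":
    for finding in audit_dialer_profiles(SAMPLE_CONFIG):
        print(finding)
```

Because the address pool decides which subnet and filters a caller ends up behind, a profile that silently captures every call is worth catching in review rather than from user reports.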