ACS / C1220 APs / VPN 3000 Conc: IP addr allocation for VPN but not for 802.1X possible?

Discussion in 'Cisco' started by Walter Steiner, Jul 19, 2005.

    The following sketch shows the configuration used in one of our
    departments. Except for a "problem" with IP address assignment
    everything seems okay.

    +--------------------------------------------+
    |WLAN: several SSID/VLANs: 802.1X, open, ... |
    +--------------------------------------------+
    |
    C1200-APs
    |
    (dot1x ports -)/ Catalysts - freeradius-daemons -
    Internet | |
    VPN Conc. - ACS-3.3

    WLAN users might use the 802.1X WLAN SSID or the open SSID with VLAN
    to authenticate and connect to the Internet. VPN users might also
    connect to the local network from the Internet.

    The ACS authenticates 802.1X users and VPN users as well.
    (freeradius solves problems with VLAN assignments of external/proxied
    users in 802.1X but I do need the ACS for Active Directory passwords)

    * 802.1X users get IP information by DHCP (including IP addr)

    * VPN users can't use DHCP (at least I was not satisfied / did not
    work as needed even with Network Scope). Anyhow,
    - users are assigned to concentrator groups
    - group specific ACL need to be applied
    I have not yet decided to go for the concentrator or for ACS in
    order to apply the ACLs
    - some groups have to share the same IP address pool

    I would like to use ACS IP pools. The VPN 3000 Concentrator does not
    allow overlapping IP address pools but we do not have so many free
    address pools.

    So far so good. Unfortunately, ACS now allocates IP addresses not only
    for VPN users but also for the 802.1X users (or ACS denies authen., if
    there are no free addresses left).

    Is it possible not to let ACS assign IP addresses to the 802.1X users?
    ... or the other way around: only use IP pools for the VPN NAS?

    I did not find a way to keep the Cisco 1220 APs from "asking for"
    IP addresses in the first place either (if RADIUS is able to support this).

    If it is possible, maybe somebody knows some fancy settings for
    freeradius to solve the problem? ;-)

    I'm wondering if I have to implement the following:

    - do not let ACS use IP pools at all
    - send VPN 3000 specific RADIUS attributes to let the Concentrator
    allocate an IP address out of pools defined locally on the Conc.
    (Maybe I use several very small pools)

    I would be happy to get hints or comments (pro or con)

    Thanks in advance, ws
     
    Walter Steiner, Jul 19, 2005
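The policy the post is asking for, modelled as an added example (this is not Cisco ACS or FreeRADIUS code and not the poster's configuration): a RADIUS server that hands out pool addresses only to requests arriving from the VPN concentrator and accepts 802.1X requests from the access points without a Framed-IP-Address, so those clients keep using DHCP. The NAS addresses, user names, groups and pool ranges are all constructed; the flag pools_only_for_vpn=False reproduces the symptom described in the post, where wireless users consume the pool and a later VPN login is rejected.

```python
"""Added example (not Cisco ACS or FreeRADIUS code): a model of the RADIUS
authorization policy the post asks for. IP pools are handed out only when the
Access-Request comes from the VPN concentrator; 802.1X requests from the access
points are accepted without a Framed-IP-Address so the client uses DHCP.
All NAS addresses, groups, users and pool ranges are constructed."""

from ipaddress import IPv4Network

# Constructed NAS inventory. A real policy would key on whatever the RADIUS
# server can see in the request (NAS-IP-Address, NAS-Port-Type, ...).
VPN_NAS = {"192.0.2.10"}                 # constructed VPN 3000 address
AP_NAS = {"192.0.2.21", "192.0.2.22"}    # constructed C1220 AP addresses

# Several groups sharing one pool, as in the post; ranges are constructed
# and deliberately tiny so exhaustion is easy to show.
POOL_OF_GROUP = {"sales": "poolA", "hr": "poolA", "admins": "poolB"}
POOL_RANGES = {"poolA": "10.10.1.0/30", "poolB": "10.10.2.0/30"}


class IpPool:
    """Minimal lease table: one address per user, reused on re-authentication."""

    def __init__(self, cidr):
        self.free = list(IPv4Network(cidr).hosts())
        self.leases = {}

    def allocate(self, user):
        if user in self.leases:
            return self.leases[user]
        if not self.free:
            return None
        self.leases[user] = self.free.pop(0)
        return self.leases[user]

    def release(self, user):
        addr = self.leases.pop(user, None)
        if addr is not None:
            self.free.append(addr)


def fresh_pools():
    return {name: IpPool(cidr) for name, cidr in POOL_RANGES.items()}


def authorize(request, pools, pools_only_for_vpn=True):
    """Return (code, reply_attributes) for one Access-Request.

    request: dict with User-Name, Group (assumed already resolved by the
    server) and NAS-IP-Address. With pools_only_for_vpn=False the server
    behaves the way the post describes ACS: every accepted user gets a pool
    address, and authentication fails once the pool is empty."""
    user, group, nas = request["User-Name"], request["Group"], request["NAS-IP-Address"]
    if nas not in VPN_NAS | AP_NAS:
        return "Access-Reject", {"Reply-Message": "unknown NAS"}
    if pools_only_for_vpn and nas not in VPN_NAS:
        # 802.1X client on an AP: accept and let DHCP hand out the address.
        return "Access-Accept", {}
    addr = pools[POOL_OF_GROUP[group]].allocate(user)
    if addr is None:
        return "Access-Reject", {"Reply-Message": "no free address in pool"}
    return "Access-Accept", {"Framed-IP-Address": str(addr)}


def simulate(pools_only_for_vpn):
    """Two wireless users, then one VPN user, all in groups sharing poolA.
    Returns [(user, code, framed_ip_or_None), ...]."""
    pools = fresh_pools()
    requests = [  # constructed requests
        {"User-Name": "alice", "Group": "sales", "NAS-IP-Address": "192.0.2.21"},
        {"User-Name": "bob", "Group": "hr", "NAS-IP-Address": "192.0.2.22"},
        {"User-Name": "carol", "Group": "sales", "NAS-IP-Address": "192.0.2.10"},
    ]
    out = []
    for req in requests:
        code, reply = authorize(req, pools, pools_only_for_vpn)
        out.append((req["User-Name"], code, reply.get("Framed-IP-Address")))
    return out


if __name__ == "__main__":
    for label, flag in (("pools for every NAS", False), ("pools only for VPN", True)):
        print(label)
        for row in simulate(flag):
            print("  ", row)
```

Whichever product enforces it, the decision point is the same: the server must look at something that identifies the NAS (here NAS-IP-Address; NAS-Port-Type would serve as well) before it touches a pool, and an exhausted pool must only ever affect the VPN side.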