IP Pool for Ethernet

Groebl, Laurence (Laurence) laurence.groebl at alcatel-lucent.com
Tue Mar 1 14:59:56 CET 2011


Hi

we indeed already tried sending only the Framed-IP-Address in the Access-Accept and it didn't work, the Gateway didn't assign this address to the IPsec client, but a default IP address.

I also didn't understand why the Framed-Pool attribute is a must in the Gateway,
Juniper supports only the following cases (extract from the Screen OS documentation):

Case 1:  Framed-Pool attribute and the Framed-IP-Address attribute are both included in the Access-Accept message.
=> The Framed-Pool attribute is always ignored by the RADIUS server unless the  framed-IP-Address value is 0xFFFFFFFE (255.255.255.254). Then, the device allocates an address from the Framed-Pool attribute sent by the RADIUS server

Case 2: Framed-Pool attribute and the Framed-IP-Address attribute are both absent from the Access-Accept message.
=> The device does not assign an IP address to the end user.

Case 3: Framed-IP-Address attribute is included in the Access-Accept message and it has a value of 0xFFFFFFFE (255.255.255.254). BUT Framed-Pool attribute is absent.
=> The device allocates an IP address from the default IP address pool that is configured for that virtual system.

Case 4 : The pool sent out in the Framed-Pool attribute is not configured, or it does not have any IP addresses.
An error messages are generated and the negotiation is terminated.


Best regards,
Laurence

-----Original Message-----
From: freeradius-users-bounces+laurence.groebl=alcatel-lucent.com at lists.freeradius.org [mailto:freeradius-users-bounces+laurence.groebl=alcatel-lucent.com at lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Dienstag, 1. März 2011 11:56
To: freeradius-users at lists.freeradius.org
Subject: Re: IP Pool for Ethernet

On 01/03/11 10:39, Groebl, Laurence (Laurence) wrote:
> Hello Alan,
>
> Yes, according to the documentation of the Juniper Gateway, the
> gateway should be able to understand the Radius attribute 8
> "Framed-IP-Address" in the Access-Accept message, but it seems that
> it also need the attribute 88 " Framed-Pool".

That doesn't make sense. You can't send it a specific IP, and an 
attribute telling it to pick an IP from a local pool, and expect any 
sensible behaviour.

Have you tried just sending the Framed-IP-Address?

Also, your subject line is wrong - this is nothing to do with "Ethernet"
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




More information about the Freeradius-Users mailing list