IP Pool for Ethernet
Groebl, Laurence (Laurence)
laurence.groebl at alcatel-lucent.com
Tue Mar 1 14:59:56 CET 2011
We indeed already tried sending only the Framed-IP-Address in the Access-Accept and it didn't work: the Gateway didn't assign this address to the IPsec client, but a default IP address.
I also didn't understand why the Framed-Pool attribute is a must in the Gateway.
Juniper supports only the following cases (extract from the ScreenOS documentation):
Case 1: Framed-Pool attribute and the Framed-IP-Address attribute are both included in the Access-Accept message.
=> The Framed-Pool attribute is always ignored by the RADIUS server unless the Framed-IP-Address value is 0xFFFFFFFE (255.255.255.254). Then, the device allocates an address from the Framed-Pool attribute sent by the RADIUS server.
Case 2: Framed-Pool attribute and the Framed-IP-Address attribute are both absent from the Access-Accept message.
=> The device does not assign an IP address to the end user.
Case 3: Framed-IP-Address attribute is included in the Access-Accept message and it has a value of 0xFFFFFFFE (255.255.255.254). BUT Framed-Pool attribute is absent.
=> The device allocates an IP address from the default IP address pool that is configured for that virtual system.
Case 4: The pool sent out in the Framed-Pool attribute is not configured, or it does not have any IP addresses.
=> Error messages are generated and the negotiation is terminated.
From: freeradius-users-bounces+laurence.groebl=alcatel-lucent.com at lists.freeradius.org [mailto:freeradius-users-bounces+laurence.groebl=alcatel-lucent.com at lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Tuesday, 1 March 2011 11:56
To: freeradius-users at lists.freeradius.org
Subject: Re: IP Pool for Ethernet
On 01/03/11 10:39, Groebl, Laurence (Laurence) wrote:
> Hello Alan,
> Yes, according to the documentation of the Juniper Gateway, the
> gateway should be able to understand the Radius attribute 8
> "Framed-IP-Address" in the Access-Accept message, but it seems that
> it also needs the attribute 88 "Framed-Pool".
That doesn't make sense. You can't send it a specific IP, and an
attribute telling it to pick an IP from a local pool, and expect any
Have you tried just sending the Framed-IP-Address?
Also, your subject line is wrong - this is nothing to do with "Ethernet"
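
The four cases quoted from the ScreenOS documentation above, written out as a check you can run against the attributes of a captured Access-Accept. This is an added example, not code from the thread, FreeRADIUS or Juniper; the function names, the `pools` mapping and the sample packets are constructed, and applying case 4 only when the pool is actually consulted is an assumption. A reply carrying only a specific Framed-IP-Address, which is what the poster tried, falls outside the four cases.

```python
import struct

FRAMED_IP_ADDRESS, FRAMED_POOL = 8, 88   # attribute numbers named in the thread
USE_POOL = bytes.fromhex("fffffffe")     # 255.255.255.254 from the quoted cases

def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes of a RADIUS Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs, pos = {}, 20                  # 4-byte header + 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute length")
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return attrs

def classify(packet: bytes, pools: dict) -> str:
    """Map an Access-Accept to the quoted cases; pools = {name: free addresses}."""
    attrs = parse_attributes(packet)
    ip, pool = attrs.get(FRAMED_IP_ADDRESS), attrs.get(FRAMED_POOL)
    if ip is not None and len(ip) != 4:
        raise ValueError("Framed-IP-Address must be 4 octets")
    if ip is None and pool is None:
        return "case 2: no address assigned"
    if ip == USE_POOL and pool is None:
        return "case 3: address from the default pool"
    if ip == USE_POOL:
        # Assumption: case 4 is checked when the pool is actually consulted.
        if pools.get(pool.decode("utf-8", "replace"), 0) == 0:
            return "case 4: error, negotiation terminated"
        return "case 1: address from Framed-Pool"
    if ip is not None and pool is not None:
        return "case 1: Framed-Pool ignored"
    return "not covered by the quoted cases"

def build_accept(attrs: list) -> bytes:
    """Constructed sample packet: zeroed authenticator, identifier 1."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body
```
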