IP address allocation based on NAS port

Hi,
using ACS 4.2 and I can't find a way to bind an incoming NAS port to a specific IP Pool:
When a user connects the request to auth comes from 2 possible NAS ports randomly (this cannot change).
Depending on which NAS makes the requests determines the IP range required, so I need 2 IP Pools.
There is no way to say 'if request comes from NAS1 give IP from Pool1 and if request comes from NAS2 give IP from Pool2'
I have gone around and around with NAFs and NARs, but cannot do this.
I can create 2 ACS groups with the specific NAS and specific IP pool within, but then I cannot have a single username bound to both groups.
I moved the auth to an AD group in the hope that I could bind that single AD group to the 2 ACS groups; and so have a single username, but no joy.
Has anybody come across the problem before? Is there simply no way to do it (surely not)?
To illustrate the problem better:
NAS_port1 - 10.1.1.1 uses only IP_pool1 - 10.10.10.0
NAS_port2 - 10.2.2.2 uses only IP_pool2 - 10.20.20.0
Single User1
Single Group1 (User1 cannot be in more than one group)
User 1 turns on device and connects to either NAS_port1 or NAS_port2 randomly
NAS_port1 makes the call to the ACS (on this occasion, it could have been #2)
User 1 is seen within Group1 and permitted.
Group1 has both IP_pools available.
Which IP address does User1 get? Always the first pool until it is exhausted, regardless of NAS port making the request.
If NAS_port2 makes request but gets IP from IP_pool1 then the User1 will have the wrong IP address and so connectivity will not work.

The way around the dual NAS port issue is to create one group to point to AD and one to use LDAP. In this way you can have the single username in both groups and avoid the top down authentication problem of having 2 AD groups:
User 1 logs on. Auth request from NAS_port1. Uses Network Access Profile (NAP) 1. References AD for group Radius_group_1. Gets put into Group 1. Receives IP address 1.
User 1 logs on. Auth request from NAS_port2. Uses Network Access Profile (NAP) 2. References LDAP for group Radius_group_2. Gets put into Group 2. Receives IP address 2.
And it works well.
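
The behaviour discussed in this thread, modelled in Python as an added example (not ACS code or configuration, and not part of the original posts): one group holding both pools serves them top to bottom regardless of the NAS, while selecting a profile by NAS address and mapping it to a one-pool group returns an address from the matching range. The class and function names are hypothetical, and the /24 masks are an assumption, since the post gives only the network addresses.

```python
import ipaddress

# NAS and pool addresses from the post; the /24 masks are an assumption.
NAS_TO_NETWORK = {
    "10.1.1.1": ipaddress.ip_network("10.10.10.0/24"),  # NAS_port1 -> IP_pool1
    "10.2.2.2": ipaddress.ip_network("10.20.20.0/24"),  # NAS_port2 -> IP_pool2
}


class Pool:
    """A named address pool that hands out host addresses in order."""

    def __init__(self, name, network):
        self.name = name
        self._free = list(network.hosts())

    def lease(self):
        return self._free.pop(0) if self._free else None


class Group:
    """A group with an ordered pool list: pools are tried top to bottom."""

    def __init__(self, name, pools):
        self.name = name
        self.pools = pools

    def lease(self):
        for pool in self.pools:
            addr = pool.lease()
            if addr is not None:
                return addr
        raise RuntimeError(f"{self.name}: all pools exhausted")


def make_pools():
    net1, net2 = NAS_TO_NETWORK.values()
    return Pool("IP_pool1", net1), Pool("IP_pool2", net2)


def single_group_server():
    """The failing design: User1 sits in one group that holds both pools."""
    pool1, pool2 = make_pools()
    group1 = Group("Group1", [pool1, pool2])

    def authorize(user, nas_ip):
        return group1.lease()  # nas_ip never influences the pool choice

    return authorize


def nap_server():
    """The workaround: NAS address -> profile -> directory -> one-pool group."""
    pool1, pool2 = make_pools()
    profiles = {
        "10.1.1.1": ("NAP 1", "AD", Group("Group 1", [pool1])),
        "10.2.2.2": ("NAP 2", "LDAP", Group("Group 2", [pool2])),
    }

    def authorize(user, nas_ip):
        if nas_ip not in profiles:  # unknown NAS: refuse rather than guess a pool
            raise PermissionError(f"no profile for NAS {nas_ip}")
        _nap, _directory, group = profiles[nas_ip]
        return group.lease()

    return authorize


def run(authorize, nas_requests):
    """Return (nas, leased address, address is in the range that NAS needs)."""
    results = []
    for nas_ip in nas_requests:
        addr = authorize("User1", nas_ip)
        results.append((nas_ip, str(addr), addr in NAS_TO_NETWORK[nas_ip]))
    return results


if __name__ == "__main__":
    requests = ["10.1.1.1", "10.2.2.2"]
    print("single group:", run(single_group_server(), requests))
    print("NAP per NAS :", run(nap_server(), requests))
```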

Similar Messages

  • IP pool allocation based on NASport IP address

    Hi,
    using ACS 4.2 and I can't find a way to bind an incoming NAS port to a specific IP Pool:
    When a user connects the request to auth comes from 2 possible NAS ports randomly (this cannot change).
    Depending on which NAS makes the requests determines the IP range required, so I need 2 IP Pools.
    There is no way to say 'if request comes from NAS1 give IP from Pool1 and if request comes from NAS2 give IP from Pool2'
    I have gone around and around with NAFs and NARs, but cannot do this.
    I can create 2 ACS groups with the specific NAS and specific IP pool within, but then I cannot have a single username bound to both groups.
    I moved the auth to an AD group in the hope that I could bind that single AD group to the 2 ACS groups; and so have a single username, but no joy.
    Has anybody come across the problem before? Is there simply no way to do it (surely not)?

    **EDIT - sorry I hit the wrong button - the above does not fix the problem. thanks though.**
    Hi,
    that is fine for a single IP pool, but if I have 2 available pools depending on which NAS makes the request I cannot bind the pool to the NAS to the group.
    I'll try to illustrate the problem better:
    NAS_port1 - 10.1.1.1 uses only IP_pool1 - 10.10.10.0
    NAS_port2 - 10.2.2.2 uses only IP_pool2 - 10.20.20.0
    Single User1
    Single Group1 (User1 cannot be in more than one group)
    User 1 turns on device and connects to either NAS_port1 or NAS_port2 randomly
    NAS_port1 makes the call to the ACS (on this occasion, it could have been #2)
    User 1 is seen within Group1 and permitted.
    Group1 has both IP_pools available.
    Which IP address does User1 get? Always the first pool until it is exhausted, regardless of NAS port making the request.
    If NAS_port2 makes request but gets IP from IP_pool1 then the User1 will have the wrong IP address and so connectivity will not work.
    Hi Rob,
    In multiple pool cases the pool at the top of the list would be the first pool of addresses served to users. You cannot change the order that the pools are used in; it is always top to bottom. However, you can change the order of the pools in the list with the up and down buttons.
    Hope to Help !!
    Ganesh.H

  • NAS-PORT

    Hi,
    We have a problem with the format of the Nas-Port generation on an Async Interface.
    The format is different if the call arrive on the async interface or isdn interface.
    the Nas-port is different :
    1. for isdn:
    NAS-Port [5] 6 20128
    Cisco AVpair [1] 30 "interface=Async128*Serial1:0"
    NAS-Port-Type [61] 6 ISDN-Async-V110 [4]
    2. for Analogic:
    NAS-Port [5] 6 130
    Cisco AVpair [1] 30 "interface=Async130*Serial1:0"
    NAS-Port-Type [61] 6 Async [0]
    The problem is that the range of IP addresses that our radius server allocates for the client depends on the Nas-Port value, and if this is not calculated in the same way we have duplicate IP addresses.
    We need an attribute defined uniquely to base our IP on and to avoid their duplication. Is Cisco-Nas-port unique?
    In the attachment you will find more explanation.
    Thanks
    Ira

    Every subscriber in a mobile network is uniquely identified by a mobile station ISDN or public switched telephone network (PSTN) number. The ISDN Type of Number to RADIUS Server feature provides information about the calling party for billing purposes. (Before the ISDN Type of Number to RADIUS Server feature was introduced, there was no way to derive the TON information from either the caller identification [CLID] or other attributes.)
    http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801a7a79.html#35710

  • Setting Forward Lookup Zones in DNS based on the port queried

    I have the following problem.
    We are using Dynamic DNS to access our site and the modem/router differentiates via port forwarding what server the query goes to based on the port number ie all request go to abc.dyndns.org:port number.
    Based on the port eg. port 3389 goes to server1 (192.168.0.1), port 8080 goes to server 2(192.168.0.2), port 80 goes to server 3 (192.168.0.3). This all works well if you are entering from OUTSIDE the local network.
    INSIDE the local network, I have setup a Forward Lookup Zone on a Domain server using DNS where the Host A resolves abc.dyndns.org to the local IP address of server 1 (192.168.0.1). This works fine.
    How do I get the abc.dyndns.org:other ports to go to the other servers IP addresses as you can only setup one Host A record of abc.dyndns.org to one address 192.168.0.1, if someone queries from INSIDE the local network as the modem/router does not come into play?

    As I said before, DNS doesn't do this. DNS has nothing to do with ports resolution. It's purely a name to IP or IP to name resolution. THAT'S IT!
    But you can port translate each individual port from the WAN IP to different IPs  internally. I thought I said that earlier? Maybe I wasn't clear. I apologize for not fully explaining it, for I thought you understood that part.
    Revisiting the bottom of your original post:
    INSIDE the local network, I have setup a Forward Lookup Zone on a Domain server using DNS where the Host A resolves abc.dyndns.org to the local IP address of server 1 (192.168.0.1). This works fine.
    How do I get the abc.dyndns.org:other ports to go to the other servers IP addresses as you can only setup one Host A record of abc.dyndns.org to one address 192.168.0.1, if someone queries from INSIDE the local network as the modem/router does not come into play?
    You still have to specify the port internally. Assuming mail.domain.com is server4 (since you didn't specify that port in your original post), you simply create a mail.domain.com zone and give it a blank IP for (making this up) 192.168.0.3, then type in the same exact thing you would do from the outside:
    http://mail.domain.com:8083/folder
    Like I said, it's in the application. DNS just resolves to an IP. There are 65,536 port numbers, and DNS does not deal with resolving any of them. That's the responsibility of the application or service and the client (such as a browser) connecting to it.
    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
    This post is provided AS-IS with no warranties or guarantees and confers no rights.

  • RV220W - Wrong NAS Port-Type using RADIUS for 802.11

    Hi everyone
    I am attempting to configure the RV220W (Firmware 1.0.6.6) for dot1x authentication over a Windows 2008 based RADIUS Server (using Remote Access Services).
    The RADIUS settings on the RV220W are pointing towards that W2008 Server. The SSID has been set up for "WPA2 Enterprise" Security.
    All the authentication attempts arrive at the server, but they fail to get authenticated because the Cisco RV220W is not transmitting a "NAS Port-Type" and therefore, the RADIUS Server will reject the requests.
    This is what the request from the RV220W looks like on the server:
    And this is a request from a similar Zyxel Router:
    How can I enable the Cisco RV220W to send a NAS Port-Type (19, Wireless 802.11)?
    Thank you for your support!

    The RADIUS server in OS X Server is a standard FreeRADIUS implementation with Apple's own custom GUI frontend for configuring it and which only allows adding AirPort base-stations. In Mountain Lion Server it is even limited to a specific configuration for the AirPort base-station.
    However if you follow the normal command-line instructions and steps for configuring FreeRADIUS then it will be possible to add any type of RADIUS client.
    While as far as I can see by manually configuring the FreeRADIUS server in OS X Server should enable you to do what you want, most people chose to configure Squid to use either a PAM or the LDAP modules for Squid to in this case authenticate directly to Open Directory (which is of course based on LDAP).
    I myself have used a PAM in the past with Squid to successfully configure Squid to authenticate users via Open Directory. I was even able to specify an Open Directory group and only allow members of that group access via the Squid Proxy Server. I then went a bit OTT and set up another open-source tool (which was discontinued and I had to fix to get working) to process the Squid logs and store them in MySQL, and then set up FileMaker Pro to connect to the MySQL database via ODBC to allow producing reports.
    Unfortunately the AFP548 website had a major redesign a while ago and many previous technical articles on it are now hard to find. I had used two articles on that site to guide me through setting up Squid and the PAM on a Mac server. I believe the two articles I used are the ones listed below.
    http://afp548.com/2004/09/08/using-os-x-open-directory-to-authenticate-squid-proxy-server/
    http://afp548.com/2004/12/13/squid-server-using-ldap-authentication/

  • PPPoE circuit-id tag processing with NAS-port-ID feature in 7200VXR problem

    We faced the following problem when we configured both vendor-tag circuit-id service and radius-server attribute nas-port format d command in our 7200VXR.
    When finishing configuration we did a debug radius and received the "AAA Unsupported Attr: circuit-id-tag". Circuit-id-tag as you can see in the sniffer traces has a format of access-node-identifier atm slot/module/port/vpi/vci.
    However we never got this value as a NAS-Port-Id in our debug radius command. Instead we received in specific NAS-Port-Id the format Access-Node-Identifier eth slot/subslot/port:vlan tag (? I guess so).
    The above described situation occurs when we run 12.2(31)SB2 IOS version. However we received different (probably better) results when we run on the router 12.3(7)XI7a IOS version. In this latter case as you can see in the debug radius output log the NAS-Port-Id field is filled with the correct circuit-id-tag : 10.112.0.227 atm 1/6:8.35.
    Shall we try another configuration than the nas-port format d command for radius?
    Thanks in advance for any answer provided.
    Kind Regards
    Dimitris Elefsiniotis

    Hello,
    thank you for your prompt response.
    You can find additional information in the attached files (BRAS show tech/run, sniffer traces, debug radius commands in BRAS).
    We are talking about normal sessions and, as you can easily track yourself, the NAS-Port-Id is different than the circuit-id-tag inserted by the access device (DSLAM) (IOS 12.2(31)SB2). However, DHCP snooping is used in the aggregation 7600 router and option 82 is set by the DSLAM as well.

  • Port_based address Allocation

    hi,
    Is port-based address allocation possible on a Cisco switch? If possible, kindly tell me the switch model or any Cisco / third-party software required.
    Please help...

    Hi All,
    We have a Cisco 897VAG-LTE and a 867VAE-K9. We need to enable DHCP on the router and assign an IP address to fa0/1 using the configuration below. A mac address reservation will not work as we will be swapping out the embedded device when repairs are required.
    Our supplier is using a C897VAMG-LTE-GA-K9 with c800-universalk9-mz.SPA.154-3.M1 software. They say the configuration is not working on their test router.
    At what level of IOS is this command supported; IPBase, Universal, Adv Ip Services? Cisco white papers do not specify this.
    How best do I approach this situation?
    ip dhcp use subscriber-id client-id
    ip dhcp subscriber-id interface-name
    ip dhcp excluded-address 10.36.1.1 10.36.1.20
    !
    ip dhcp pool DHCP-POOL
     network 10.36.1.0 255.255.255.0
     default-router 10.36.1.254
     reserved-only
     address 10.36.1.253 client-id "Fa0/1" ascii
    This topic first appeared in the Spiceworks Community

  • Run allocation based on condition matched

    Hi SAP friends,
    I need to run allocation based on condition matched, is it possible with IIF or another statement?
    the logical view is below (syntax is wrong):
    *RUNALLOCATION
    IIF(BAS(ACCOUNT_01)<>0,
    *FACTOR = USING/TOTAL
    *DIM ACCOUNT WHAT = ACCOUNT_52; WHERE=BAS(ACCOUNT_01); Using=BAS(ACCOUNT_01); TOTAL=BAS(ACCOUNT_01)
    *FACTOR = 1
    *DIM ACCOUNT WHAT = ACCOUNT_52; WHERE=ACCOUNT_10)
    *ENDALLOCATION
    thanks a lot.

    Hi Vadim,
    I am somehow getting doubled values, I have read some articles where when and REC can double values, but my case seems to be something different, do you have an idea?
    the code is below:
    *FOR %MONTH_PLUS% = 0,1,2,3,4,5,6,7,8,9,10,11,12
    *XDIM_MEMBERSET RPTCURRENCY     = LC
    *XDIM_MEMBERSET ENTRYTYPE          = INPUT
    *XDIM_MEMBERSET CLIENTSEG           = NA_CLS, GCIPZ
    *XDIM_MEMBERSET CUSTSEG              = C_INP, P_INP
    *XDIM_MEMBERSET ACCIDENTYEAR    = CAY
    *XDIM_MEMBERSET DISTCH                  = BAS(GI_TOTAL),ALL_OTHER
    *XDIM_MEMBERSET LOB                       = BAS(LOB_GI)
    *XDIM_MEMBERSET PARTNER_RU        = NA_PU
    *XDIM_MEMBERSET ZVIEW                   = MV_PROD,MV_REC
    *XDIM_MEMBERSET TIME                      = TMVL(%MONTH_PLUS%,%TIME_SET%)
    *XDIM_MEMBERSET VERSION               = %VERSION_SET%
    *XDIM_MEMBERSET RU                         = %RU_SET%
    *XDIM_MEMBERSET INSTYPE                = DIR_OWN
    *WHEN INSTYPE
    *IS DIR_OWN
    *REC(EXPRESSION=(([ACCOUNT].[IFRS_69011330_01],[VERSION].[A01],[TIME].[TMVL(%MONTH_PLUS%,$LAST_YEAR$)])==0) ? [ACCOUNT].[STAT_LOSS_52]:[ACCOUNT].[IFRS_69011330_10], ACCOUNT=IFRS_69011330_10)
    *ENDWHEN
    *NEXT
    many thanks, tomas.

  • Resman error: VXI A24 address allocation error on bus 0

    When we execute resman.exe on our test system the following error occurs:
    VXI A24 address allocation error on bus 0
    We have the MXI Controller configured the same as other systems and our configuration is a pc and two VXI chassis. Anyone have any ideas on what could cause this error?

    Hi Jim,
    I do not immediately know the solution to the problem you are seeing, but have a few troubleshooting suggestions:
    1. Check the pins on all of your MXI-2 connectors. If the cable has damaged pins which cannot be bent back to place, you will want to replace the cable.
    2. Try a single VXI chassis, and then the other. If the problem occurs with each chassis individually, then it is likely an issue with the PC or cabling.
    3. If the problem only occurs with one of the chassis in step 2, remove all instruments from the chassis and try running resman again. If this solves the problem, add your instruments back one at a time to isolate which instrument could be causing problems.
    4. If the problem occurs with both chassis in step 2, do you have another PCI-MXI-2 that you could try?
    Let us know the results of your troubleshooting, and we'll be happy to help you out further.
    Jason S.
    Applications Engineer
    National Instruments

  • 802.3x Flowcontrol on NAS Port(s)/LAG

    Hi everyone,
    on my network there are 4 Cisco SG300-10 switches connected to each other via a single uplink port. On one of these switches there is a LAG 802.3ad port configured that provides network access for a QNAP NAS. So far so good.
    My problem is that I keep having connection issues with some Network Media players that don't support gigabit ethernet speed. These fast ethernet clients are connected to the mentioned switches and suffer from connection problems, "hiccups" during video stream (via NFS-UDP). Now as this seems to be a known problem with my kind of setup I got the advice to configure the NAS ports (or the LAG in my case) to support 802.3x flowcontrol. But the advisors always assumed that the problematic fast ethernet clients were connected to the same switch as the NAS, but on my network this is not the case.
    So my question is: Do I have to configure 802.3x Flowcontrol just on the NAS ports (LAG), or is it also necessary to configure it on the uplink ports between the switches and on the respective NMP ports in order to work as expected?
    Thanks and best regards

    Dear Christoph,
    Thank you for reaching the Small Business Support Community.
    It's been several days and nobody has answered/commented on your post and therefore I suggest you to inquire about these on a different support channel;
    https://supportforums.cisco.com/community/netpro/small-business/sbcountrysupport
    Thank you for your time and patience and please do not hesitate to reach me back if there is any further assistance I may help you with in the meantime.
    Kind regards,
    Jeffrey Rodriguez S. .:|:.:|:.
    Cisco Customer Support Engineer
    *Please rate the Post so others will know when an answer has been found.

  • Nas-port and nas-port-type

    I recently replaced my home 1721 running 12.4(3g) with a demo UC520 running 12.4(11r)XW from work to become more familiar with it. I had my 1721 setup for PPTP dial-in with RADIUS authentication back to an SBS 2008 and everything worked great. When I swapped out for the UC520 with the same AAA settings it would not connect. Further inspection found that the nas-port-type and nas-port aaa attributes were not being passed to the RADIUS server so the VPN Access Policy was not being used. Is this a bug or do I need to tweak a few things for this version of IOS?
    Any tips would be appreciated.
    I recently replaced my home 1721 running 12.4(3g) with a demo UC520 running 12.4(11r)XW from work to get more familiar with it. I had my 1721 setup for PPTP dial-in with RADIUS authentication back to an SBS 2008 and everything worked great. When I swapped out for the 520 with the same AAA settings it would not connect. Further inspection found that the nas-port-type and nas-port aaa attributes were not being passed to the RADIUS server so the VPN Access Policy was not being used. Is this a bug or do I need to tweak a few things for this version of IOS?
    Any tips would be appreciated.

    Make sure that you have configured the ISAKMP policy in UC520.

  • Nas port=0

    hi all
    I configured a VXR7206 to terminate PPPoE sessions using a VPDN group and everything is ok.
    But when the user gets access to the VXR7206
    I found the nas port = 0 for each online session. Is there any problem with the nas port?
    Note: all online sessions have access to the internet, I mean the authentication and accounting are working.

    Unfortunately it's not uncommon for VPN servers to either not send the nas-port or stick rubbish in it. Even though it doesn't have real physical ports for every session you would have thought a session id or other value could have been used.

  • Getting the Address Information based on the Partner Number & Partner Role

    Hello,
    I have a requirement wherein I am populating the Address into a Custom Segment Z1E1ADRM1 where I am reading the Partner Data from E1ADRM1 Segment. It has the PARTNER_Q which contains the Partner Role (WE,AG,RE,RG etc...) and PARTNER_ID which contains the Partner Number. Now, using VBPA Table, I am populating the STREET4 and STREET5 manually by passing the Address Number got from VBPA Read.
    Instead, is there any Function Module / BAPI which can be used to get the Address Number / Address Information based on the Partner Role and Partner Number as Input Parameters? Please let me know.
    Thanks and Regards,
    Venkat Phani Prasad Konduri

    Try
    /SPE/BUPA                      SPE Business Partners             
    /SPE/BP_STORE_ADDRESSES        Business partners store addresses 
    BPAR_P_PARTNERS_WITH_ADDRESS                                     
    SD_ADDRESS_KEY_GET_FROM_VBPA                                               
    SD_ADDRESS_TYPE_GET                                                        
    SD_PARTNER_ADDR_DIALOG_INTERN                                              
    VELO01_GET_PART_ADDR_FOR_VBELN   get the partners and their address details
    WS_LM_ADDRESS_READ                                                         
    WS_LM_CONTACT_ADDRESS_DISPLAY                                                                               
    ^Saquib

  • Multipe mac addresses entries for the same port (FE)-Switch 3560

    Dear All,
    I have a problem with a host which is connected to port 11 of my Cisco 3560. From time to time the connection is lost with the host and after some troubleshooting I see two entries in the mac-address table for port 11.
    I'm asking if someone has an idea how to explain this issue and how to see if this port is participating in SPT or...
    I also see some collision errors:
    ===================================
    5 minute input rate 1000 bits/sec, 2 packets/sec
      5 minute output rate 7000 bits/sec, 1 packets/sec
         64677029 packets input, 17167881111 bytes, 0 no buffer
         Received 39036768 broadcasts (0 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 39036088 multicast, 0 pause input
         0 input packets with dribble condition detected
         54722071 packets output, 8588329003 bytes, 0 underruns
         0 output errors, 992 collisions, 1 interface resets
         0 babbles, 2316 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 PAUSE output
         0 output buffer failures, 0 output buffers swapped out
    ======================================
    I have two routers on the same switch: my WAN router + another router used to connect some separated hosts to the internet.
    If I use static addressing for the second subnet (2 hosts + internet router), is there any risk for collision or broadcast domains or errors?
    Does the second router disturb my LAN or WAN?
    Many thanks for your help and support.
    Best regards,

    Hello,
    For the first part of the question, I guess somebody might be connecting a hub to that port. If the hub is not negotiating the speed/duplex with the 3560 switch, then that port will go to half-duplex mode and you will see collisions on the port. That might also explain why you are seeing multiple MAC addresses on that port. Please check the port to see if the hub is connected and remove it. You can use features like port-security to ensure only one MAC address is registered on that port and people are not connecting hubs/dumb switches on that port.
    For the second issue, you can certainly use static IP addresses as long as they are not overlapping with other subnets in your network. If they are overlapping, you do need to configure NAT on the router so that they are not affecting rest of the network.
    Hope this helps.
    Regards,
    NT

  • How do I NAT based on destination port while source port can be ANY

    Goal - I want to forward Internet bound HTTP and HTTPS traffic  to a Proxy via an IPSEC Tunnel - I want to maintain my private IP as it goes accross the IPSEC Tunnel - I also want remaining Internet Traffic to route Normally by NATing to my outside address.
    In 8.4 this is quite easy as I can specify a destination port and have "any" source port for the NAT
    Here is a snap shot of the config:
    object service Proxy_HTTP
    service tcp destination eq www
    object service Proxy_HTTPS
    service tcp destination eq https
    nat (inside,outside) source static any any service Proxy_HTTP Proxy_HTTP
    nat (inside,outside) source static any any service Proxy_HTTPS Proxy_HTTPS
    object network Non_Proxy
    nat (any,outside) dynamic interface
    PROBLEM: I need this behavior in 8.2.x  - I have found no way to mimic this.
    You cannot use NAT Exemption as it cannot be port based
    A static policy NAT with Access list will not work as you must specify a single source port - Since there is no way to predict the source port this wont work.
    I don't see any of the other NAT Types working this way.
    If there is a way to make this work in 8.2 please let me know - We have many ASAs and we are not ready to make the leap to 8.4 but we need to use the proxy.

    Karen-
    Results: Did not work. The web based shortcuts did not appear.
    Below are the steps taken with your tips incorporated. (Again it's lengthy, sorry about that, but anyone can recreate what was done here. Maybe someone can see something left out by doing/reviewing it).
    Here is what was done:
    1. Installed a fresh install of Windows 8.1 enterprise on a pc. No updates were ran.
    2. During setup created the admin account.
    3. Logged into the account a simple start screen was arranged and setup by:
    Starting desktop Internet Explorer. Going to Technet's website. Clicked tools and then selecting "Add site to Apps" from the drop down menu. Went to Apps screen, right clicked and pinned it to start screen. Repeated this procedure with an educational web based site.
    Right clicked a few provisioned apps and unpinned them from the start screen.
    Made a few groups and labeled them. Web based shortcuts were arranged with one provisioned app in that particular group.
    4. Opened a Powershell, right clicked it and ran as administrator. Typed the following:
    export-startlayout -path C:\Users\Public\Master.xml -as xml
    (Master is the name chosen for this test .xml file and was put in a location all users would have privileges to access it).
    5. Opened the command prompt and right clicked and "ran as administrator", typed in gpedit.
    6. In the Local Group Policy under User Configuration, under Start Menu and Taskbar I choose the Start Screen Layout.
    7. Enabled the policy and typed in: C:\Users\Public\Master.xml for the Start Layout File.
    8. Opened computer management, under Local Users and Groups I chose Users, right clicked in the middle screen and created a new user called Alpha.
    9. Logged out of the initial account and logged into newly created Alpha account.
    10. When the Alpha account logged in the start screen came up with everything changed in the initial account but no web based shortcuts were found on the start screen or App view.
