Radius Server - Provide a pool ip from IAS to Radius Clients

Luyper Silveira

2004-10-15, 9:25 pm

Dear,

I have an IAS server (Windows 2003 server) installed in my
company and I have an external radius client connecting
with it. I need to provide to the radius client some
attributes and, one of them, is the ip address. My
question is, am I able to provide just one ip address? I
tried to do it to get an ip from the RRAS installed in
the same server but I receive the message Error:
691:Access was denied because the username and/or
password was invalid on the domain.

I made the following settings:

1 - I have an RRAS service with a pool address installed
and working well in the same server that is running IAS.
2 - I added the radius client.
3 - I created a Connection Request Policy and I added
the attribute Framed-IP-Address with the value
255.255.255.254 (besides the other attributes needed) to get
an ip from server.
4 - I created a Remote Access Policy and, in the Profile
properties' IP tab, when I choose the option Assign a
static IP address (and define a static IP), everything
works well and I'm able to establish the connection, but,
when I choose the option Server must supply an ip
address, I'm not able to establish the connection and the
message above is displayed.

When I look at the IAS log, everything seems OK, see
below:
LINE1:
192.168.15.1,luyper@sotreq.net,10/13/2004,11:47:16,IAS,U19DCMTZA,6,2,4,192.168.15.1,61,0,7,1,30,2121,31,2138657722,77,50666 31200 V.90,5,5,4108,192.168.15.1,4116,0,4128,Embratel Client Radius,4155,1,25,311 1 172.16.1.29 10/08/2004 15:35:15 80,4130,sotreq.net/98Matriz/Informatica/Luyper Silveira,4127,1,4129,SOTREQ\luyper,4136,1,4142,0
LINE2:
192.168.15.1,luyper@sotreq.net,10/13/2004,11:47:16,IAS,U19DCMTZA,25,311 1 172.16.1.29 10/08/2004 15:35:15 80,4130,sotreq.net/98Matriz/Informatica/Luyper Silveira,27,36000,6,2,28,18000,7,1,8,255.255.255.254,4108,192.168.15.1,4116,0,4128,Embratel Client Radius,4155,1,4154,Embratel Connection Request,8,255.255.255.254,7,1,28,300,6,2,27,600,4129,SOTREQ\luyper,4127,1,4149,Embratel Remote Access,4136,2,4142,0

My question is: Can I provide an IP to a Radius Client
from IAS using an IP address from an RRAS pool?

thanks.

Sam Salhi [MSFT]

2004-10-15, 9:25 pm

IAS doesn't provide clients with IP Addresses. "Radius Clients" are
infrastructure devices or RRAS. These should have a static IP assigned to
them by the network administrator.
Now if you have a client connecting TO this client (RAS Client or Wireless
client connecting TO your client), then you can assign that client a
specific IP address. It would be the job of the NAS to enforce this.
To send back an IP address when a specific user connects to your NAS, simply
add that IP in AD. (Open AD Users and Computers, find your user, edit
properties, Dial-In tab, select "Assign static IP Address" and fill in the
address.)
Alternatively, you can also do this from the IAS Remote Access policy: in the
profile, set it under IP Address Assignment. (You may also do it through the
advanced tab.)

HTH


--
=============================================
This posting is provided "AS IS" with no warranties, and confers no rights.
=============================================




2004-10-15, 9:25 pm

So, what's the goal of the field SERVER MUST SUPPLY AN IP
ADDRESS on IP tab of Remote Access Policies' profile?

thanks;


Sam Salhi [MSFT]

2004-10-15, 9:25 pm

To the Remote Access client (not the Radius client).
It's highly recommended that the Radius client always have the same IP. One
way to do it is through a static IP.



2004-10-15, 9:25 pm

It's exactly this, my radius client has a static IP and
it's working well. I need the following:

I have a NAS (radius client) that connects with my radius
server and I need to provide to it some attributes and,
one of them, is the ip address. I'd like my radius
server to be able to get this ip from a pool to allow
more than one simultaneous connection. My question is if
the radius server works integrated with RRAS and if it
could get the ip from the pool set in the RRAS, allowing
more than one simultaneous connection and without the
necessity of setting the ip on user profile properties
individually? Is it possible? If not, is there another way
to do that?

thanks.



Sam Salhi [MSFT]

2004-10-15, 9:25 pm

It's possible, of course.
You have 2 options:
Set up a predefined pool of IP Addresses on RRAS
or
Set up DHCP and have the Relay Agent on RRAS take care of assigning IP addresses
to your clients as they connect.

This can only be controlled to a limited extent from the IAS server. You can do
it either per user, or per policy, but one address at a time in both cases.

Your best bet is to keep the IAS configuration at default (have RRAS assign
the IP Addresses) and then configure RRAS to assign IP addresses (either
from Pool or DHCP).





Sam Salhi [MSFT]

2004-10-18, 2:52 am

IAS can't get the IP on behalf of the user if it's in the RRAS pool.
What you need to do is to start with a clean CRP and a clean RAP policy,
and just keep the defaults. (The defaults are to have the server assign the
IP addresses.)
Also, it wouldn't hurt to double check your RRAS settings.



<anonymous@discussions.microsoft.com> wrote in message
news:0fb801c4b1e6$1f5d0200$a601280a@phx.gbl...
> I've already predefined a pool of IP Addresses on RRAS,
> but I don't know how to make the IAS get an ip from this
> pool. Do I need to add some attribute in my CONNECTION
> REQUEST POLICY or in my REMOTE ACCESS POLICY to do that?
>
> My scenario is that I have Dial In users that call the RAS
> service from my service provider, so, this RAS connects to
> my IAS and my IAS needs to provide to it the authentication
> and the ip (besides other attributes), but I'm not able to
> get an ip from my RRAS pool that is running on the same
> server as my IAS. I'm just able to provide a static IP
> using the attribute FRAMED-IP-ADDRESS or predefining the
> ip in the User Account profile.
>
> I found the article 279101 on Microsoft Knowledge Base
> that describes that if I fill out the attribute
> FRAMED-IP-ADDRESS with 255.255.255.254, it means that Server must
> supply an IP address. I added this attribute with this
> value in my CONNECTION REQUEST POLICY and the request is
> being relayed to my REMOTE ACCESS POLICY (Policy that
> controls connections on RRAS, I believe) as you can see on
> the log that I attached below, but the option SERVER MUST
> SUPPLY AN IP ADDRESS on tab IP in REMOTE ACCESS POLICY's
> profile doesn't get an ip from the RRAS pool and include it in
> the answer that is sent back to the Radius client that
> started the process.
>
> Is there a way to allow IAS to get an ip from this pool
> and include it in the answer to the Radius client?
> Or another way to define an address pool?
>
> thanks a lot.
>
> assigning IP address
> server. You can do
> time in both cases
> default (have RRAS assign
> addresses (either
> and confers no
> radius
> allow
> if
> way
> AN
> Addresses, "Radius
> (RAS
> to
> Remote
> warranties,
> some
> to
> Assign a
> connection,
> and
> see
> 192.168.15.1,luyper@sotreq.net,10/13/2004,11:47:16,IAS,U19
> DCMTZA,6,2,4,192.168.15.1,61,0,7,1,30,2121,31,2138657722,7
> 192.168.15.1,luyper@sotreq.net,10/13/2004,11:47:16,IAS,U19
> Silveira,27,36000,6,2,28,18000,7,1,8,255
.255.255.254,4108,
> Request,8,255.255.255.254,7,1,28,300,6,2,27,600,4129,SOTRE
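
Added example (not part of the original thread): a Python reader for IAS-format log records laid out like LINE1 and LINE2 in the first post, reporting the packet type, reason code and what the Framed-IP-Address value means. In RFC 2865 the value 255.255.255.254 tells the NAS to select the address itself, so an Access-Accept carrying it hands the choice to the RADIUS client rather than delivering an address from a pool. The sample records and the host name SRV01 are constructed; 4136 (Packet-Type) and 4142 (Reason-Code) are IAS log attribute IDs.

```python
import csv
import ipaddress

# Attribute IDs used below: 8 is the standard RADIUS number, 41xx are IAS-specific.
FRAMED_IP, PACKET_TYPE, REASON_CODE = "8", "4136", "4142"
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject"}
# RFC 2865 special values for Framed-IP-Address.
SENTINELS = {
    "255.255.255.254": "NAS selects the address (e.g. from its own pool)",
    "255.255.255.255": "NAS lets the user select the address",
}

def parse_ias_line(line):
    """Split one IAS-format record into its 6 header fields and attribute pairs."""
    fields = next(csv.reader([line]))
    header, rest = fields[:6], fields[6:]
    if len(rest) % 2:
        raise ValueError("attribute list is not id,value pairs (line wrapped?)")
    # An attribute can repeat within a record; keep every value in order.
    attrs = {}
    for attr_id, value in zip(rest[0::2], rest[1::2]):
        attrs.setdefault(attr_id, []).append(value)
    return header, attrs

def describe_address(line):
    """Return (packet type, reason code, meaning of Framed-IP-Address)."""
    _, attrs = parse_ias_line(line)
    ptype = PACKET_TYPES.get(attrs.get(PACKET_TYPE, ["?"])[0], "other")
    reason = attrs.get(REASON_CODE, ["?"])[0]
    values = attrs.get(FRAMED_IP)
    if not values:
        return ptype, reason, "no Framed-IP-Address in record"
    addr = values[-1]
    if addr in SENTINELS:
        return ptype, reason, SENTINELS[addr]
    ipaddress.IPv4Address(addr)  # raises ValueError on a corrupt value
    return ptype, reason, "static address " + addr

# Constructed sample records (not taken from the thread), same field layout.
HDR = "192.0.2.1,user@example.test,10/13/2004,11:47:16,IAS,SRV01,"
REQUEST = HDR + "4,192.0.2.1,7,1,4136,1,4142,0"
ACCEPT = HDR + "8,255.255.255.254,7,1,4136,2,4142,0"
STATIC = HDR + "8,198.51.100.7,4136,2,4142,0"

if __name__ == "__main__":
    for record in (REQUEST, ACCEPT, STATIC):
        print(describe_address(record))
```

A record that was hard-wrapped by a mail or news client has to be rejoined into one line first; otherwise the pair check raises ValueError.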

