IP assignment per group

[p_ghas]

Hi,
I'm trying to use the ipassignment.conf on a per group basis, but there is not way of getting the IP's from that specific pool!

Here is my ipassignment.conf:
* range 192.168.0.1-192.168.0.254/24 Users

The group "Users" is configured on my SC but is not that same group used for Radius authentication.

Do any of you have an idea of why I don't get the IP's from ipassignment.conf!?

Thanks...

[melipla]

First off, be sure you're updating the ipassignment.conf file that is on the gateway--not the smartcenter server. I believe you have to push policy before the assignments will start.

Then I didn't understand fully your comment about the usernames. The ipassignemnt.conf user should match what the user types into the Secureclient user field. How they get authenticated, via smartcenter or radius, should not affect whether or not they get an IP from the ipassignment.conf file.

HTH

[p_ghas]

I'm updating ipassignment.conf on the gateway and pushing the policy after that...

The idea is to assign the IP's based on the user group, not the user name, but when I use the parameter range/group, as shown below, the users on the group don't get an IP from this pool.

* range 192.168.0.1-192.168.0.254/24 Users

I use Radius to authenticate the users.

Thanks... PEH

[melipla]

Since you're trying to use the radius group then I'm assuming that you've already set up the radius users group and enabled them for the object per the instructions?

Sadly, I've never seen anything that says you can use radius groups in the ipassignment.conf file, but maybe its an undocumented feature. At the very least you can change "Users" to a specific radius user to ensure that you're getting an IP. If that works then try to use the "RAD_Users" group instead of the radius "Users" as I'd think you'd have more success with the CP Group.

[p_ghas]

Actually the group "Users" is not a Radius group, but a group created on SC.

I made a test using the user name instead of the group and I got the ip's successfully, but what I need is to associate a range or subnet to a specific group.

Any ideas?

Thanks...

[melipla]

Quote:

Originally Posted by p_ghas

I made a test using the user name instead of the group and I got the ip's successfully, but what I need is to associate a range or subnet to a specific group.

AFAIK there's no documentation stating you can do this. The ipassignemnt.conf file only says to add users so you'd have to add each user individually. Its a great RFE suggestion though.

You could try to get around the group limitation by using your own OM DHCP server to reserve specific IPs, only offereing OM to specific people, or possibly using pool NAT.

[p_ghas]

The ipassignment.conf itself has the following examples:

# Miami range 100.107.105.110-100.107.105.119/24 Finance
# Miami net 10.7.5.32/28 suffix=(acct.acme.com) Accounting

In these cases where should I define the groups Finance and Accounting? SC?

[melipla]

I take back everything I said, the documentation refers to IP per group and the utility to check the syntax of the ipassignment.conf even refers to groups. If you run the check, does your User group return as a user or a group?

vpn ipafile_check ipassignment.conf detail

[p_ghas]

It returns Group...

[melipla]

Since I feel bad for being completely wrong early, I tried to set up a group and use that group in the ipassignment.conf file--I too was unsuccessful in getting an IP from the group. I tried using a CP group and radius group, neither worked. I'm not any help today...

[p_ghas]

melipla... thanks for your tries!!

I will keep on trying to make this work!!!