Hi, we indeed already tried sending only the Framed-IP-Address in the Access-Accept and it didn't work; the Gateway didn't assign this address to the IPsec client, but a default IP address.

I also didn't understand why the Framed-Pool attribute is a must in the Gateway. Juniper supports only the following cases (extract from the Screen OS documentation):

Case 1: Framed-Pool attribute and the Framed-IP-Address attribute are both included in the Access-Accept message.
=> The Framed-Pool attribute is always ignored by the RADIUS server unless the Framed-IP-Address value is 0xFFFFFFFE (255.255.255.254). Then, the device allocates an address from the Framed-Pool attribute sent by the RADIUS server.

Case 2: Framed-Pool attribute and the Framed-IP-Address attribute are both absent from the Access-Accept message.
=> The device does not assign an IP address to the end user.

Case 3: Framed-IP-Address attribute is included in the Access-Accept message and it has a value of 0xFFFFFFFE (255.255.255.254), BUT the Framed-Pool attribute is absent.
=> The device allocates an IP address from the default IP address pool that is configured for that virtual system.

Case 4: The pool sent out in the Framed-Pool attribute is not configured, or it does not have any IP addresses.
Error messages are generated and the negotiation is terminated.

Best regards,
Laurence

-----Original Message-----
From: freeradius-users-bounces+laurence.groebl=alcatel-lucent....@lists.freeradius.org [mailto:freeradius-users-bounces+laurence.groebl=alcatel-lucent....@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Tuesday, 1 March 2011 11:56
To: [email protected]
Subject: Re: IP Pool for Ethernet

On 01/03/11 10:39, Groebl, Laurence (Laurence) wrote:
> Hello Alan,
>
> Yes, according to the documentation of the Juniper Gateway, the
> gateway should be able to understand the Radius attribute 8
> "Framed-IP-Address" in the Access-Accept message, but it seems that
> it also needs the attribute 88 "Framed-Pool".

That doesn't make sense. You can't send it a specific IP, and an attribute telling it to pick an IP from a local pool, and expect any sensible behaviour.

Have you tried just sending the Framed-IP-Address?

Also, your subject line is wrong - this is nothing to do with "Ethernet"

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

