Explorer

IP pool assignment using radius

Hi folks,

Looking for a technology go/no go for this scenario. Can you please let me know if this will work?

R80.10 - RA VPN for 2 user groups:
Group 1 will use the Endpoint client, be Windows based and will receive office mode IPs - already works.

Group 2 will use L2TP (shared secret string) and be Linux based. I would like them to receive custom IPs from a pool.

Both sets of users authenticate via a RADIUS server (with accounting). For Group 2, the RADIUS server can send the IP pool name that they should be allocated from.

The key here is that Check Point will hand out DHCP addresses instead of the RADIUS server - as with traditional RADIUS accounting.

0 Kudos
3 Replies
Admin

Believe what you are looking for is: How to configure RADIUS to assign Office Mode IP addresses 

0 Kudos
Explorer

Hi Dameon,

Close - but not quite there. I have used the referenced SK to set up in the lab and the clients are getting the SAME IP address. This is so because the RADIUS server is dumb and is not controlling IP allocation.

My RADIUS server is sending the following:

Framed-IP-Address - 192.168.48.0
Framed-IP-Netmask - 255.255.255.0
Framed-Protocol - PPP

Each client to connect gets a PPP connection: their IP 192.168.48.0 and the gateway is correct at 192.168.100.2. Always the same...

I need the gateway itself to handle IP allocation as my RADIUS server cannot do IP pools. I can send the above attributes or even a string with the name of an IP pool, but the gateway must take this info and make its own decisions about IPs.

Is there a way for this to happen or will the Check Point gateway always expect an IP from the RADIUS server?

Thanks

Gary

0 Kudos
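An added example, not part of the thread and not Check Point or RADIUS server code: a Python check over constructed Access-Accept attribute sets like the ones in the post above. It flags a Framed-IP-Address that is the network or broadcast address of its Framed-IP-Netmask, and one that is returned to more than one user. The user names and the third reply are invented for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: two replies carry the static attributes quoted in the
# post; the third is an invented reply with a distinct host address.
ACCEPTS = [
    {"User-Name": "linux-user1", "Framed-IP-Address": "192.168.48.0",
     "Framed-IP-Netmask": "255.255.255.0", "Framed-Protocol": "PPP"},
    {"User-Name": "linux-user2", "Framed-IP-Address": "192.168.48.0",
     "Framed-IP-Netmask": "255.255.255.0", "Framed-Protocol": "PPP"},
    {"User-Name": "linux-user3", "Framed-IP-Address": "192.168.48.10",
     "Framed-IP-Netmask": "255.255.255.0", "Framed-Protocol": "PPP"},
]


def audit_accepts(accepts):
    """Return sorted (address, problem) findings for a list of replies."""
    findings = set()
    users_by_ip = defaultdict(set)
    for reply in accepts:
        addr = reply.get("Framed-IP-Address")
        if addr is None:
            continue  # no address in this reply, nothing to check
        users_by_ip[addr].add(reply["User-Name"])
        mask = reply.get("Framed-IP-Netmask", "255.255.255.255")
        # strict=False lets a host address define its enclosing subnet.
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        ip = ipaddress.ip_address(addr)
        if net.prefixlen < 31:  # /31 and /32 have no reserved addresses
            if ip == net.network_address:
                findings.add((addr, f"network address of {net}"))
            elif ip == net.broadcast_address:
                findings.add((addr, f"broadcast address of {net}"))
    for addr, users in users_by_ip.items():
        if len(users) > 1:
            findings.add((addr, f"shared by {len(users)} users"))
    return sorted(findings)


if __name__ == "__main__":
    for addr, problem in audit_accepts(ACCEPTS):
        print(f"{addr}: {problem}")
```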
Admin

You can do IP assignment based on groups as described here: Office Mode IP and ipassignment.conf file

However the actual subnet to assign IPs from must be specified in ipassignment.conf.

We do not support taking the subnet to assign IPs from via RADIUS. 

0 Kudos