
19. Can both dynamic and static address assignment be used concurrently for PPP dialin users?

Yes, this is possible. First make sure that the IP addresses negotiated during PPP IPCP address negotiation are verified by the TACACS+ daemon, by configuring "aaa authorization network TACACS+" on the NAS.

Then, in the TACACS+ daemon's configuration, you can assign each user either an address pool or a single address, using the configurations shown below.

The address pool has to be defined on the router with the command ip local pool. If the TACACS+ daemon specifies an address pool for the user being authorized, it is up to the NAS to select one of the addresses from the pool. Address pools are always local to the NAS.

The relevant fragments of the daemon config follow. User dynamic's IP address is chosen by the NAS from the pool dynamicpool, whereas user static's address is always the same.

user = "dynamic" {
   ...
   service = ppp protocol = ip {
       addr-pool="dynamicpool"
   }
}
user = "static" {
   ...
   service = ppp protocol = ip {
       addr="172.20.1.1"
   }
}

And the NAS config:

aaa new-model
aaa authentication ppp default TACACS+
aaa authorization network TACACS+
!
ip local pool dynamicpool 172.16.1.1 172.16.1.255
!
interface BRI0
 ip unnumbered Ethernet0
 encapsulation ppp
 ppp authentication chap
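
An added example (not part of the original FAQ, nor code from the TACACS+ daemon): since address pools are always local to the NAS, this Python sketch checks that every addr-pool named in the daemon config is defined by an ip local pool line on the NAS. It assumes the simplified stanza layout shown above; the function names are hypothetical, and the check that a static addr does not fall inside a NAS pool is an extra sanity check not stated in the FAQ.

```python
import ipaddress
import re

# Constructed sample input mirroring the fragments above (the "..." lines are omitted).
DAEMON_CFG = '''
user = "dynamic" {
   service = ppp protocol = ip {
       addr-pool="dynamicpool"
   }
}
user = "static" {
   service = ppp protocol = ip {
       addr="172.20.1.1"
   }
}
'''
NAS_CFG = 'ip local pool dynamicpool 172.16.1.1 172.16.1.255\n'

def nas_pools(nas_cfg):
    """Return {pool name: (first address, last address)} from 'ip local pool' lines."""
    pools = {}
    for m in re.finditer(r'^\s*ip local pool (\S+) (\S+) (\S+)\s*$', nas_cfg, re.M):
        pools[m.group(1)] = tuple(ipaddress.ip_address(a) for a in m.group(2, 3))
    return pools

def user_assignments(daemon_cfg):
    """Yield (user, attribute, value) for each addr / addr-pool in a user stanza."""
    for stanza in re.split(r'(?m)^(?=user\s*=)', daemon_cfg):
        name = re.match(r'user\s*=\s*"?([^"\s{]+)', stanza)
        if not name:
            continue  # text before the first user stanza
        for attr, val in re.findall(r'\b(addr-pool|addr)\s*=\s*"?([^"\s]+)', stanza):
            yield name.group(1), attr, val

def audit(daemon_cfg, nas_cfg):
    """Return a list of findings; an empty list means the two configs agree."""
    pools, findings = nas_pools(nas_cfg), []
    for user, attr, val in user_assignments(daemon_cfg):
        if attr == 'addr-pool' and val not in pools:
            findings.append(f'{user}: pool {val!r} is not defined on the NAS')
        elif attr == 'addr':
            ip = ipaddress.ip_address(val)
            for pname, (lo, hi) in pools.items():
                if lo <= ip <= hi:  # added check: static address overlaps a pool
                    findings.append(f'{user}: static {val} lies inside pool {pname!r}')
    return findings

if __name__ == '__main__':
    print(audit(DAEMON_CFG, NAS_CFG) or 'no findings')
```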

