Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

PPTP pool assignment

  • 1.  PPTP pool assignment

    Posted Jul 18, 2014 02:27 PM

    I am using an Aruba 620 controller for remote VPN connections (using PPTP) and am trying to set it up so that a certain remote user gets assigned the same IP on the local network each time.  I was guessing that the easiest way to do this would be through the pptp local pools, but I can't seem to get it to work as expected.

    Currently, our configuration is as follows:

    user-role default-vpn-role (assigned to other VPN users)
        pool pptp remote-users
        <ACL rules....>

    user-role user-vpn-role (assigned to this specific user)
        pool pptp user
        <ACL rules....>

    with pools defined as:

    pptp ip local pool remote-users 10.10.10.185 10.10.10.189
    pptp ip local pool user 10.10.10.190

    The user was assigned to user-vpn-role when the user was created (local-userdb add username <user> password <password> role user-vpn-role).

    What I am finding, though, is that when the user logs in, they are getting assigned IPs from both pools (i.e. they are getting IPs from .185 to .190).

    Is there something easy/obvious I am missing?



  • 2.  RE: PPTP pool assignment

    Posted Jul 18, 2014 02:52 PM

    Despite setting the user role in the local-db, can you confirm what role is being assigned when the user connects?

    Also, if you want the role that you assign in the local-db to be assigned when the user logs in, you need to make sure your server group has a server rule of:

    set role condition role value-of

     



  • 3.  RE: PPTP pool assignment

    Posted Jul 18, 2014 03:49 PM

    When I log in as that user, it does show the correct profile being assigned... but getting an IP from the other pool

    user-role blairk-vpn-role
     pool pptp blairk

    user-role default-vpn-role
     pool pptp remote-users

    pptp ip local pool "remote-users" 10.10.10.185 10.10.10.189
    pptp ip local pool "blairk" 10.10.10.190

    (rtr001) # show local-userdb

    User Summary
    ------------
    Name    Password  Role             E-Mail  Enabled  Expiry  Status  Sponsor-Name  Remote-IP  Grantor-Name
    ----    --------  ----             ------  -------  ------  ------  ------------  ---------  ------------
    blairk  ********  blairk-vpn-role          Yes              Active

    (rtr001) #show user

    Users
    -----
        IP               MAC            Name     Role             Age(d:h:m)  Auth  VPN link        AP name  Roaming  Essid/Bssid/Phy  Profile  Forward mode  Type
    ----------      ------------       ------    ----             ----------  ----  --------        -------  -------  ---------------  -------  ------------  ----
    10.10.10.188    00:00:00:00:00:00  blairk    blairk-vpn-role  00:00:41    VPN

    I checked the server group, and it appears as though it should be ok..... although I didn't set any of it up, looks as though it is all still pretty much at defaults.

    aaa authentication vpn "default"

    aaa server-group "default"
     auth-server Internal
     set role condition role value-of

     

     

     



  • 4.  RE: PPTP pool assignment

    Posted Jul 18, 2014 04:14 PM

    I may have figured it out (I hope)... but won't be able to confirm until I have a chance to reload the controller.....

     

    Would what I am seeing be caused by the controller having no PEFV license?

     

    We don't use VIA at all (usually just the VPN client built into Windows), and when we first started deploying controllers to our sites, PPTP worked by simply setting up a user/pass for the user and using the default role.  We only had the odd user that wanted remote access to work after hours, so we set them up on the default role and didn't really pursue it further.

     

    Even though it is showing that the role is being assigned, I am wondering if the lack of a PEFV license is causing it to not *actually* take effect as expected?

     

    I've loaded a PEFV eval license to test the theory, but it won't take effect until the controller is reloaded (or so it says....)



  • 5.  RE: PPTP pool assignment

    Posted Jul 18, 2014 04:37 PM

    You are correct.   PEFV is not required for PPTP VPN users to connect (it is for Aruba VIA users), however it is required to configure the role/firewall policies for non-VIA VPN clients.     After a restart with the Eval license give your setup a test again.

     



  • 6.  RE: PPTP pool assignment

    Posted Jul 25, 2014 09:52 AM

    I loaded an eval PEFV license, rebooted, and tried the user's login again, and it appears as though they are still getting IPs out of both pools, and not just the pool (in this case, single address) that is assigned to their user-role.



  • 7.  RE: PPTP pool assignment

    EMPLOYEE
    Posted Jul 29, 2014 12:01 AM

    hi eightender

    can you try specifying the IP you desire from the pool as part of the local-userdb entry, i.e.

     

    (sg-3200) #local-userdb add username abcdef password abcdef role somerole remote-ip 1.2.3.4

     

    where 1.2.3.4 is part of the pool.

     

    regards

    -jeff



  • 8.  RE: PPTP pool assignment

    Posted Jul 29, 2014 08:04 PM

    Thanks Jeff;

     

    I'll give that a try next week when I am back in the office (yay vacation! :) )

     

    I did try that already, however, I tried that *before* I had a PEFV license loaded.  Now that I have an eval license on the controller, I will give that another try.  Some of the reading I had been doing on the subject made it sound like the remote-ip option was more for access points, so I didn't give it another whirl afterwards.

     

    I'll give it another shot and see if that does the trick!