Add an IP Pool

VPN profiles require IP address pools in order to be fully functional. In addition, control plane traffic such as RADIUS is sourced from the Secure Access IP address pools.


Add an IP pool that is used to manage a set of IP addresses for your VPN profile. Optionally, add a RADIUS group for VPN profiles.

Add an IP Pool

To configure the VPN IP pool, complete the following steps:

  1. Navigate to Connect > End User Connectivity > Virtual Private Network.
  2. For Manage IP Pools, click Manage.
  3. Click Add IP Pool to add an IP pool that manages a set of IP addresses for your VPN profiles.
  4. Configure the parameters of the IP pool:

    • Map the IP pool to a Region.
    • Add a meaningful Display name.
    • Choose a pair of DNS Servers from the drop-down, or click Add to add a new DNS pair.
    • Add Endpoint IP pools for use with remote access VPN endpoints. Each endpoint is assigned an IP address from the defined IP pool. Supported prefix lengths range from /28 to /16. You can add multiple comma-separated ranges.
    • Add Management IP pools for management of remote access VPN endpoints. Supported prefix lengths range from /31 to /21. You can add multiple comma-separated ranges.
  5. Click Save when you are done.
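The form only tells you that a range is rejected, not why. The following is an added example (not Cisco Secure Access code) that checks Endpoint and Management IP pool strings offline against the prefix-length limits documented above. It also flags host bits in a range and overlaps between ranges; those two checks are added sanity checks, not rules stated on this page. The sample pool values are constructed for the example.

```python
"""Added example (not Cisco Secure Access code): sanity-check the Endpoint and
Management IP pool fields before pasting them into the Add IP Pool form.

Prefix-length limits are the documented ones (/28 to /16 for endpoint pools,
/31 to /21 for management pools; multiple comma-separated ranges allowed).
The host-bits and overlap checks are added here, not rules from the page.
"""
import ipaddress
from typing import List, Tuple

# (longest, shortest) prefix length allowed for each pool type.
POOL_LIMITS = {"endpoint": (28, 16), "management": (31, 21)}


def _parse(field: str, kind: str) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Split a comma-separated field into networks, collecting parse problems."""
    nets, errors = [], []
    for raw in (part.strip() for part in field.split(",")):
        if not raw:
            continue
        try:
            net = ipaddress.IPv4Network(raw)  # strict: host bits must be zero
        except ValueError:
            try:
                net = ipaddress.IPv4Network(raw, strict=False)
            except ValueError as exc:
                errors.append(f"{kind}: '{raw}' is not a valid IPv4 range ({exc})")
                continue
            # e.g. 10.0.0.5/30: the user most likely meant 10.0.0.4/30
            errors.append(f"{kind}: '{raw}' has host bits set; did you mean {net}?")
        nets.append(net)
    return nets, errors


def validate_pool(field: str, kind: str) -> List[str]:
    """Check one pool field against its documented prefix-length bounds."""
    longest, shortest = POOL_LIMITS[kind]
    nets, errors = _parse(field, kind)
    for net in nets:
        if not shortest <= net.prefixlen <= longest:
            errors.append(
                f"{kind}: {net} is a /{net.prefixlen}; allowed /{longest} to /{shortest}"
            )
    # Ranges inside one field must not overlap each other (added check).
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                errors.append(f"{kind}: {a} overlaps {b}")
    return errors


def validate_pools(endpoint_field: str, management_field: str) -> List[str]:
    """Validate both fields and flag endpoint/management overlap (added check)."""
    errors = validate_pool(endpoint_field, "endpoint")
    errors += validate_pool(management_field, "management")
    endpoint_nets, _ = _parse(endpoint_field, "endpoint")
    management_nets, _ = _parse(management_field, "management")
    for a in endpoint_nets:
        for b in management_nets:
            if a.overlaps(b):
                errors.append(f"endpoint {a} overlaps management {b}")
    return errors


# Constructed sample input (RFC 1918 space chosen for the example, not from the page).
GOOD_ENDPOINT = "10.200.0.0/20, 10.200.16.0/20"
GOOD_MANAGEMENT = "10.201.0.0/24"
BAD_ENDPOINT = "10.200.0.0/20, 10.200.8.0/22, 10.0.0.5/30"
BAD_MANAGEMENT = "10.200.0.0/26, 172.16.0.0/20, not-a-range"

if __name__ == "__main__":
    for label, ep, mg in (("good", GOOD_ENDPOINT, GOOD_MANAGEMENT),
                          ("bad", BAD_ENDPOINT, BAD_MANAGEMENT)):
        problems = validate_pools(ep, mg)
        print(f"{label}: {len(problems)} problem(s)")
        for p in problems:
            print("  -", p)
```

Run it before you save the form: the good pair produces no findings, while the bad pair reports a /30 endpoint range (too small), a /20 management range (too large), a host address typed in place of a network, an unparsable entry, and two overlaps.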

Add a RADIUS Group (optional)

This section describes how to configure a RADIUS group and add servers to the group. The RADIUS group is applied to the IP pool being configured and can also be mapped to other IP pools.

  1. Navigate to Connect > End User Connectivity > Virtual Private Network.

  2. For Manage IP Pools, click Manage.

  3. Click Add IP Pool and scroll down to RADIUS Groups (optional).

  4. Click Add to configure the RADIUS group and enter a meaningful Group Name.

  5. Choose the AAA methods to apply to this RADIUS Group. Choose at least one method. Note: If both the Authentication and Authorization methods are selected, the same port number must be used.

    1. Authentication - Enter the RADIUS authentication Port number. The valid range is from 1 to 65535. The default is 1812.

      Check Microsoft CHAPv2 to use Microsoft Challenge Handshake Authentication Protocol Version 2 as the authentication method. Check it only if your RADIUS server requires it.

    2. Authorization - Enter the RADIUS authorization Port number. The valid range is from 1 to 65535. The default is 1812.

      When you check Authorization mode only, no common password is required.

      When you check Change of authorization (CoA) mode, the RADIUS server group is registered for CoA notifications. If you enable CoA, the listening port for RADIUS CoA requests uses the default of 1700. Select this option when using this server group for ISE Policy Enforcement in remote access VPNs.

    3. Accounting - Enter the RADIUS accounting Port number. The valid range is from 1 to 65535. The default is 1813.

      Select the Accounting mode, either Single or Simultaneous. In single mode, accounting data is sent to only one server. In simultaneous mode, accounting data is sent to all servers in the group.

      For Accounting update, select Interim accounting update to enable the periodic generation of RADIUS interim-accounting-update messages.

  6. Configure the method (Reactivation mode) by which failed servers in a group are reactivated:

    1. Set the Max failed attempts to specify the maximum number of failed AAA transactions with a RADIUS server in the group before trying the next server. The range is from 1 to 5. The default is 3.
    2. Choose Depletion to reactivate failed servers only after all of the servers in the group are inactive. This is the default reactivation mode. Set the Dead time, between 0 and 1440 minutes, that elapses between the disabling of the last server in the group and the subsequent re-enabling of all servers. Dead time applies only if you configure fallback to the local database; authentication is attempted locally until the dead time elapses. The default is 10 minutes.
    3. Choose Timed to reactivate failed servers after 30 seconds of down time.
    4. Set the Servers timeout. Enter the number of seconds to wait for a response from a RADIUS server. The default is 10 seconds.
  7. Scroll down to RADIUS Servers and click Add.

    You can add up to eight servers to each RADIUS group.

  8. Enter a meaningful Server name, an IP Address, and a Secret Key/Password combination, and click Save & Add server. Use a long, random secret that is unique to each server: the RADIUS shared secret is the only key protecting the integrity of the exchange with that server, and a weak secret can be recovered offline from captured RADIUS traffic.

  9. Click Save when you are done adding servers to complete the RADIUS Group.
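The interaction between Max failed attempts, Servers timeout, Depletion dead time and Timed reactivation is easy to misjudge from the field descriptions alone. The following is an added example (not Cisco Secure Access code) that models those settings as a small state machine and walks two constructed servers (ise-1 and ise-2, addresses and names invented for the example) through repeated timeouts, showing which server the next AAA transaction would go to in each mode. The numeric limits it checks (1 to 8 servers, ports 1 to 65535, matching Authentication and Authorization ports, 1 to 5 failed attempts, 0 to 1440 minutes of dead time, 30-second timed reactivation) are the ones documented above; how Secure Access implements them internally is not described on this page, so treat the model as an illustration of the documented behaviour only.

```python
"""Added example (not Cisco Secure Access code): a model of the RADIUS group
settings above, to show how Max failed attempts, Depletion dead time and Timed
reactivation decide which server the next AAA transaction goes to.

Limits are the documented ones; server names and addresses are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

TIMED_REACTIVATION_SECONDS = 30  # documented: Timed mode revives a server after 30 s


@dataclass
class RadiusServer:
    name: str
    address: str
    failures: int = 0                   # consecutive failed AAA transactions
    dead_since: Optional[float] = None  # simulated clock value when marked failed


@dataclass
class RadiusGroup:
    name: str
    servers: List[RadiusServer]
    auth_port: int = 1812
    authz_port: Optional[int] = None  # None: Authorization method not selected
    acct_port: int = 1813
    max_failed_attempts: int = 3
    reactivation: str = "depletion"   # "depletion" (default) or "timed"
    dead_time_minutes: int = 10
    timeout_seconds: int = 10

    def validate(self) -> List[str]:
        """Apply the form's documented constraints; return a list of problems."""
        errors = []
        if not 1 <= len(self.servers) <= 8:
            errors.append(f"{len(self.servers)} servers; a group holds 1 to 8")
        ports = [self.auth_port, self.acct_port]
        if self.authz_port is not None:
            ports.append(self.authz_port)
            if self.authz_port != self.auth_port:
                errors.append("Authentication and Authorization ports must match")
        errors += [f"port {p} outside 1-65535" for p in ports if not 1 <= p <= 65535]
        if not 1 <= self.max_failed_attempts <= 5:
            errors.append(f"Max failed attempts {self.max_failed_attempts} outside 1-5")
        if not 0 <= self.dead_time_minutes <= 1440:
            errors.append(f"Dead time {self.dead_time_minutes} outside 0-1440 minutes")
        if self.reactivation not in ("depletion", "timed"):
            errors.append(f"unknown reactivation mode {self.reactivation!r}")
        return errors

    def active_servers(self, now: float) -> List[RadiusServer]:
        """Apply the reactivation rule at time `now`, then list usable servers in order."""
        dead = [s for s in self.servers if s.dead_since is not None]
        if self.reactivation == "timed":
            # Timed: each failed server comes back on its own after 30 s.
            revive = [s for s in dead if now - s.dead_since >= TIMED_REACTIVATION_SECONDS]
        elif dead and len(dead) == len(self.servers):
            # Depletion: nothing comes back until every server is down; the dead
            # time then runs from the moment the last server was disabled.
            last_down = max(s.dead_since for s in dead)
            revive = dead if now - last_down >= self.dead_time_minutes * 60 else []
        else:
            revive = []
        for s in revive:
            s.failures, s.dead_since = 0, None
        return [s for s in self.servers if s.dead_since is None]

    def pick(self, now: float) -> Optional[RadiusServer]:
        """First usable server, or None when the group is depleted (local fallback)."""
        active = self.active_servers(now)
        return active[0] if active else None

    def record_failure(self, server: RadiusServer, now: float) -> None:
        """Count a timed-out transaction; disable the server at Max failed attempts."""
        server.failures += 1
        if server.failures >= self.max_failed_attempts:
            server.dead_since = now


def simulate(mode: str) -> List[Optional[str]]:
    """Fail both servers in turn and report the picked server after each server
    is disabled, then again after the dead time has elapsed."""
    group = RadiusGroup(
        "ise-group",
        [RadiusServer("ise-1", "192.0.2.10"), RadiusServer("ise-2", "192.0.2.11")],
        max_failed_attempts=2, reactivation=mode, dead_time_minutes=10,
    )
    now, trace = 0.0, []
    for _ in range(2):                              # two servers fail in turn
        for _ in range(group.max_failed_attempts):  # each transaction times out
            group.record_failure(group.pick(now), now)
            now += group.timeout_seconds
        picked = group.pick(now)
        trace.append(picked.name if picked else None)
    picked = group.pick(now + group.dead_time_minutes * 60)
    trace.append(picked.name if picked else None)
    return trace


if __name__ == "__main__":
    print("depletion:", simulate("depletion"))
    print("timed:    ", simulate("timed"))
```

In Depletion mode the trace is `['ise-2', None, 'ise-1']`: once ise-2 has also failed, no RADIUS server is usable (the `None`, where the page says authentication falls back to the local database) until the dead time runs out and both servers return together. In Timed mode it is `['ise-2', 'ise-1', 'ise-1']`: ise-1 is already back 30 seconds after it was disabled, so the group never goes empty, but a server with a persistent fault is retried every half minute.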
