Cisco 877 DHCP Relay to PPTP Client

Posted on 2006-05-23
Last Modified: 2008-03-17
Hi, I'm new to the Cisco world, never seen one of these things before yesterday...

I have a Cisco 877 and some PPTP clients dialing in and authenticating via RADIUS to Active Directory.

Now they get their IP from a DHCP pool from the router, but I'd rather they could get the IP from the server, as they are members of the domain and their laptop would get the same IP regardless of whether they were at the office or at home.

How do I achieve this? I've played around with "ip helper-address" a little and googled for about 16 hours straight - can't make it work.

Here is my config - any other comments are also welcome.

Building configuration...

Current configuration : 4308 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname xxX
logging buffered 51200 warnings
aaa new-model
aaa authentication ppp default group radius local
aaa authorization network default group radius local
aaa session-id common
resource policy
ip subnet-zero
ip cef
no ip domain lookup
ip name-server xx.xx.xx.xx
ip name-server xx.xx.xx.xx
vpdn enable
vpdn-group 1
! Default PPTP VPDN group
  protocol pptp
  virtual-template 1
async-bootp dns-server
async-bootp nbns-server
crypto pki trustpoint TP-self-signed-942293467
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-942293467
 revocation-check none
 rsakeypair TP-self-signed-942293467
crypto pki certificate chain TP-self-signed-942293467
 certificate self-signed 01
username xxxx privilege 15 secret 5 $1$sIB2$hJYkT9/dU9uw8H4cfZfbE0
username xxxx password 0 xxxx
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode ansi-dmt
interface ATM0.1 point-to-point
 ip address 210.89.xx.xx
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 atm route-bridged ip
 pvc 8/35
  protocol ip 210.89.xx.xx broadcast
  no broadcast
  encapsulation aal5snap
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Virtual-Template1
 ip unnumbered ATM0.1
 ip mroute-cache
 peer default ip address pool DIAL-IN
 no keepalive
 ppp encrypt mppe 128
 ppp authentication ms-chap ms-chap-v2
interface Vlan1
 ip address
 ip access-group 11 in
 ip access-group 101 out
 ip nat inside
 ip virtual-reassembly
ip local pool DIAL-IN
ip classless
ip route 210.89.xx.xx
no ip http server
no ip http secure-server
ip nat inside source list 111 interface ATM0.1 overload
ip nat inside source static tcp 25 210.89.xx.xx 25 extendable
ip nat inside source static tcp 80 210.89.xx.xx 80 extendable
ip nat inside source static tcp 443 210.89.xx.xx 443 extendable
ip nat inside source static tcp 3389 210.89.xx.xx 3389 extendable
access-list 11 permit
access-list 101 permit ip any any
access-list 111 permit ip any
no cdp run
radius-server host auth-port 1645 acct-port 1646
radius-server key xxxxx
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password xxxxx
 transport input telnet ssh
scheduler max-task-time 5000
Question by: Tipsmark

    Accepted Solution

    PPTP clients get their addresses either from the router or from RADIUS, not from an external DHCP server.
    You can configure your RADIUS to provide the same IP address as provided by DHCP on a per-user basis.
    In RADIUS this attribute is called Framed-IP-Address. If you return it from the RADIUS server to the Cisco as a reply item, that IP address will be used instead of a random IP from the DIAL-IN pool.
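The Framed-IP-Address mechanism described in the accepted solution, modelled from the router (NAS) side as an added example that is not part of the original thread or of any Cisco or IAS code: it builds a constructed Access-Accept, verifies the RFC 2865 Response Authenticator against the shared secret before trusting any reply item, and then honours Framed-IP-Address unless it carries one of the RFC 2865 sentinel values, in which case it falls back to the local pool. The shared secret, request authenticator and pool addresses are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct
ACCESS_ACCEPT = 2  # RADIUS packet code (RFC 2865)
FRAMED_IP_ADDRESS = 8  # attribute type 8: 4-byte IPv4 reply item
# RFC 2865 sec. 5.8: 255.255.255.255 = user picks, 255.255.255.254 = NAS picks from its pool
SENTINELS = {ipaddress.IPv4Address("255.255.255.255"), ipaddress.IPv4Address("255.255.255.254")}

def response_authenticator(code, ident, length, request_auth, attrs, secret):
    """RFC 2865 sec. 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + attrs + secret).digest()

def build_accept(ident, request_auth, secret, framed_ip=None):
    """Constructed sample Access-Accept, signed with the shared secret (stand-in for IAS)."""
    attrs = b""
    if framed_ip is not None:
        attrs = bytes([FRAMED_IP_ADDRESS, 6]) + ipaddress.IPv4Address(framed_ip).packed
    length = 20 + len(attrs)
    auth = response_authenticator(ACCESS_ACCEPT, ident, length, request_auth, attrs, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, length) + auth + attrs

def parse_attributes(packet):
    """Return (type, value) TLVs; the length byte counts its own 2-byte header."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    offset, attrs = 20, []
    while offset < length:
        atype, alen = packet[offset], packet[offset + 1]
        if alen < 2 or offset + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[offset + 2:offset + alen]))
        offset += alen
    return attrs

def choose_client_ip(packet, request_auth, secret, pool):
    """NAS-side decision: verify the reply, honour Framed-IP-Address, else take from the pool."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, ident, length, request_auth, packet[20:], secret)
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("bad Response Authenticator: reply was not signed with our shared secret")
    if code != ACCESS_ACCEPT:
        raise PermissionError("access rejected")
    for atype, value in parse_attributes(packet):
        if atype == FRAMED_IP_ADDRESS and len(value) == 4:
            addr = ipaddress.IPv4Address(value)
            if addr not in SENTINELS:
                return str(addr)
    return pool.pop(0)
```

The authenticator check is what makes a per-user reply item trustworthy: a reply whose attribute bytes were altered in transit, or that was not produced with the router's configured radius-server key, is discarded before any address is assigned.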

    Author Comment

    OK, should I add "ip helper-address" to an interface? I use IAS; I assume that's OK? Anyway, I'll give it a go!

    Author Comment

    Hmm, I think I found a solution - not the best, but working so far.

    I can specify a static IP in the user properties in AD, and then it works even when the Cisco is set to: peer default ip address pool DIAL-IN

    Now that's progress, as I can now reserve that IP in DHCP and in that way make sure my DNS information is correct...

    Is this the correct way to do it?

    Author Comment

    Doesn't matter - since it's on a per-user basis, I assume my mind was going the wrong way.

    Here are some points for you, mate.

    Expert Comment

    > Hmm I think I found a solution - not the best but working so far
    I don't know a better solution.

    In your DHCP you may bind a static IP address to the client's machine name or to its MAC address, so your mobile clients will be able to get an IP from DHCP the same way as with PPTP.

    Author Comment

    Yes, that was my intention - but one client has a tablet at home and a workstation at work, so that will present a problem, as I need to map printers from both PCs via login scripts.... I'll just map them based on the static IP they receive when logging on via PPTP - so far so good...
