Group Default IP Address Networks for Access Server
This document explains how the group default IP address network functionality works in Access Server and gives tips for setting it up with your network, including cluster setups.
How the group default IP address network works on Access Server
A user assigned to a group will be assigned an IP address from the group's default IP address network. If a subnet is defined on the group, that will be used instead. If neither is defined, an error message will result.
Important
A subnet's first and last IP addresses are reserved for use by the Access Server itself.
For example, suppose you have the subnet 192.0.2.0/24 and four connected clients; Access Server then assigns these IP addresses:
192.0.2.2
192.0.2.3
192.0.2.4
192.0.2.5
Note
In our documentation, we use example IPv4 addresses and subnets reserved for documentation, such as 192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24.
Ensure you replace them with valid IPv4 addresses and subnets for your network(s).
Group default IP address network on standalone Access Servers
The process for a user looks like this:
Create the user in the Admin Web UI.
Assign the user to a group that doesn't have its own group subnet defined.
When the user connects, Access Server assigns an IP address from the group default IP address network subnet.
Suppose you then define access for that user to other subnets using routing or NAT. Then Access Server grants access without issue. Because only one Access Server uses this subnet, one route can properly ensure routing functions.
One server = one group address pool.
Group default IP address network on a cluster of Access Servers
Access Server 2.12 and newer handle the group default IP address network differently in a cluster setup. On older Access Server versions, the group default IP address network was assigned to all nodes. That means if you assigned the subnet 192.168.0.0/24, all nodes used it: Alpha, Beta, and Gamma. The same subnet cannot be routed to all three nodes, which makes routing impossible.
The new behavior with Access Server 2.12 and newer allows the administrator to assign unique group default address subnets to each node. That way, routing can now be set up to direct packets to the correct subnets.
This table helps provide an example:
Node | User | Group | Subnet | IP address |
---|---|---|---|---|
Alpha node | User A | Group 1 | 192.0.2.0/24 | 192.0.2.2 |
Beta node | User B | Group 1 | 198.51.100.0/24 | 198.51.100.2 |
Gamma node | User C | Group 1 | 203.0.113.0/24 | 203.0.113.2 |
Now, each cluster node has its own VPN network and VPN clients. A subnet is no longer assigned to all nodes. Because each node uses a unique subnet, routing now works on cluster configurations where only NAT worked previously.
Clustering group address pool setting comparison by version
Access Server 2.11 and older
The group address pool setting is cluster-wide and inherited by each node.
Access Server 2.12 and newer
The group address pool setting starts with the inherited pool (one subnet for all nodes), but you can override that on the node level. Each node can have a unique pool.
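The following added example (not part of the Access Server documentation or product) checks a per-node pool layout like the table above: it flags overlapping pools (the pre-2.12 situation, where every node inherited the same subnet and routing was impossible), maps a client address back to the node whose pool contains it, treating the first and last address of each pool as reserved for Access Server, and builds the per-pool route table an internal router would need. The node LAN addresses in `NODE_LAN_IPS` are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed example: the per-node group default IP address networks from the
# table above (Access Server 2.12+ lets each node override the inherited pool).
NODE_POOLS: Dict[str, str] = {
    "Alpha": "192.0.2.0/24",
    "Beta": "198.51.100.0/24",
    "Gamma": "203.0.113.0/24",
}

# Constructed assumption: each node's address on the internal LAN, used only to
# show which next hop a static route for that node's pool would point at.
NODE_LAN_IPS: Dict[str, str] = {"Alpha": "10.0.0.11", "Beta": "10.0.0.12", "Gamma": "10.0.0.13"}


def check_node_pools(pools: Dict[str, str]) -> List[str]:
    """Return one problem string per pair of nodes whose pools overlap.

    The same (or an overlapping) subnet cannot be routed to two nodes at once,
    which is exactly why the inherited cluster-wide pool of 2.11 only worked with NAT.
    """
    nets = {node: ipaddress.ip_network(cidr, strict=True) for node, cidr in pools.items()}
    names = sorted(nets)
    return [
        f"{a} ({nets[a]}) overlaps {b} ({nets[b]})"
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


def node_for_client(pools: Dict[str, str], client_ip: str) -> Optional[str]:
    """Name the node whose pool contains client_ip, or None.

    The first and last address of a pool are reserved for Access Server itself,
    so they are never handed to a VPN client and are reported as None.
    """
    ip = ipaddress.ip_address(client_ip)
    for node, cidr in pools.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if ip in net:
            if ip in (net.network_address, net.broadcast_address):
                return None
            return node
    return None


def routes_for_pools(pools: Dict[str, str], lan_ips: Dict[str, str]) -> Dict[str, str]:
    """Map each node's pool to the LAN next hop a router needs for it (pool -> node address)."""
    return {cidr: lan_ips[node] for node, cidr in pools.items()}
```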