Hi All, I've got some questions for people with Cisco ACS experience.

We're using ACS to authenticate dial-up users into our network. Using TACACS+ within this product we push out an IP address from an address pool configured within the ACS software. Dependent on the group to which the user belongs, the IP pool is varied. This is done to let the users get through the firewall they encounter soon after the access router - different users get different access rights through the firewall based on their IP address.

Everything is working perfectly with a single dial-in access router (NAS). However, we are looking to add a second NAS. This is where my headaches start.

The problem is that, as far as I can see, the ACS software is not going to be aware of which NAS I am coming in on. Therefore it is going to give me an IP address from the same IP pool, regardless of my actual location. This is a problem in an environment where my firewall only uses static routes, i.e. it is only going to be able to send traffic for the addresses in an IP pool to one of the two NAS devices that I have hanging off the firewall.

Am I missing something about the functionality of the ACS software? Or should I pull back the management of IP pools to the NAS and allow the ACS software only to perform basic authentication?

Please note - the introduction of routing protocols such as RIP or OSPF is not an option. I am not going to permit my firewall to trust external sources of routing information. Also, the introduction of an additional routing device between the NAS devices and the firewall is not an option (budgetary constraints, plus it's a pretty ugly solution).

Any thoughts much appreciated.

Thanks,
Dave Steele CCNP, CCDP.
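As an added illustration of the second option raised above (pools held on the NAS, ACS doing authentication and group-to-pool mapping only), this is an editor's example and not configuration from the original post or from Cisco. It shows one NAS of the pair; the design relies on the Cisco IOS TACACS+ AV pair `addr-pool=<name>`, which names a local pool rather than handing out an address, so the same pool name can map to a different address range on each NAS. The hostnames, the ACS address 192.0.2.10, the shared key, the group names and all address ranges are constructed placeholders; the ACS-side group settings that return the attribute are not shown.

```cisco
! nas1 - added example, not from the original post.
! Assumptions (all constructed): ACS at 192.0.2.10, key PLACEHOLDER_KEY,
! two user groups "sales" and "admins", nas1 owns 10.10.0.0/16.
hostname nas1
!
aaa new-model
aaa authentication ppp default group tacacs+ local
aaa authorization network default group tacacs+
tacacs-server host 192.0.2.10
tacacs-server key PLACEHOLDER_KEY
!
! Address ranges live on the NAS. ACS returns only the pool NAME for the
! user's group (TACACS+ AV pair addr-pool=sales or addr-pool=admins);
! the NAS resolves that name against its own local pools below.
ip local pool sales  10.10.1.1 10.10.1.254
ip local pool admins 10.10.2.1 10.10.2.254
!
interface Group-Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 async mode interactive
 ! fallback pool only; the addr-pool attribute from ACS overrides it
 peer default ip address pool sales
 ppp authentication chap pap
 group-range 1 16
!
! nas2 is identical except for the ranges behind the same pool names,
! so ACS needs no knowledge of which NAS the call landed on:
!   ip local pool sales  10.20.1.1 10.20.1.254
!   ip local pool admins 10.20.2.1 10.20.2.254
!
! Firewall side (constructed, vendor-neutral), static routes per NAS:
!   10.10.0.0/16 -> nas1
!   10.20.0.0/16 -> nas2
! and access policy keyed on the group /24s across both NASes, e.g.
!   admins class = 10.10.2.0/24 + 10.20.2.0/24
!   sales  class = 10.10.1.0/24 + 10.20.1.0/24
```

The split is deliberate: routing is decided by the /16 (which NAS), access rights by the /24 (which group), so the firewall keeps only static routes and the per-group policy simply lists one prefix per NAS. Check on the NAS with `show ip local pool` after a test call that the address came from the pool matching the user's group, and on the firewall that the return path for that prefix points at the NAS the call arrived on.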
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=14175&t=14175
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]