Radius Network Access Device IP Field for Identification

Patrick Lloyd
Cisco Employee

Hi Team,

My customer has asked whether we have considered, or may have in the future, the possibility of identifying network access devices by the IP contained within the RADIUS packet, as opposed to the layer 3 source IP address. This would allow a NAT to occur when a customer is using a load balancer between their PSNs and NADs. Has this been discussed at all?

1 Accepted Solution

Accepted Solutions

Craig Hyps
Level 10

The issue is not so much the NAT of the source IP of the NAD, but rather the fact that CoA is initiated by the PSN and is based on the source IP. You can certainly load balance based on the source IP, even if source NATted.

Two caveats of LB SNAT on NAD source IP include:

  1. ISE displays the LB as the network access device (since that is the source IP seen by the PSN). Therefore, you lose some visibility without specifically looking at the NAS-IP-Address field.
  2. ISE sends CoA based on the source IP received and therefore sends CoA to the LB SNAT IP; the LB ends up dropping the packet.

We have a priority enhancement to perform CoA based on NAS-IP-Address to get around this limitation.  Please reach out to your account SE to discuss roadmap information.

Regards,
Craig


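The two caveats above come down to one distinction: the layer 3 source IP the PSN sees (the load balancer's SNAT address) versus the NAS-IP-Address attribute the NAD wrote inside the RADIUS payload. The following is an added illustration by the editor, not ISE code and not part of the original thread: it builds a constructed Access-Request by hand (Python's standard library has no RADIUS module), parses the attribute list, and shows which address a CoA would be aimed at under today's source-IP behaviour versus the requested NAS-IP-Address behaviour. The addresses, the NAS-Identifier and the user name are made up. One caveat a practitioner should keep in mind: NAS-IP-Address is client-supplied data, so anything keyed on it must only be trusted after the packet has been authenticated against the shared secret (Request Authenticator / Message-Authenticator); that check is deliberately out of scope here and is not performed.

```python
import ipaddress
import struct

# RADIUS attribute type codes from RFC 2865 used in this example
USER_NAME = 1
NAS_IP_ADDRESS = 4
NAS_IDENTIFIER = 32

# Constructed sample topology (hypothetical addresses, not from the thread)
NAD_IP = "10.1.1.10"      # the real switch behind the load balancer
LB_SNAT_IP = "10.9.9.1"   # source address the PSN sees after SNAT


def build_access_request(packet_id: int, nas_ip: str, nas_id: str, user: str) -> bytes:
    """Build a minimal RADIUS Access-Request (code 1).

    The 16-byte Request Authenticator is left as zeros because this is a
    constructed sample packet, not one captured from a real NAD.
    """
    attrs = b""
    attrs += struct.pack("!BB", USER_NAME, 2 + len(user)) + user.encode()
    attrs += struct.pack("!BB", NAS_IP_ADDRESS, 6) + ipaddress.IPv4Address(nas_ip).packed
    attrs += struct.pack("!BB", NAS_IDENTIFIER, 2 + len(nas_id)) + nas_id.encode()
    length = 20 + len(attrs)  # code(1) + id(1) + length(2) + authenticator(16) + AVPs
    return struct.pack("!BBH", 1, packet_id, length) + bytes(16) + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the RADIUS AVP list and return {type: value_bytes}.

    Length fields are checked before every read so a malformed packet raises
    ValueError instead of the parser reading past the buffer.
    """
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    _code, _pid, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs = {}
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length for attribute type {atype}")
        attrs[atype] = packet[pos + 2 : pos + alen]
        pos += alen
    return attrs


def nas_ip_address(packet: bytes):
    """Return the NAS-IP-Address attribute as dotted quad, or None if absent/malformed."""
    raw = parse_attributes(packet).get(NAS_IP_ADDRESS)
    if raw is None or len(raw) != 4:
        return None
    return str(ipaddress.IPv4Address(raw))


def coa_target(source_ip: str, packet: bytes, key_on_nas_ip: bool) -> str:
    """Decide where a CoA for this session would be sent.

    key_on_nas_ip=False models the behaviour described in the thread: CoA goes
    to the layer 3 source IP of the request (the LB SNAT address when a load
    balancer is in the path). key_on_nas_ip=True models the requested
    enhancement: use NAS-IP-Address from inside the packet, falling back to the
    source IP when the attribute is missing.
    """
    if key_on_nas_ip:
        nas = nas_ip_address(packet)
        if nas is not None:
            return nas
    return source_ip


# Constructed sample request as the PSN would receive it after the LB SNAT
SAMPLE_PACKET = build_access_request(7, NAD_IP, "sw-edge-01", "alice")

if __name__ == "__main__":
    print("NAS-IP-Address in packet:", nas_ip_address(SAMPLE_PACKET))
    print("CoA keyed on source IP  :", coa_target(LB_SNAT_IP, SAMPLE_PACKET, key_on_nas_ip=False))
    print("CoA keyed on NAS-IP-Addr:", coa_target(LB_SNAT_IP, SAMPLE_PACKET, key_on_nas_ip=True))
```

Run stand-alone, the first CoA target is the LB SNAT address (the packet the LB would drop, caveat 2), the second is the switch itself. The same parser shows why caveat 1 arises: the device identity that is visible without inspecting the payload is only the source IP.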

kthiruve
Cisco Employee

Hi Patrick,

If you are referring to the NAS IP address, this is currently available as an attribute that can be added to policy set criteria.

Based on the policy set criteria, authentication and authorization policies are applied.

In fact, ISE has tons of attributes that can be used as conditions in policy set criteria, including Device IP address, etc. Here are the attributes that ISE currently supports for network access.

ISE Network Access Attributes

Thanks

Krishnan
