11-16-2016 04:40 PM
Hi Team,
My customer has asked whether we have considered, or may have the possibility in the future, to identify network access devices by the IP contained within the RADIUS packet, as opposed to the layer 3 source IP address. This would allow for a NAT to occur when a customer is using a load balancer between their PSNs and NADs. Has this been discussed at all?
11-17-2016 12:27 PM
The issue is not so much the NAT of the source IP of NAD, but rather the fact that CoA is initiated by PSN and is based on the source IP. You can certainly load balance based on the source IP, even if Source NATted.
Two caveats of LB SNAT on NAD source IP include:
We have a priority enhancement to perform CoA based on NAS-IP-Address to get around this limitation. Please reach out to your account SE to discuss roadmap information.
Regards,
Craig
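A worked illustration of the CoA targeting problem Craig describes, as an added example (not from this thread and not ISE code): it parses the NAS-IP-Address attribute out of a constructed RADIUS Access-Request, flags when that address differs from the layer-3 source (the signature of a load balancer doing SNAT), and shows which address CoA would be sent to under today's source-IP behaviour versus the NAS-IP-Address enhancement. The addresses and the username are hypothetical values made up for the example.

```python
import ipaddress
import struct

# RADIUS attribute types from RFC 2865.
USER_NAME = 1
NAS_IP_ADDRESS = 4

def parse_radius_attrs(packet: bytes) -> dict:
    """Walk the TLV attribute list after the 20-byte RADIUS header."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field inconsistent with datagram size")
    attrs, pos = {}, 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def nad_addresses(packet: bytes, l3_source: str) -> dict:
    """Compare the NAD's self-reported NAS-IP-Address with the L3 source."""
    values = parse_radius_attrs(packet).get(NAS_IP_ADDRESS, [])
    nas_ip = str(ipaddress.IPv4Address(values[0])) if values and len(values[0]) == 4 else None
    return {"source_ip": l3_source, "nas_ip_address": nas_ip,
            "snat_in_path": nas_ip is not None and nas_ip != l3_source}

def coa_target(info: dict, use_nas_ip: bool) -> str:
    """Today the PSN addresses CoA to the L3 source; the enhancement would
    use NAS-IP-Address, which a load balancer's SNAT does not rewrite."""
    if use_nas_ip and info["nas_ip_address"]:
        return info["nas_ip_address"]
    return info["source_ip"]

def build_access_request(nas_ip: str, user: bytes) -> bytes:
    """Constructed Access-Request (code 1, id 7) with a zeroed authenticator."""
    attrs = bytes([USER_NAME, 2 + len(user)]) + user
    attrs += bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + b"\x00" * 16 + attrs

if __name__ == "__main__":
    # Hypothetical addresses: NAD at 10.1.1.5, load balancer SNAT to 10.9.9.1.
    pkt = build_access_request("10.1.1.5", b"alice")
    info = nad_addresses(pkt, "10.9.9.1")
    print(info, coa_target(info, False), coa_target(info, True))
```

When `snat_in_path` is true, CoA sent to the source address reaches the load balancer rather than the NAD, which is the limitation the thread is about.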
11-17-2016 10:13 AM
Hi Patrick,
If you are referring to NAS IP address, this is currently available as an attribute that can be added to create a policy set criteria.
Based on the policy set criteria, authentication and authorization policies are applied.
In fact, ISE has tons of attributes that can be used as conditions to create a policy set criteria including Device IP address etc. Here are the attributes that ISE supports currently for network access.
Thanks
Krishnan