02-01-2019 01:30 PM
Greetings,
The following question is related to the RADIUS communication between an ASA and ISE for CoA:
I am working with a customer who has a requirement to combine authorization attributes from both ISE (posture requirements) and Radiator (VLAN assignment) into a single RADIUS AAA response. Ideally we would like ISE to be the primary RADIUS server with Radiator as an external RADIUS server. However, it is our understanding that ISE cannot combine internal/external authorization attributes (it either passes on (proxies) authorization attributes from the external RADIUS server or ignores attributes from the external RADIUS server and invokes ISE authorization attributes).
We would like to set up a test environment with Radiator as the primary RADIUS server and ISE as the external RADIUS server. Any (posture-related) attributes from ISE will be passed on to Radiator, which will augment this with additional attributes (VLAN) and forward this to the ASA.
Question: What information does ISE use to identify the correct NAD (ASA) when sending a CoA? Does it use a RADIUS attribute ("Called-Station-ID" or "NAS-IP-Address") or the original IP address from the UDP packet?
Regards,
Rob
02-01-2019 01:45 PM
02-02-2019 05:33 AM
As Mohammed stated, it will use the NAS-IP-Address since the network device (ASA) is responsible for being the authenticator during the process that will ultimately grant access & authorize the supplicant based on your posture status conditions configured in ISE.
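Added illustration, not part of the thread and not Cisco or Radiator code: in the proxied topology from the question, the NAS-IP-Address attribute inside the Access-Request and the UDP source address seen by the downstream server name different hosts. This Python sketch parses the RFC 2865 attributes of a constructed Access-Request and reports both values; the IP addresses are documentation-range placeholders, and it assumes the proxy forwards NAS-IP-Address unchanged.

```python
import ipaddress
import struct

# RADIUS attribute type numbers from RFC 2865
NAS_IP_ADDRESS = 4
CALLED_STATION_ID = 30

def build_access_request(identifier, attrs):
    """Build a minimal Access-Request (code 1) as test input; authenticator zeroed."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet):
    """Return {type: [raw values]} after validating the RFC 2865 length fields."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def nad_identity(packet, udp_source_ip):
    """Report the NAS-IP-Address attribute beside the UDP source address."""
    attrs = parse_attributes(packet)
    raw = attrs.get(NAS_IP_ADDRESS, [None])[0]
    nas_ip = str(ipaddress.IPv4Address(raw)) if raw and len(raw) == 4 else None
    called = attrs.get(CALLED_STATION_ID, [b""])[0].decode("ascii", "replace") or None
    return {"nas_ip_address": nas_ip, "called_station_id": called,
            "udp_source": udp_source_ip,
            "addresses_differ": nas_ip is not None and nas_ip != udp_source_ip}

# Constructed sample: ASA at 192.0.2.10, request relayed by a proxy at 198.51.100.5
SAMPLE = build_access_request(7, [
    (NAS_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.10").packed),
    (CALLED_STATION_ID, b"192.0.2.10"),
])

if __name__ == "__main__":
    print(nad_identity(SAMPLE, "198.51.100.5"))
```

Running the same check against a capture taken on the downstream server shows which address is available to it for matching the network device definition.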