ASA - ISE COA communications

Robertus Bleeker
Cisco Employee

Greetings,

The following question is related to the RADIUS communication between an ASA and ISE for CoA:

 

I am working with a customer who has a requirement to combine authorization attributes from both ISE (posture requirements) and Radiator (VLAN assignment) into a single RADIUS AAA response. Ideally we would like ISE to be the primary RADIUS server with Radiator as an external RADIUS server. However, it is our understanding that ISE cannot combine internal/external authorization attributes (it either passes on (proxies) the authorization attributes from the external RADIUS server, or ignores the attributes from the external RADIUS server and invokes the ISE authorization attributes).

 

We would like to set up a test environment with Radiator as the primary RADIUS server and ISE as the external RADIUS server. Any (posture-related) attributes from ISE will be passed on to Radiator, which will augment them with additional attributes (VLAN) and forward them to the ASA.

 

Question: What information does ISE use to identify the correct NAD (ASA) when sending a CoA? Does it use a RADIUS attribute ("Called-Station-ID" or "NAS-IP-Address") or the original IP address from the UDP packet?

 

Regards,

Rob

Accepted Solutions

NAS-IP-Address is used. The source IP can be different if you NAT the packet, for example (although I haven't seen RADIUS behind NAT before).

Mike.Cifelli
VIP Alumni

As Mohammed stated, it will use the NAS-IP-Address since the network device (ASA) is responsible for being the authenticator during the process that will ultimately grant access & authorize the supplicant based on your posture status conditions configured in ISE.
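
An added illustration, not part of the thread and not Cisco or Radiator code: in the proxy design the question describes, the request reaching ISE has the proxy as its UDP source while NAS-IP-Address (RFC 2865 attribute 4) still names the ASA. The sketch below parses a constructed Access-Request and reports both values; the addresses, the function names, and the assumption that the proxy forwards NAS-IP-Address unchanged are all hypothetical.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4      # RFC 2865 attribute type
CALLED_STATION_ID = 30  # RFC 2865 attribute type
ACCESS_REQUEST = 1      # RFC 2865 packet code


def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: [raw values]} from a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not match the datagram")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs


def nad_identity(packet: bytes, udp_source: str) -> dict:
    """Compare the packet's UDP source with its NAS-IP-Address attribute."""
    raw = parse_attributes(packet).get(NAS_IP_ADDRESS, [None])[0]
    nas_ip = str(ipaddress.IPv4Address(raw)) if raw and len(raw) == 4 else None
    return {"udp_source": udp_source, "nas_ip_address": nas_ip,
            "differs": nas_ip is not None and nas_ip != udp_source}


def build_access_request(nas_ip: str, called_station: bytes) -> bytes:
    """Build a constructed sample Access-Request (zeroed authenticator)."""
    attrs = bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    attrs += bytes([CALLED_STATION_ID, 2 + len(called_station)]) + called_station
    header = struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs)) + bytes(16)
    return header + attrs


# Constructed scenario: ASA at 192.0.2.10, proxy at 198.51.100.5.
SAMPLE = build_access_request("192.0.2.10", b"192.0.2.10")

if __name__ == "__main__":
    print(nad_identity(SAMPLE, "198.51.100.5"))
```

Running the same comparison on a capture taken at ISE shows which address the CoA would be sent to and whether that device is defined as a network device there.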