https://community.cisco.com/t5/network-access-control/use-nas-ip-address-to-look-up-network-device-in-ise-instead-of/m-p/3892319#M542528 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/523113">rmueller@cisco.com</a>&nbsp;</P> <P>&nbsp;</P> <P>Nope - the NAS-IP-Address is not used in ISE's inbound RADIUS packet processing.&nbsp; It's one of the reason's why Source NAT (SNAT) NAD breaks CoA, because ISE will never be able to perform the CoA to a device whose IP address has been source NAT'd.&nbsp; ISE can send the CoA out, but the NAD's reply will be a SNAT'd UDP packet ... ISE will think the ACK never arrived.&nbsp;</P> <P>&nbsp;</P> <P>Craig Hyps famously had a phrase "SNAT for NAD is bad - SNAT for CoA is OK" - but you have to understand the IP packet flow to know what that means.</P> Wed, 17 Jul 2019 23:42:37 GMT Arne Bier 2019-07-17T23:42:37Z https://community.cisco.com/t5/network-access-control/use-nas-ip-address-to-look-up-network-device-in-ise-instead-of/m-p/3889270#M542473 <P dir="ltr">Hi all,</P> <P dir="ltr">&nbsp;</P> <P dir="ltr">to my knowledge, currently ISE uses per default the source ip address of the RADIUS-request&nbsp;to look up the network device. This can cause issues if there are NAT-devices between the network access device and the ISE.</P> <P dir="ltr">&nbsp;</P> <P dir="ltr">Is there a known way to use the&nbsp;<SPAN>NAS-IP address within the RADIUS-packet to look up the network device instead?</SPAN></P> <P dir="ltr">&nbsp;</P> <P dir="ltr"><SPAN>Roland</SPAN></P> Fri, 12 Jul 2019 13:58:14 GMT https://community.cisco.com/t5/network-access-control/use-nas-ip-address-to-look-up-network-device-in-ise-instead-of/m-p/3889270#M542473 rmueller@cisco.com 2019-07-12T13:58:14Z https://community.cisco.com/t5/network-access-control/use-nas-ip-address-to-look-up-network-device-in-ise-instead-of/m-p/3889787#M542485 Hi<BR /><BR />I believe you're talking about wired devices.<BR />What devices' models are you using?<BR /><BR />Here a link that might help:<BR /><A href="https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_radatt/configuration/xe-16/sec-usr-radatt-xe-16-book/sec-rad-nas-ip-cfg.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_radatt/configuration/xe-16/sec-usr-radatt-xe-16-book/sec-rad-nas-ip-cfg.html</A> Sun, 14 Jul 2019 03:30:37 GMT https://community.cisco.com/t5/network-access-control/use-nas-ip-address-to-look-up-network-device-in-ise-instead-of/m-p/3889787#M542485 Francesco Molino 2019-07-14T03:30:37Z https://community.cisco.com/t5/network-access-control/use-nas-ip-address-to-look-up-network-device-in-ise-instead-of/m-p/3892319#M542528 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/523113">rmueller@cisco.com</a>&nbsp;</P> <P>&nbsp;</P> <P>Nope - the NAS-IP-Address is not used in ISE's inbound RADIUS packet processing.&nbsp; It's one of the reason's why Source NAT (SNAT) NAD breaks CoA, because ISE will never be able to perform the CoA to a device whose IP address has been source NAT'd.&nbsp; ISE can send the CoA out, but the NAD's reply will be a SNAT'd UDP packet ... ISE will think the ACK never arrived.&nbsp;</P> <P>&nbsp;</P> <P>Craig Hyps famously had a phrase "SNAT for NAD is bad - SNAT for CoA is OK" - but you have to understand the IP packet flow to know what that means.</P> Wed, 17 Jul 2019 23:42:37 GMT https://community.cisco.com/t5/network-access-control/use-nas-ip-address-to-look-up-network-device-in-ise-instead-of/m-p/3892319#M542528 Arne Bier 2019-07-17T23:42:37Z