topic Re: Overlapping NAD IPs in Network Access Control

Overlapping NAD IPs

stcnetteam — Wed, 10 Feb 2021 13:58:03 GMT

Hi,

I have noted recently that ISE allows to create two overlapped NAD objects in terms of IP. Does anyone have an idea how the matching process looks like then? In our company /24 object had preference causing issues. I am wondering if this is anywhere documented.

See example below:

Re: Overlapping NAD IPs

Mohammed al Baqari — Wed, 10 Feb 2021 17:23:19 GMT

Hi,

So the more specific NAD will take precedence when the request comes in.
NADs with no specific IPs in ISE DB will match the subnet NAD.

Quoted:

*Note *If device A has an IP address range defined, you can configure
another device B with an individual address from the range that is defined
in device A.
------------------------------

When Cisco ISE receives a RADIUS request and tries to match the request
against a network device, it does the following:

*a. *It looks for a specific IP address that matches the one in the request.

*b. *It looks up the ranges to see if the IP address in the request falls
within the range that is specified.

*c. *If both of these fail, it uses the default device definition (if
defined) to process the request.

https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_network_devices.html

**** please remember to rate useful posts

Re: Overlapping NAD IPs

stcnetteam — Sun, 21 Feb 2021 09:46:48 GMT

OK. I think concept is as follow.

Lets assume there are 4 NAD objects as follow:

TEST.IP1 = 80.80.80.0/24 (Type IP address)

TEST.IP2 = 80.80.80.30/32 (Type IP address)

TEST.IP3 = 80.80.80.16/32 (Type IP address)

TEST.IP4 = 80.80.80.8-9/32 (Type IP range)

Matching order will be:

1. TEST.IP2 and TEST.IP3 becuase the longest match

2. TEST.IP1 becuase IP address type has higher preference over IP range object

3. TEST.IP4 becuase IP range object has lower preference than IP address object

It may be miisleading becuase defining range 80.80.80.8-9/32 administrator expect that it will matched over entire subnet 80.80.80.0/24 but becuase IP range object has lower preference than IP address type its exactly oposite.

Re: Overlapping NAD IPs

Damien Miller — Mon, 22 Feb 2021 04:04:27 GMT

I'm curious if you tested that and confirmed the behavior of longest match?

Re: Overlapping NAD IPs

stcnetteam — Mon, 22 Feb 2021 07:29:43 GMT

Hi,

Actually our problem started when we had "IP range" object containing two IPs "80.80.80.8-9/32". It had been never matched despite the there were only one overlapped "80.80.80.0/24" IP address object. Then i asked this question why longer matches didint happen between "IP range" and "IP address". ISE documentation explains that type "IP address" has always higher preference over "IP range". Thats why my test provides results exacly as follow:

Compare overlapped "IP address" type objects - the one with /32 wins.
If no match then try match "IP range" object"

As i said it may be sometimes missleading