topic Re: ISE3 log display bug in Network Access Control

ISE3 log display bug

Alex Pashko — Fri, 15 Apr 2022 11:18:32 GMT

Hello everibody!

We’ve found a log display bug on Cisco ISE 3 - in the Network Devices the name VC-FL-3-2 maps to the IP/Mask: 192.168.254.X/32 (the last octet is hidden for the security reason), and in the Live logs it displayed in the same way and it is correct,but in the Authentication Details for this device (VC-FL-3-2) it displayed with another IP address (NAS IPv4 - 192.168.254.Y), However actually, this IP address belongs to another device Altuf_Cat3560_l3 (see the screenshot in the attachment)

Could you please the information how to troubleshoot it?

Re: ISE3 log display bug

Arne Bier — Sat, 16 Apr 2022 08:35:25 GMT

Hello @Alex Pashko

It's not a bug.

ISE processes every RADIUS request by looking at the UDP packet's Source IP Address - it compares the source IP address against the IP address in Network Devices and processes the Policy Set accordingly. This means that the NAS IP Address is not used by ISE for anything internally. NAS IP Address is a RADIUS attribute that is configured by the NAS and its value is meaningless to ISE.

As an example, the command below sets the NAS IP Address attribute on a Cisco switch to some arbitrary value of 1.2.3.4

radius-server attribute 4 1.2.3.4

And then it processes the request in ISE correctly because ISE doesn't care about this value for Policy Set logic.

I think folks use NAS IP Address mostly when there is SNAT (Source NAT) involved and the original source IP of the NAS address is lost when a load balancer performs SNAT. By looking at the NAS IP Address you can still determine the exact source of the packet - BUT - you need to pick this attribute out during AuthN/AuthZ processing.

Re: ISE3 log display bug

thomas — Fri, 15 Apr 2022 23:24:53 GMT

If you think there is a bug for anything in ISE, please call TAC and report it with the necessary documentation for reproducibility.