
Cisco Wireless LAN controller as radius client of a Microsoft NPS server that sits behind NAT device

HyeonCheol Cho
Level 1

Hi gurus,

Has anyone implemented RADIUS communication across NAT that translates the IP address of the RADIUS client with one-to-one static translation?

In this scenario, Cisco Wireless LAN controllers are the clients of RADIUS services that are provided by MS NPS servers. The NAD device translates the IP of the RADIUS client.

So, RADIUS request packets seen on the server side appear to originate from the NATed IP address.

In the RADIUS response packet, it normally includes the NAS IP as one of the attributes. But, as the NPS server got the packets with the NATed IP of the client, it appears that the NAS IP in the RADIUS response packet is the NATed IP, which is different from the real IP of the NAS.

Has anyone ever implemented this before?

2 Replies

Philip D'Ath
VIP Alumni

I would re-engineer this to not have to send RADIUS packets through NAT. I think you are begging to have issues.

Thank you for your opinion.

There are some cornerstones where you have no other options. IP conflict during mergers, acquisitions, etc.
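
An added example, not part of the thread and not Cisco or Microsoft code: it parses a constructed RADIUS Access-Request (RFC 2865 layout) and compares the NAS-IP-Address attribute (type 4) in the payload with the source address the server sees, which is the address RFC 2865 has the server use to select the client's shared secret. It assumes the NAT device rewrites only the IP header and leaves the RADIUS payload untouched; the addresses and function names are made up for illustration.

```python
import ipaddress
import struct

ACCESS_REQUEST = 1   # RFC 2865 packet code
USER_NAME = 1        # RFC 2865 attribute types
NAS_IP_ADDRESS = 4

def build_access_request(identifier, attrs):
    """Build a sample Access-Request (zeroed authenticator, for parsing only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + bytes(16) + body

def parse_attributes(packet):
    """Return [(type, value)] from a RADIUS packet; reject malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def compare_nas_ip(packet, source_ip):
    """Compare NAS-IP-Address in the payload with the source IP the server saw."""
    for atype, value in parse_attributes(packet):
        if atype == NAS_IP_ADDRESS and len(value) == 4:
            nas_ip = str(ipaddress.IPv4Address(value))
            return {"source_ip": source_ip, "nas_ip": nas_ip,
                    "match": nas_ip == source_ip}
    return {"source_ip": source_ip, "nas_ip": None, "match": None}

# Constructed sample values (not taken from the thread).
REAL_WLC_IP = "10.10.10.5"   # address configured on the controller
NATED_IP = "192.0.2.5"       # address the server sees after static NAT
SAMPLE = build_access_request(1, [
    (USER_NAME, b"alice"),
    (NAS_IP_ADDRESS, ipaddress.IPv4Address(REAL_WLC_IP).packed),
])

if __name__ == "__main__":
    print(compare_nas_ip(SAMPLE, NATED_IP))     # behind NAT: mismatch
    print(compare_nas_ip(SAMPLE, REAL_WLC_IP))  # no NAT: match
```

Run against a capture taken on the server side, a mismatch shows which address a RADIUS client entry keyed on source IP has to use and which address a policy condition on NAS-IP-Address would see.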