CWA with guest users sitting behind NAT/PAT

giosif
Cisco Employee

Hello,

Does anyone see any problem with a setup where the wireless guest users are being (source) NAT/PAT-ed on the way towards the PSN for CWA?

So, just to make it clear: it is the IP addresses of the guest devices that get NAT/PAT-ed, not the PSN address.

I think this should work fine, as the PSN shouldn't care what IP the client appears to be connecting from, as long as the URL contains the correct session ID.

Could someone please confirm, though?

Also, a follow-up question: what will ISE log as the IP address for that guest client - the actual client IP or the NAT/PAT IP?

I suspect it is the former, as that is what the WLC will send to ISE in the RADIUS packets, but can someone please confirm this as well?

Thanks!

Accepted Solutions

Jason Kunst
Cisco Employee

Please see response in community already answered - https://communities.cisco.com/thread/85256?start=0&tstart=0

The IP address in ISE logs is the actual client IP learned from the network access side of things (wireless controller).

Oh!

And I did search for it beforehand (obviously, not well enough).

Thanks for the answers, Jason!
