Hundreds of Network Devices, wildcard entries - but the logs?

Marc Luethi
Level 1

Dear all

Greenfield deployment, we're expecting like 500 Switches at 100 Sites and 1500 APs sprinkled across them to submit their RADIUS-Requests to a pair of ISEs. The ISEs are not going to do device administration (TACACS) for these.

SrcIP of RADIUS requests are not entirely predictable, but will be from a well-defined IP range (one /16 for switches, one /16 for WLAN APs), w/o NAT, but currently not reverse-resolvable in DNS.

Setting Wildcard/Address Range entries in "Network Devices" of course might seem straightforward: Just add an entry called  "WLAN AP Wildcard" with /16 address range.

But then you lose some visibility in Live Log and Live Session. One can see the NAS IP address all right, but not the switch's or AP's Hostname in "Device Name" in Live Logs - the text as given in "Network Devices" will appear. Not good for the operators - they might want to see the switch's or AP's hostname.

Any suggestions you could give, short of importing a full list of APs and switches into ISE?
Will reverse DNS help to show an FQDN instead of a NAS IP address? 
Any clever RADIUS attributes to add from the Switch or WLAN-AP to help identify it? I'm thinking like
radius-server attribute 32 include-in-access-req format %h  

Thanks for your thoughts and ideas

3 Replies

Marc Luethi
Level 1

For what it's worth:

radius-server attribute 32 include-in-access-req format %h 

... does make the switch's hostname appear as "NAS Identifier" in the Authentication Detail report.
Neither Live Logs nor Live Sessions seem to be able to show this as a column. 

Arne Bier
VIP

One of the things that surprised me initially when I started working with ISE is that ISE does not process RADIUS requests based on what the NAS-IP-Address attribute contains - because the wording RFC 2865 uses makes it sound like this is the IP address the RADIUS server should be reacting on.


Instead, ISE ignores the NAS-IP-Address and takes the Source IP Address of the UDP packet - that is the lookup value into ISE's Network Devices database to perform the shared secret processing etc. And that then forms the basis of the Live Logs displays - whatever you called the Network Device (as a /32 or /whatever) is what will be displayed in the Live Logs.

Perhaps we should submit a Feature Request to have an additional "NAS IP Address" column available - it's there in the Request Details page, so it should be an easy programming job to add this to the list of columns to display. 

Whether to use the NAS-IP-Address or the UDP SRC IP to process RADIUS requests probably has pros and cons - if customers use NAT then this will probably have some implications, because the "true" NAS-IP-Address will not match the NAT'd UDP SRC IP.

My personal preference is to never use anything other than a /32 for the ISE Network Devices for the simple reasons

1) You can clearly see which device sent the request and don't need to dig into the details to see the true SRC IP

2) You know 100% which devices are out there on a subnet. 

3) ISE supports tens of thousands of NAD entries. No need to be shy 

Regarding point 2, I have a customer migrating from one RADIUS system to ISE, and the person who implemented the previous system used /24 and even /16 in some cases. The system has been in place for many years - no documentation. What a disaster.  How would I accurately know what devices are in those subnets?  Even if I can ping them, I would have to check each one to see if it's a network device that requires ISE RADIUS services. And I refuse to add those /16 into ISE, because in most parts, it overlaps with my existing /32 definitions - hence, it will be a shambles. People don't think about the long term effects of these poor decisions. 
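To make the two points in this thread concrete (the NAS-Identifier that `radius-server attribute 32 include-in-access-req format %h` adds, and ISE matching the Network Device entry on the UDP source IP rather than on attribute 4), here is an added illustration that is not from the thread or from ISE: a minimal RADIUS Access-Request builder/parser and a mock Network Devices table. The device names, the /16 and /32 entries, the sample IPs and the longest-prefix tie-break are all constructed assumptions for the demo.

```python
import ipaddress
import struct

# RFC 2865 attribute type codes used in this thread
NAS_IP_ADDRESS = 4   # what the NAD claims its address is
NAS_IDENTIFIER = 32  # hostname when "format %h" is configured on the switch/AP

def build_access_request(nas_ip, nas_id):
    """Constructed Access-Request (code 1) carrying attributes 4 and 32.
    Authenticator is zeroed: only the attribute layout matters for this demo."""
    ip_bytes = ipaddress.IPv4Address(nas_ip).packed
    id_bytes = nas_id.encode()
    attrs = struct.pack("!BB", NAS_IP_ADDRESS, 2 + len(ip_bytes)) + ip_bytes
    attrs += struct.pack("!BB", NAS_IDENTIFIER, 2 + len(id_bytes)) + id_bytes
    # header: code, identifier, length, 16-byte authenticator
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs

def parse_attributes(packet):
    """Walk the type/length/value list that follows the 20-byte RADIUS header."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    found, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed RADIUS attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == NAS_IP_ADDRESS:
            found["NAS-IP-Address"] = str(ipaddress.IPv4Address(value))
        elif atype == NAS_IDENTIFIER:
            found["NAS-Identifier"] = value.decode(errors="replace")
        pos += alen
    return found

# Mock "Network Devices" table: a /16 wildcard entry beside a /32 entry (constructed)
NETWORK_DEVICES = {
    "WLAN AP Wildcard": ipaddress.ip_network("10.20.0.0/16"),
    "sw-site01-core": ipaddress.ip_network("10.10.1.1/32"),
}

def lookup_nad(udp_src_ip):
    """Mimic ISE: the UDP source IP, not attribute 4, selects the Network Device.
    Assumption for the demo: the most specific (longest-prefix) entry wins."""
    addr = ipaddress.ip_address(udp_src_ip)
    hits = [(net.prefixlen, name) for name, net in NETWORK_DEVICES.items() if addr in net]
    return max(hits)[1] if hits else None

def live_log_row(udp_src_ip, packet):
    """What an operator would see: Device Name comes from the table entry,
    the real hostname only surfaces if NAS-Identifier was sent."""
    return {"Device Name": lookup_nad(udp_src_ip), "NAS IP": udp_src_ip,
            **parse_attributes(packet)}
```

Feeding a packet with the switch's hostname in attribute 32 through a /16 entry shows why "Device Name" reads "WLAN AP Wildcard" while the hostname is only in the attribute detail, and passing a different source IP than attribute 4 reproduces the NAT mismatch Arne describes.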

@Arne Bier gives you some great advice.

I think everything you asked about is covered in

Managing Network Devices in ISE 2022-04-05

01:12 ISE and Network Devices
01:46 ISE Compatibility with RADIUS and TACACS
02:06 Network Device Scale in ISE
03:09 RADIUS Protocol Overview
07:25 RADIUS Access Request & Response Attribute/Value Pairs
10:44 Network Devices MUST be defined in ISE
11:13 Join Active Directory with Groups
13:30 Create Employee Authorization Profile
15:44 Create Employee Authorization Rule with Active Directory Group
16:56 Disable Suppression of repeated Failures and Success
17:36 Enable Repository and Packet Capture
19:10 RADIUS with an Undefined Network Device
21:08 Enable and Use the Default Network Device
24:43 Network Device with an IP Range
26:30 Network Device with a Specific IP Address
28:00 Packet Capture Review
31:46 Network Device Groups (NDGs)
34:12 CSV Export & Import of NDGs and Network Devices
42:48 CSCwa00729 All NADs get deleted
43:32 Cisco Notification Service
44:07 RADIUS DTLS
47:23 Non-Cisco Network Device Support
52:27 Import RADIUS Vendor Specific Attributes
55:02 Network Device Admin RBAC with AD
57:18 Automation with Ansible
58:14 Resources

Network Access Device Capabilities: https://cs.co/nad-capabilities
ISE Compatibility Guides: https://cs.co/ise-compatibility
Configure RADIUS DTLS on Identity Services Engine
How to Create ISE Network Access Device Profiles
ISE Third-Party NAD Profiles and Configs
For download: RADIUS Vendor Dictionaries for 3rd Parties