ISE3 log display bug

Alex Pashko
Level 1

Hello everybody!

We've found a log display bug on Cisco ISE 3: in the Network Devices, the name VC-FL-3-2 maps to the IP/Mask 192.168.254.X/32 (the last octet is hidden for security reasons), and in the Live Logs it is displayed the same way, which is correct, but in the Authentication Details for this device (VC-FL-3-2) it is displayed with another IP address (NAS IPv4 - 192.168.254.Y). However, this IP address actually belongs to another device, Altuf_Cat3560_l3 (see the screenshot in the attachment).

Could you please provide information on how to troubleshoot it?

1 Accepted Solution

Accepted Solutions

Arne Bier
VIP

Hello @Alex Pashko

It's not a bug.

ISE processes every RADIUS request by looking at the UDP packet's Source IP Address - it compares the source IP address against the IP address in Network Devices and processes the Policy Set accordingly. This means that the NAS IP Address is not used by ISE for anything internally. NAS IP Address is a RADIUS attribute that is configured by the NAS and its value is meaningless to ISE.

As an example, the command below sets the NAS IP Address attribute on a Cisco switch to some arbitrary value of 1.2.3.4

radius-server attribute 4 1.2.3.4

And then it processes the request in ISE correctly because ISE doesn't care about this value for Policy Set logic.

[screenshot: nas1.PNG]

I think folks use NAS IP Address mostly when there is SNAT (Source NAT) involved and the original source IP of the NAS address is lost when a load balancer performs SNAT. By looking at the NAS IP Address you can still determine the exact source of the packet - BUT - you need to pick this attribute out during AuthN/AuthZ processing.
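The distinction Arne describes (ISE matches the UDP source address against the Network Devices table, while NAS-IP-Address is just RADIUS attribute 4 as set by the NAS) can be made concrete by parsing an Access-Request and doing both lookups side by side. The script below is an added example written for this page; it is not ISE code or anything posted in the thread. It assumes the RFC 2865 packet layout (20-byte header, then type/length/value attributes), uses the device names from the thread with constructed placeholder addresses from the documentation range 192.0.2.0/24, and builds its own sample packets, so it runs offline. The first scenario reproduces the `radius-server attribute 4 1.2.3.4` case; the second shows the SNAT case where only attribute 4 still identifies the original switch.

```python
"""Compare the UDP source address of a RADIUS request with its NAS-IP-Address
attribute, mirroring what ISE does (source IP lookup) versus what the
Authentication Details page shows (the attribute value)."""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

# RADIUS attribute types used here (RFC 2865)
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_IDENTIFIER = 32
RADIUS_HEADER_LEN = 20  # code, identifier, length, 16-byte authenticator

# Constructed stand-in for the ISE "Network Devices" table: name -> IP/mask.
# Device names are from the thread; the addresses are placeholders from the
# 192.0.2.0/24 documentation range, not the real (redacted) ones.
NETWORK_DEVICES = {
    "VC-FL-3-2": "192.0.2.10/32",
    "Altuf_Cat3560_l3": "192.0.2.20/32",
}


def build_access_request(identifier: int, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Build a minimal Access-Request (code 1) with a zero authenticator.
    Good enough for parsing tests; no Message-Authenticator is computed."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", 1, identifier, RADIUS_HEADER_LEN + len(body))
    return header + bytes(16) + body


def parse_radius_attributes(packet: bytes) -> Dict[int, List[bytes]]:
    """Walk the attribute TLVs after the header; reject truncated or oversized ones."""
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < RADIUS_HEADER_LEN or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs: Dict[int, List[bytes]] = {}
    pos = RADIUS_HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length for attribute {atype}")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def lookup_network_device(devices: Dict[str, str], ip: str) -> Optional[str]:
    """Longest-prefix match of an address against the Network Devices table.
    This is the lookup ISE performs with the UDP source address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, cidr in devices.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None


def check_request(devices: Dict[str, str], src_ip: str, packet: bytes) -> dict:
    """Resolve the device both ways and flag when attribute 4 disagrees
    with the source address the request actually came from."""
    attrs = parse_radius_attributes(packet)
    nas_ip = None
    raw = attrs.get(ATTR_NAS_IP_ADDRESS)
    if raw and len(raw[0]) == 4:  # attribute 4 is a 4-byte IPv4 address
        nas_ip = str(ipaddress.IPv4Address(raw[0]))
    nas_id = attrs.get(ATTR_NAS_IDENTIFIER, [b""])[0].decode("utf-8", "replace") or None
    return {
        "source_ip": src_ip,
        "matched_device": lookup_network_device(devices, src_ip),  # what ISE uses
        "nas_ip_address": nas_ip,                                  # what the details page shows
        "nas_ip_device": lookup_network_device(devices, nas_ip) if nas_ip else None,
        "nas_identifier": nas_id,
        "mismatch": nas_ip is not None and nas_ip != src_ip,
    }


if __name__ == "__main__":
    # Scenario 1: the switch VC-FL-3-2 is configured with
    # "radius-server attribute 4 1.2.3.4"; the policy still matches by source IP.
    pkt = build_access_request(7, [(ATTR_USER_NAME, b"alice"),
                                   (ATTR_NAS_IP_ADDRESS, bytes([1, 2, 3, 4]))])
    print(check_request(NETWORK_DEVICES, "192.0.2.10", pkt))

    # Scenario 2: a load balancer SNATs the request (constructed address
    # 192.0.2.250, not in the table); only attribute 4 names the real switch.
    snat = build_access_request(8, [(ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 20]))])
    print(check_request(NETWORK_DEVICES, "192.0.2.250", snat))
```

When troubleshooting a report like the one above, a mismatch with `matched_device` set is the benign case Arne describes (the NAS simply sends a different attribute 4); a request with `matched_device` of None but a valid `nas_ip_device` points at SNAT or a missing Network Device entry.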

thomas
Cisco Employee

If you think there is a bug for anything in ISE, please call TAC and report it with the necessary documentation for reproducibility.