Overlapping NAD IPs

stcnetteam
Level 1

Hi,

I have noted recently that ISE allows creating two NAD objects with overlapping IP definitions. Does anyone have an idea what the matching process looks like then? In our company, the /24 object had preference, causing issues. I am wondering whether this is documented anywhere.

See example below:

[screenshot: download.png]

Accepted Solution

Hi,

So the more specific NAD will take precedence when the request comes in.
NADs with no specific IPs in the ISE DB will match the subnet NAD.

Quoted:

Note: If device A has an IP address range defined, you can configure
another device B with an individual address from the range that is defined
in device A.
------------------------------

When Cisco ISE receives a RADIUS request and tries to match the request
against a network device, it does the following:

a. It looks for a specific IP address that matches the one in the request.

b. It looks up the ranges to see if the IP address in the request falls
within the range that is specified.

c. If both of these fail, it uses the default device definition (if
defined) to process the request.


https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_network_devices.html

**** please remember to rate useful posts

4 Replies



OK. I think the concept is as follows.

Let's assume there are 4 NAD objects as follows:

TEST.IP1 = 80.80.80.0/24 (Type IP address)

TEST.IP2 = 80.80.80.30/32 (Type IP address)

TEST.IP3 = 80.80.80.16/32 (Type IP address)

TEST.IP4 = 80.80.80.8-9/32 (Type IP range)

Matching order will be:

1. TEST.IP2 and TEST.IP3, because of the longest match

2. TEST.IP1, because the IP address type has higher preference over the IP range object

3. TEST.IP4, because the IP range object has lower preference than the IP address object

It may be misleading, because when defining the range 80.80.80.8-9/32 the administrator expects that it will be matched over the entire subnet 80.80.80.0/24, but because the IP range object has lower preference than the IP address type, it is exactly the opposite.

I'm curious whether you tested that and confirmed the longest-match behavior?

 

Hi,

 

Actually, our problem started when we had an "IP range" object containing two IPs, "80.80.80.8-9/32". It was never matched, despite there being only one overlapping "80.80.80.0/24" IP address object. Then I asked this question: why didn't the longer match happen between "IP range" and "IP address"? ISE documentation explains that the "IP address" type always has higher preference over "IP range". That's why my test provides results exactly as follows:

  1. Compare overlapping "IP address" type objects; the one with /32 wins.
  2. If there is no match, then try to match the "IP range" object.

As I said, it may sometimes be misleading.
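To make the precedence described in this thread checkable before it bites, here is an added example (not from the thread or from Cisco) that replays the quoted matching order over the four TEST.IP objects and flags IP-range objects that an IP-address object completely shadows. The NAD table is constructed for illustration; ranges are written as first-last rather than in the ISE "8-9/32" shorthand.

```python
import ipaddress

# Constructed NAD table with the four objects from the thread. kind is "ip"
# (IP-address type, CIDR) or "range" (IP-range type, written here as
# first-last; the 80.80.80.8-9/32 object from the post is TEST.IP4).
NADS = [
    ("TEST.IP1", "ip", "80.80.80.0/24"),
    ("TEST.IP2", "ip", "80.80.80.30/32"),
    ("TEST.IP3", "ip", "80.80.80.16/32"),
    ("TEST.IP4", "range", "80.80.80.8-80.80.80.9"),
]

def _longest_ip_match(ip, nads):
    """Step (a): among IP-address type objects, the longest prefix wins."""
    best = None
    for name, kind, value in nads:
        if kind != "ip":
            continue
        net = ipaddress.ip_network(value, strict=False)
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None

def match_nad(src_ip, nads=NADS, default="DEFAULT"):
    """NAD selected for a RADIUS source IP, in the quoted order: (a) IP-address
    objects, (b) IP-range objects, (c) the default device definition."""
    ip = ipaddress.ip_address(src_ip)
    hit = _longest_ip_match(ip, nads)
    if hit:
        return hit
    for name, kind, value in nads:      # step (b): first covering range wins
        if kind == "range":
            first, last = (ipaddress.ip_address(p) for p in value.split("-"))
            if first <= ip <= last:
                return name
    return default                      # step (c)

def shadowed_ranges(nads=NADS):
    """Config check: IP-range objects that can never be selected because every
    address in the range already falls inside some IP-address type object."""
    shadowed = []
    for name, kind, value in nads:
        if kind == "range":
            first, last = (ipaddress.ip_address(p) for p in value.split("-"))
            addrs = (first + i for i in range(int(last) - int(first) + 1))
            if all(_longest_ip_match(a, nads) for a in addrs):
                shadowed.append(name)
    return shadowed
```

Running `shadowed_ranges()` on this table reports TEST.IP4, which is exactly the object the thread found was never matched; removing TEST.IP1 makes 80.80.80.8 fall through to the range as the administrator expected.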
