Solved: Overlapping NAD IPs

stcnetteam · ‎02-10-2021

Hi,

I have noted recently that ISE allows to create two overlapped NAD objects in terms of IP. Does anyone have an idea how the matching process looks like then? In our company /24 object had preference causing issues. I am wondering if this is anywhere documented.

See example below:

Mohammed al Baqari · ‎02-10-2021

Hi,

So the more specific NAD will take precedence when the request comes in.
NADs with no specific IPs in ISE DB will match the subnet NAD.

Quoted:

*Note *If device A has an IP address range defined, you can configure
another device B with an individual address from the range that is defined
in device A.
------------------------------

When Cisco ISE receives a RADIUS request and tries to match the request
against a network device, it does the following:

*a. *It looks for a specific IP address that matches the one in the request.

*b. *It looks up the ranges to see if the IP address in the request falls
within the range that is specified.

*c. *If both of these fail, it uses the default device definition (if
defined) to process the request.

https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_network_devices.html

**** please remember to rate useful posts

View solution in original post

Mohammed al Baqari · ‎02-10-2021

Hi,

So the more specific NAD will take precedence when the request comes in.
NADs with no specific IPs in ISE DB will match the subnet NAD.

Quoted:

*Note *If device A has an IP address range defined, you can configure
another device B with an individual address from the range that is defined
in device A.
------------------------------

When Cisco ISE receives a RADIUS request and tries to match the request
against a network device, it does the following:

*a. *It looks for a specific IP address that matches the one in the request.

*b. *It looks up the ranges to see if the IP address in the request falls
within the range that is specified.

*c. *If both of these fail, it uses the default device definition (if
defined) to process the request.

https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_network_devices.html

**** please remember to rate useful posts

stcnetteam · ‎02-21-2021

OK. I think concept is as follow.

Lets assume there are 4 NAD objects as follow:

TEST.IP1 = 80.80.80.0/24 (Type IP address)

TEST.IP2 = 80.80.80.30/32 (Type IP address)

TEST.IP3 = 80.80.80.16/32 (Type IP address)

TEST.IP4 = 80.80.80.8-9/32 (Type IP range)

Matching order will be:

1. TEST.IP2 and TEST.IP3 becuase the longest match

2. TEST.IP1 becuase IP address type has higher preference over IP range object

3. TEST.IP4 becuase IP range object has lower preference than IP address object

It may be miisleading becuase defining range 80.80.80.8-9/32 administrator expect that it will matched over entire subnet 80.80.80.0/24 but becuase IP range object has lower preference than IP address type its exactly oposite.

Damien Miller · ‎02-21-2021

I'm curious if you tested that and confirmed the behavior of longest match?

stcnetteam · ‎02-21-2021

Hi,

Actually our problem started when we had "IP range" object containing two IPs "80.80.80.8-9/32". It had been never matched despite the there were only one overlapped "80.80.80.0/24" IP address object. Then i asked this question why longer matches didint happen between "IP range" and "IP address". ISE documentation explains that type "IP address" has always higher preference over "IP range". Thats why my test provides results exacly as follow:

Compare overlapped "IP address" type objects - the one with /32 wins.
If no match then try match "IP range" object"

As i said it may be sometimes missleading