Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4381
Views
0
Helpful
2
Replies

Use NAS-IP Address to look up network device in ISE instead of source address

Go to solution
rmueller@cisco.com
Cisco Employee
Cisco Employee

‎07-12-2019 06:58 AM

Hi all,

 

to my knowledge, currently ISE uses per default the source ip address of the RADIUS-request to look up the network device. This can cause issues if there are NAT-devices between the network access device and the ISE.

 

Is there a known way to use the NAS-IP address within the RADIUS-packet to look up the network device instead?

 

Roland

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎07-17-2019 04:42 PM

Hi rmueller@cisco.com 

 

Nope - the NAS-IP-Address is not used in ISE's inbound RADIUS packet processing.  It's one of the reason's why Source NAT (SNAT) NAD breaks CoA, because ISE will never be able to perform the CoA to a device whose IP address has been source NAT'd.  ISE can send the CoA out, but the NAD's reply will be a SNAT'd UDP packet ... ISE will think the ACK never arrived. 

 

Craig Hyps famously had a phrase "SNAT for NAD is bad - SNAT for CoA is OK" - but you have to understand the IP packet flow to know what that means.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎07-13-2019 08:30 PM

Hi

I believe you're talking about wired devices.
What devices' models are you using?

Here a link that might help:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_radatt/configuration/xe-16/sec-usr-radatt-xe-16-book/sec-rad-nas-ip-cfg.html

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
Arne Bier
VIP
VIP

‎07-17-2019 04:42 PM

Hi rmueller@cisco.com 

 

Nope - the NAS-IP-Address is not used in ISE's inbound RADIUS packet processing.  It's one of the reason's why Source NAT (SNAT) NAD breaks CoA, because ISE will never be able to perform the CoA to a device whose IP address has been source NAT'd.  ISE can send the CoA out, but the NAD's reply will be a SNAT'd UDP packet ... ISE will think the ACK never arrived. 

 

Craig Hyps famously had a phrase "SNAT for NAD is bad - SNAT for CoA is OK" - but you have to understand the IP packet flow to know what that means.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents