07-12-2019 06:58 AM
Hi all,
to my knowledge, ISE currently uses by default the source IP address of the RADIUS request to look up the network device. This can cause issues if there are NAT devices between the network access device and the ISE.
Is there a known way to use the NAS-IP address within the RADIUS-packet to look up the network device instead?
Roland
07-17-2019 04:42 PM
Nope - the NAS-IP-Address is not used in ISE's inbound RADIUS packet processing. It's one of the reasons why Source NAT (SNAT) of the NAD breaks CoA, because ISE will never be able to perform the CoA to a device whose IP address has been source NAT'd. ISE can send the CoA out, but the NAD's reply will be a SNAT'd UDP packet ... ISE will think the ACK never arrived.
Craig Hyps famously had a phrase "SNAT for NAD is bad - SNAT for CoA is OK" - but you have to understand the IP packet flow to know what that means.
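The following is an added example, not part of the thread and not Cisco's or ISE's code: it builds a minimal RADIUS Access-Request carrying a NAS-IP-Address attribute (type 4, RFC 2865), parses it back, and shows the difference between a network-device lookup keyed on the packet's L3 source address and one keyed on the NAS-IP-Address attribute when a source-NAT device sits in the path. The NAD table, device names, addresses and username are constructed for the demonstration.

```python
import os
import struct
import ipaddress
from typing import Dict, List, Optional, Tuple

# RADIUS constants from RFC 2865
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4

# Constructed network-device table, keyed by IP address the way an
# ISE-style server keys its NAD lookup (assumption for the example).
NAD_TABLE = {
    "10.1.1.10": "switch-branch-a",
    "10.1.1.11": "switch-branch-b",
}


def build_access_request(nas_ip: str, username: str, identifier: int = 1) -> bytes:
    """Build a minimal Access-Request: 20-byte header followed by TLV attributes."""
    authenticator = os.urandom(16)  # Request Authenticator is random per RFC 2865
    attrs = b""
    user = username.encode()
    attrs += struct.pack("!BB", ATTR_USER_NAME, 2 + len(user)) + user
    attrs += struct.pack("!BB", ATTR_NAS_IP_ADDRESS, 6) + ipaddress.IPv4Address(nas_ip).packed
    length = 20 + len(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + attrs


def parse_attributes(packet: bytes) -> Dict[int, List[bytes]]:
    """Walk the attribute TLVs, rejecting lengths that would run past the packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs: Dict[int, List[bytes]] = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def nas_ip_address(packet: bytes) -> Optional[str]:
    """Return the NAS-IP-Address attribute as dotted quad, or None if absent."""
    vals = parse_attributes(packet).get(ATTR_NAS_IP_ADDRESS)
    if not vals or len(vals[0]) != 4:
        return None
    return str(ipaddress.IPv4Address(vals[0]))


def lookup_nad(packet: bytes, src_ip: str, key_on_nas_ip: bool) -> Optional[str]:
    """Look up the network device either by L3 source IP or by the NAS-IP-Address attribute."""
    key = nas_ip_address(packet) if key_on_nas_ip else src_ip
    return NAD_TABLE.get(key) if key else None


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    pkt = build_access_request("10.1.1.10", "alice")
    # No NAT: the packet's source address equals the NAS-IP-Address it carries.
    direct = lookup_nad(pkt, "10.1.1.10", key_on_nas_ip=False)
    # SNAT in the path: the server sees the NAT device's outside address as source.
    behind_nat_by_src = lookup_nad(pkt, "203.0.113.5", key_on_nas_ip=False)
    behind_nat_by_attr = lookup_nad(pkt, "203.0.113.5", key_on_nas_ip=True)
    return direct, behind_nat_by_src, behind_nat_by_attr


if __name__ == "__main__":
    print(demo())
```

The source-IP lookup finds the device only when no NAT rewrites the address; behind SNAT it fails, while the attribute still identifies the switch. Note that NAS-IP-Address is filled in by the sender, so a server keying on it is trusting a claim in the packet, and the match is only as good as the shared-secret validation that follows it.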