07-12-2019 06:58 AM
Hi all,
To my knowledge, ISE currently uses by default the source IP address of the RADIUS request to look up the network device. This can cause issues if there are NAT devices between the network access device and the ISE.
Is there a known way to use the NAS-IP address within the RADIUS-packet to look up the network device instead?
Roland
07-17-2019 04:42 PM
Nope - the NAS-IP-Address is not used in ISE's inbound RADIUS packet processing. It's one of the reasons why Source NAT (SNAT) of the NAD breaks CoA, because ISE will never be able to perform the CoA to a device whose IP address has been source NAT'd. ISE can send the CoA out, but the NAD's reply will be a SNAT'd UDP packet ... ISE will think the ACK never arrived.
Craig Hyps famously had a phrase "SNAT for NAD is bad - SNAT for CoA is OK" - but you have to understand the IP packet flow to know what that means.
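As an added illustration (not part of the original thread), a small Python check that parses the NAS-IP-Address attribute out of a RADIUS Access-Request and flags when it differs from the IP-layer source address, which is exactly the situation where ISE identifies the NAD by the NAT address and CoA to it fails. The packet builder, the addresses and the NAS-Identifier value are constructed for the demo.

```python
import struct
from ipaddress import IPv4Address

# RADIUS attribute types from RFC 2865 (only the ones used here).
NAS_IP_ADDRESS = 4
NAS_IDENTIFIER = 32

def parse_radius_attributes(packet: bytes) -> dict:
    """Return {type: value_bytes} for the AVPs in a RADIUS packet.

    Header is code(1) id(1) length(2) authenticator(16), followed by TLV
    attributes whose 1-byte length includes the two header bytes.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    attrs = {}
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def nas_ip_mismatch(source_ip: str, packet: bytes):
    """Return the NAS-IP-Address the NAD claims if it differs from the
    IP header source (the address ISE actually keys on), else None."""
    attrs = parse_radius_attributes(packet)
    raw = attrs.get(NAS_IP_ADDRESS)
    if raw is None or len(raw) != 4:
        return None
    claimed = str(IPv4Address(raw))
    return claimed if claimed != source_ip else None

def build_access_request(nas_ip: str, nas_id: bytes) -> bytes:
    # Constructed sample Access-Request; authenticator is zeros since only AVPs matter here.
    avps = struct.pack("!BB4s", NAS_IP_ADDRESS, 6, IPv4Address(nas_ip).packed)
    avps += struct.pack("!BB", NAS_IDENTIFIER, 2 + len(nas_id)) + nas_id
    body = bytes(16) + avps
    return struct.pack("!BBH", 1, 0, 4 + len(body)) + body

if __name__ == "__main__":
    pkt = build_access_request("10.1.1.10", b"branch-switch")
    # Constructed scenario: the switch is 10.1.1.10 but reaches ISE SNAT'd as 198.51.100.5.
    print(nas_ip_mismatch("198.51.100.5", pkt))  # 10.1.1.10 -> CoA to 198.51.100.5 will fail
    print(nas_ip_mismatch("10.1.1.10", pkt))     # None -> no NAT in the path
```

Run over captured RADIUS traffic on the ISE side, a non-None result is a NAD whose CoA path needs checking before relying on it.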