Setting Public IP as the NAS IP Attribute In the Radius Access Request

faradaynet
Beginner

Hello All,

We have a Cisco AireOS 8.3 anchor/foreign setup with Cisco 2500 WLCs, used for guest client authentication with an external captive portal and a RADIUS server in the cloud. The RADIUS server should dynamically determine the public IP of the controller for CoA messages.

For that purpose:

We are trying to send the public IP in front of the WLC to the RADIUS server in the RADIUS Access-Request packets.

We couldn't find a way to set NAS-IP to our public IP.

If that is not possible, is it possible to send the public IP in one of the other RADIUS Access-Request attributes?

Thank you in advance.


10 Replies

balaji.bandi
VIP Community Legend

Is the public IP visible in the network? In most use cases, do NAT as per the guided deployment rather than expose the WLC IP address to the public.

BB


faradaynet
Beginner

Hello @balaji.bandi 

Our Guest client authentication service should send CoA messages to the public ip of the WLC.

We set port forwarding in the firewall in front of the WLC. But there are other deployments, so we are looking to determine the public IPs dynamically by using RADIUS Access-Request attributes. So we need to indicate the public IP manually in one of the RADIUS Access-Request attributes.

Is there a way to forward some custom values in the radius access requests ?


MHM Cisco World
VIP Mentor

[image: 71989-manage-wlc-users-radius-02.png]
In the WLC, enable "use management interface"; then in AAA, configure this management interface as the WLC IP, not the public IP after NAT.
There are two IPs:
one in the packet header, which is NATed;
the other IP inside the AAA packet, which is not NATed <<- and if you configure it, it will override the first one.

faradaynet
Beginner

@MHM Cisco World Ok, I got it. We send the internal management IP of the WLC as NAS-IP. It will also be the interface used for RADIUS communication.

I want to know whether I can send some custom values by using any of the Access-Request attributes.

Is it possible to send a manually written IP in an access request packet ?

It matters for us to process radius access request content and  fetch the public ip. Otherwise it requires further development.

Thank you in advance

ammahend (accepted solution)

If you are not using NAS-ID already, you can set it to whatever value you like (your public IP) under the AP group. In this example I set it to 1.1.1.1 so that it is included as part of the Access-Request:

(Cisco Controller) >test aaa radius username test password test wlan-id 1 apgroup BES service-type 1

Radius Test Request
Wlan-id........................................ 1
ApGroup Name................................... BES

Attributes Values
---------- ------
User-Name 0x74657374 (1952805748)
Called-Station-Id 00-00-00-00-00-00:TEST
Calling-Station-Id 00-11-22-33-44-55
Nas-Port 0x00000001 (1)
Nas-Ip-Address 192.168.132.2
NAS-Identifier 1.1.1.1
Airespace / WLAN-Identifier 0x00000001 (1)
Framed-MTU 0x00000514 (1300)
Nas-Port-Type 0x00000013 (19)
Cisco / Audit-Session-Id c0a884020000003d63078bc8
Acct-Session-Id 63078bc8/00:11:22:33:44:55/94

-hope this helps-
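The attribute dump above shows the two facts this thread turns on: NAS-IP-Address (attribute 4) carries the WLC's inside management address as four raw bytes, while NAS-Identifier (attribute 32) is a free-form string that the operator can set to the public IP; MHM's earlier reply adds that the datagram's own source address is the NAT address. The following is an added example, not code from the thread or from Cisco, showing the server side of that arrangement: it builds a constructed Access-Request modelled on the dump, parses the AVPs with length checks, and picks a CoA destination under an assumed policy (an operator-set NAS-Identifier that parses as an IP literal wins, otherwise the UDP source address, while a private NAS-IP-Address is only flagged as unreachable). The helper names, the 203.0.113.9 source address and the policy itself are this example's assumptions.

```python
"""Server-side handling of NAS-IP-Address vs NAS-Identifier in a RADIUS Access-Request.
Added example; the policy in choose_coa_target() is an assumption, not Cisco's behaviour."""
import ipaddress
import os
import struct

# RADIUS attribute type codes from RFC 2865
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_CALLING_STATION_ID = 31
ATTR_NAS_IDENTIFIER = 32
CODE_ACCESS_REQUEST = 1
HEADER_LEN = 20  # code(1) identifier(1) length(2) authenticator(16)


def encode_avps(avps):
    """Encode (type, value-bytes) pairs as RADIUS AVPs: 1-byte type, 1-byte total length, value."""
    out = bytearray()
    for attr_type, value in avps:
        if not 1 <= len(value) <= 253:
            raise ValueError("AVP value length out of range")
        out += bytes((attr_type, len(value) + 2)) + value
    return bytes(out)


def build_access_request(avps, identifier=0x3D, authenticator=None):
    """Assemble an Access-Request datagram; a real NAS uses 16 random bytes as Request Authenticator."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    body = encode_avps(avps)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    return header + authenticator + body


def parse_avps(packet):
    """Walk the AVP list, rejecting truncated or overlapping AVPs. Returns {type: [value, ...]}."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match datagram size")
    avps = {}
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated AVP header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 3 or pos + attr_len > length:
            raise ValueError("bad AVP length")
        avps.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return avps


def choose_coa_target(avps, udp_source_ip):
    """Return (target_ip, where_it_came_from, notes).
    Assumed policy: NAS-Identifier wins when it is an IP literal, else the datagram source.
    NAS-IP-Address is only reported, since on this WLC it is always the inside management IP."""
    notes = []
    for raw in avps.get(ATTR_NAS_IP_ADDRESS, []):
        if len(raw) == 4:
            nas_ip = ipaddress.IPv4Address(raw)
            if nas_ip.is_private:
                notes.append(f"NAS-IP-Address {nas_ip} is RFC1918; not reachable for CoA from outside")
    for raw in avps.get(ATTR_NAS_IDENTIFIER, []):
        try:
            candidate = ipaddress.ip_address(raw.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            notes.append(f"NAS-Identifier {raw!r} is not an IP literal; ignored")
            continue
        if str(candidate) != udp_source_ip:
            # Worth logging: a mismatch usually means a NAT or port-forward misconfiguration.
            notes.append(f"NAS-Identifier {candidate} differs from datagram source {udp_source_ip}")
        return str(candidate), "NAS-Identifier", notes
    return udp_source_ip, "udp-source", notes


# Constructed sample modelled on the attribute dump in the accepted answer.
SAMPLE_REQUEST = build_access_request([
    (ATTR_USER_NAME, b"test"),
    (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"),
    (ATTR_NAS_PORT, struct.pack("!I", 1)),
    (ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address("192.168.132.2").packed),
    (ATTR_NAS_IDENTIFIER, b"1.1.1.1"),
], authenticator=bytes(16))
# Source address a cloud server would see after NAT: a constructed documentation-range value.
SAMPLE_SOURCE = "203.0.113.9"

if __name__ == "__main__":
    target, chosen_from, notes = choose_coa_target(parse_avps(SAMPLE_REQUEST), SAMPLE_SOURCE)
    print(f"CoA target {target} (from {chosen_from})")
    for note in notes:
        print(" -", note)
```

Run as a script it reports 1.1.1.1 as the CoA target taken from NAS-Identifier, flags 192.168.132.2 as a private NAS-IP-Address, and notes that the identifier differs from the datagram source. Because NAS-Identifier is free text, the server must parse it defensively: a value such as a hostname is ignored rather than trusted, and the fallback is the address the datagram actually arrived from.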

faradaynet
Beginner

I guess it is the only method to get the public IP or some custom values.

Some vendors, such as Aruba, give the option to set a custom NAS-IP. But I see it is not the case for Cisco.

Thank you very much. @ammahend

you are welcome bud.

-hope this helps-

Rich R
VIP Advisor

Some vendors, such as Aruba, give option to set custom NAS-IP. But I see, it is not for Cisco

Wrong!  That's what @ammahend has just explained - Cisco allows you to set it to anything you want.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
Field Notice: FN-72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Recommended
WARNING - see CSCwd37092 - 2800/3800/4800 series throughput degraded after upgrading to 8.10.181.0/17.3.6
- The fix for CSCwd37092 is in 8.10.183.0 or rather 8.10.185.0 and for 9800 17.3.6+APSP2 or rather 17.3.7
Field Notice: FN-63942 Lightweight APs and WLCs Fail to Create CAPWAP Connections Due to Certificate
      Expiration - Software Upgrade Recommended
Field Notice: FN-72524 - During Software Upgrade/Downgrade IOS APs Might Remain in Downloading State
     After 4 Dec 2022 Due to Certificate Expiration - Fixed in 8.10.183.0/8.10.185.0 and 17.3.6+APSP5/17.3.7
     Also fixed in 8.5.182.7 (8.5 mainline) and 8.5.182.105 (8.5 IRCM) if you can't upgrade to 8.10
     TAC confirmed that subordinate Mobility Express APs downloading by TFTP are not affected so ME 8.5.182.0 still works
     Note that 8.10.181.0 and 8.10.182.0 have been deferred (withdrawn) and are effectively unsupported by Cisco
Leo Laohoo's list of bugs affecting 2800/3800/4800/1560 APs
___________________________________________
Richard R

Hello @Rich R

I think @ammahend 's message that you are referring to is about NAS-ID not the NAS-IP.

Thank you.

Sorry, you're right, point taken, but your question was whether there is any configurable field you could use for that info instead, which is the NAS-ID.

Richard R