
Setting Public IP as the NAS IP Attribute In the Radius Access Request

faradaynet
Level 1

Hello All,

We have a Cisco AireOS 8.3 anchor-foreign setup with Cisco 2500 WLCs, which is used for guest client authentication with an external captive portal and a RADIUS server located in the cloud. The RADIUS server should dynamically determine the public IP of the controller for CoA messages.

For that purpose:

We are trying to send the public IP in front of the WLC to the RADIUS server in the RADIUS access request packets.

We couldn't find a way to set NAS-IP as my public IP.

If that is not possible, is it possible to send the public IP with the other RADIUS access request attributes?

Thank you in advance.

10 Replies 10

balaji.bandi
Hall of Fame

Is the public IP visible in the network? In most use cases, do NAT as per the guided deployment, rather than expose the WLC IP address to the public.

BB

faradaynet
Level 1

Hello @balaji.bandi

Our guest client authentication service should send CoA messages to the public IP of the WLC.

We set up port forwarding in the firewall in front of the WLC. But there are other deployments. So we are looking to determine the public IPs dynamically by using RADIUS access request attributes. So we need to indicate the public IP manually in one of the RADIUS access request attributes.

Is there a way to forward some custom values in the RADIUS access requests?

 

In the WLC, enable use of the management interface, then in AAA configure this management interface as the WLC IP, not the public IP after NAT.
There are two IPs:
one in the packet header, which is NATed;
the other IP inside the AAA packet, which is not NATed <<- and if you configure it, it will override the first one.

faradaynet
Level 1

@MHM Cisco World OK, I got it. We send the internal management IP of the WLC as the NAS-IP. It will also be the interface for RADIUS communication.

I want to know whether I can send some custom values by using any of the access request attributes.

Is it possible to send a manually written IP in an access request packet?

It matters for us to process the RADIUS access request content and fetch the public IP. Otherwise it requires further development.

Thank you in advance

If you are not using NAS-ID already, then you can set it to whatever value you like (your public IP) under the AP group. In this example I set it to 1.1.1.1 to include it as part of the access request.

(Cisco Controller) >test aaa radius username test password test wlan-id 1 apgroup BES service-type 1

Radius Test Request
Wlan-id........................................ 1
ApGroup Name................................... BES

Attributes Values
---------- ------
User-Name 0x74657374 (1952805748)
Called-Station-Id 00-00-00-00-00-00:TEST
Calling-Station-Id 00-11-22-33-44-55
Nas-Port 0x00000001 (1)
Nas-Ip-Address 192.168.132.2
NAS-Identifier 1.1.1.1
Airespace / WLAN-Identifier 0x00000001 (1)
Framed-MTU 0x00000514 (1300)
Nas-Port-Type 0x00000013 (19)
Cisco / Audit-Session-Id c0a884020000003d63078bc8
Acct-Session-Id 63078bc8/00:11:22:33:44:55/94

-hope this helps-
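
One way the RADIUS server side could consume this value, as an added example that is not part of the original post and not Cisco code: it reads NAS-Identifier from the Access-Request and uses it as the CoA destination only when it matches the packet's NATed source address or a per-client allowlist. The function names, the allowlist structure and the fall-back to the source address are assumptions; the sample packet is constructed from the values in the test output above.

```python
import ipaddress
import struct

ACCESS_REQUEST = 1
NAS_IP_ADDRESS, NAS_IDENTIFIER = 4, 32  # RFC 2865 attribute types


def parse_attributes(packet: bytes) -> dict:
    """Return {type: [value, ...]} from a RADIUS Access-Request (RFC 2865 layout)."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def coa_target(packet: bytes, source_ip: str, allowed: dict) -> str:
    """Choose the CoA destination. `allowed` (hypothetical) maps a UDP source
    address to the set of public IPs that NAS is permitted to claim."""
    attrs = parse_attributes(packet)
    claimed = attrs.get(NAS_IDENTIFIER, [b""])[0].decode("ascii", "replace")
    try:
        claimed_ip = str(ipaddress.ip_address(claimed))
    except ValueError:
        return source_ip  # NAS-Identifier is not an IP: use the NATed source
    if claimed_ip == source_ip or claimed_ip in allowed.get(source_ip, set()):
        return claimed_ip
    raise PermissionError(f"NAS-Identifier {claimed_ip} not permitted for {source_ip}")


def build_request(nas_ip: str, nas_id: str) -> bytes:
    """Constructed sample Access-Request with a zeroed authenticator."""
    body = bytes([NAS_IP_ADDRESS, 6]) + ipaddress.ip_address(nas_ip).packed
    body += bytes([NAS_IDENTIFIER, 2 + len(nas_id)]) + nas_id.encode("ascii")
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + bytes(16) + body


# Constructed sample: same NAS-IP-Address and NAS-Identifier as the test output.
SAMPLE = build_request("192.168.132.2", "1.1.1.1")
```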

faradaynet
Level 1

I guess it is the only method to get public ip or some custom values.

Some vendors, such as Aruba, give option to set custom NAS-IP. But I see, it is not for Cisco.

Thank you very much. @ammahend

you are welcome bud.

-hope this helps-

Rich R
VIP

Some vendors, such as Aruba, give option to set custom NAS-IP. But I see, it is not for Cisco

Wrong! That's what @ammahend has just explained - Cisco allows you to set it to anything you want.

Hello @Rich R

I think @ammahend 's message that you are referring to is about NAS-ID not the NAS-IP.

Thank you.

Sorry you're right, point taken, but your question was whether there is any configurable field you could use for that info instead which is the NAS-ID.
