08-24-2022 12:17 AM - edited 08-24-2022 12:21 AM
Hello All,
We have a Cisco AireOS 8.3 anchor/foreign setup with Cisco 2500 WLCs, which is used for guest client authentication with an external captive portal and RADIUS server yields in the cloud. The RADIUS server should dynamically determine the public IP of the controller for CoA messages.
For that purpose, we are trying to send the public IP in front of the WLC to the RADIUS server in the RADIUS Access-Request packets.
We couldn't find a way to set NAS-IP to my public IP.
If that is not possible, is it possible to send the public IP with the other RADIUS Access-Request attributes?
Thank you in advance.
Accepted Solutions
08-25-2022 07:55 AM - edited 08-25-2022 07:55 AM
If you are not using NAS-ID already, then you can set it to whatever value you like (your public IP) under the AP group. In this example I set it to 1.1.1.1 to include it as part of the access request:
(Cisco Controller) >test aaa radius username test password test wlan-id 1 apgroup BES service-type 1
Radius Test Request
Wlan-id........................................ 1
ApGroup Name................................... BES
Attributes Values
---------- ------
User-Name 0x74657374 (1952805748)
Called-Station-Id 00-00-00-00-00-00:TEST
Calling-Station-Id 00-11-22-33-44-55
Nas-Port 0x00000001 (1)
Nas-Ip-Address 192.168.132.2
NAS-Identifier 1.1.1.1
Airespace / WLAN-Identifier 0x00000001 (1)
Framed-MTU 0x00000514 (1300)
Nas-Port-Type 0x00000013 (19)
Cisco / Audit-Session-Id c0a884020000003d63078bc8
Acct-Session-Id 63078bc8/00:11:22:33:44:55/94
08-24-2022 12:42 AM
Is the public IP visible in the network? In most use cases, do NAT as per the guided deployment, rather than expose the WLC IP address to the public.
08-24-2022 12:56 AM
Hello @balaji.bandi
Our guest client authentication service should send CoA messages to the public IP of the WLC.
We set port forwarding in the firewall in front of the WLC, but there are other deployments, so we are looking to determine the public IPs dynamically by using RADIUS Access-Request attributes. So we need to indicate the public IP manually in one of the RADIUS Access-Request attributes.
Is there a way to forward some custom values in the RADIUS Access-Requests?
08-24-2022 02:27 AM
In the WLC, enable "use management interface"; then in the AAA config, this management interface is the WLC IP, not the public IP after NAT.
There are two IPs:
one in the packet header, which is NATed;
the other IP inside the AAA packet, which is not NATed <<- and if you configure it, it will override the first one.
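The two replies above describe the same split from different sides: the packet header carries the NATed address, while NAS-IP-Address (attribute 4) inside the AAA payload carries the pre-NAT management IP, and the accepted solution puts the public IP into NAS-Identifier (attribute 32) so the RADIUS server can pick a CoA target. What the thread does not show is the server side, and that side has a trust problem: NAS-Identifier is free text set by whoever administers the AP group, so a server that sends CoA wherever it says should first check that the Access-Request is bound to the shared secret (Message-Authenticator, attribute 80, RFC 2869) and that the text really is a public IPv4 address. The following Python is an added example, not Cisco or AireOS code and not from anyone in this thread; the packet, the shared secret `example-shared-secret` and the helper names (`build_access_request`, `parse_attributes`, `verify_message_authenticator`, `coa_target`) are all constructed for illustration, with attribute values taken from the `test aaa radius` output posted above.

```python
"""Server-side handling of NAS-Identifier as a CoA target: parse an Access-Request,
verify its Message-Authenticator, then decide where CoA goes.
Added example; not Cisco or AireOS code."""
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST = 1          # RADIUS code (RFC 2865)
USER_NAME = 1               # attribute types (RFC 2865 / RFC 2869)
NAS_IP_ADDRESS = 4
NAS_PORT = 5
CALLING_STATION_ID = 31
NAS_IDENTIFIER = 32
MESSAGE_AUTHENTICATOR = 80

# Constructed shared secret for the example only.
SHARED_SECRET = b"example-shared-secret"


def build_access_request(attrs, secret, identifier=0x3D, authenticator=None):
    """Encode an Access-Request and append a valid Message-Authenticator.

    Per RFC 2869 section 5.14 the HMAC-MD5 is computed over the whole packet with
    the Message-Authenticator value set to 16 zero bytes, then written in place.
    """
    authenticator = authenticator or os.urandom(16)
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def parse_attributes(packet):
    """Return [(offset, type, value)] for every attribute; reject malformed lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attr_len = packet[pos + 1]
        attrs.append((pos, packet[pos], packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def verify_message_authenticator(packet, secret):
    """True only if a Message-Authenticator is present and matches the shared secret."""
    for offset, attr_type, value in parse_attributes(packet):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # absent: nothing binds the attribute contents to the shared secret


def coa_target(packet, secret):
    """Choose the CoA destination for this session.

    NAS-Identifier is operator-controlled text, so it is used only when the packet
    authenticates and the text is a valid, globally routable IPv4 address; otherwise
    fall back to NAS-IP-Address (the pre-NAT management IP inside the AAA payload).
    """
    if not verify_message_authenticator(packet, secret):
        raise ValueError("Message-Authenticator missing or invalid; discarding request")
    by_type = {attr_type: value for _, attr_type, value in parse_attributes(packet)}
    nas_ip = str(ipaddress.IPv4Address(by_type[NAS_IP_ADDRESS]))
    nas_id = by_type.get(NAS_IDENTIFIER, b"").decode("ascii", "replace")
    try:
        candidate = ipaddress.IPv4Address(nas_id)
    except ipaddress.AddressValueError:
        return nas_ip  # NAS-Identifier is not an address (e.g. an AP group name)
    return str(candidate) if candidate.is_global else nas_ip


# Constructed sample mirroring the attributes in the "test aaa radius" output above.
SAMPLE_ATTRS = [
    (USER_NAME, b"test"),
    (CALLING_STATION_ID, b"00-11-22-33-44-55"),
    (NAS_PORT, struct.pack("!I", 1)),
    (NAS_IP_ADDRESS, bytes([192, 168, 132, 2])),
    (NAS_IDENTIFIER, b"1.1.1.1"),
]
SAMPLE_PACKET = build_access_request(SAMPLE_ATTRS, SHARED_SECRET, authenticator=bytes(range(16)))

if __name__ == "__main__":
    print("CoA target:", coa_target(SAMPLE_PACKET, SHARED_SECRET))
    tampered = SAMPLE_PACKET.replace(b"1.1.1.1", b"8.8.8.8")
    print("tampered packet verifies:", verify_message_authenticator(tampered, SHARED_SECRET))
```

The fallback matters for the anchor/foreign case in the thread: a NAS-Identifier of "BES" or of a private address leaves CoA going to NAS-IP-Address, which is exactly the pre-NAT address the second reply warns about, so the server should log that fallback rather than silently send CoA somewhere unreachable. A real RADIUS server would also check the source address against its configured clients; that part is left out here.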
08-24-2022 03:03 AM - edited 08-24-2022 03:06 AM
@MHM Cisco World Ok, I got it. We send the internal management IP of the WLC as NAS-IP. It will also be the interface for RADIUS communication.
I want to know whether I can send some custom values by using any of the Access-Request attributes.
Is it possible to send a manually written IP in an Access-Request packet?
It matters for us to process the RADIUS Access-Request content and fetch the public IP. Otherwise it requires further development.
Thank you in advance
08-31-2022 12:50 AM - edited 08-31-2022 12:51 AM
I guess it is the only method to get the public IP or some custom values.
Some vendors, such as Aruba, give the option to set a custom NAS-IP. But I see it is not available for Cisco.
Thank you very much, @ammahend.
08-31-2022 10:15 AM
you are welcome bud.
08-31-2022 08:22 AM
> Some vendors, such as Aruba, give option to set custom NAS-IP. But I see, it is not for Cisco
Wrong! That's what @ammahend has just explained - Cisco allows you to set it to anything you want.
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
09-02-2022 03:07 AM - edited 09-02-2022 03:11 AM
09-02-2022 04:35 AM
Sorry, you're right, point taken, but your question was whether there is any configurable field you could use for that info instead, which is the NAS-ID.
