08-24-2022 12:17 AM - edited 08-24-2022 12:21 AM
Hello All,
We have a Cisco AireOS 8.3 anchor foreign setup with Cisco 2500 WLCs which is used for guest client authentication with an external captive portal and radius server yields in the cloud. Radius server should dynamically determine the public ip of controller for CoA messages.
For that purpose :
We are trying to send the public ip in front of WLC to the radius server in the radius access request packets.
We couldn't find a way to set NAS-IP as my public ip.
If it is not possible, is it possible to send the public IP with the other RADIUS access request attributes?
Thank you in advance.
08-25-2022 07:55 AM - edited 08-25-2022 07:55 AM
If you are not using NAS-ID already, then you can set it to whatever value you like (your public IP) under the AP group. In this example I set it to 1.1.1.1 to include it as part of the access request.
(Cisco Controller) >test aaa radius username test password test wlan-id 1 apgroup BES service-type 1
Radius Test Request
Wlan-id........................................ 1
ApGroup Name................................... BES
Attributes Values
---------- ------
User-Name 0x74657374 (1952805748)
Called-Station-Id 00-00-00-00-00-00:TEST
Calling-Station-Id 00-11-22-33-44-55
Nas-Port 0x00000001 (1)
Nas-Ip-Address 192.168.132.2
NAS-Identifier 1.1.1.1
Airespace / WLAN-Identifier 0x00000001 (1)
Framed-MTU 0x00000514 (1300)
Nas-Port-Type 0x00000013 (19)
Cisco / Audit-Session-Id c0a884020000003d63078bc8
Acct-Session-Id 63078bc8/00:11:22:33:44:55/94
08-24-2022 12:42 AM
Is the Public IP visible in the network? In most use cases, do NAT as per the guided deployment rather than expose the WLC IP address to the Public.
08-24-2022 12:56 AM
Hello @balaji.bandi
Our Guest client authentication service should send CoA messages to the public ip of the WLC.
We set port forwarding in the firewall in front of the WLC. But there are other deployments. So we are looking to determine the public IPs dynamically by using RADIUS access request attributes. So we need to indicate the public IP manually in one of the RADIUS access request attributes.
Is there a way to forward some custom values in the RADIUS access requests?
08-24-2022 02:27 AM
In WLC enable use management interface, then in AAA config this Management interface as WLC IP not the public IP after NAT
there are two IPs
one in Packet header which is NAT
other IP inside AAA packet which is not NAT <<- and if you config it will override the first one.
08-24-2022 03:03 AM - edited 08-24-2022 03:06 AM
@MHM Cisco World OK, I got it. We send the internal management IP of the WLC as NAS-IP. Also it will be the interface of RADIUS communication.
I want to know whether I can send some custom values by using any of the access request attributes.
Is it possible to send a manually written IP in an access request packet?
It matters for us to process radius access request content and fetch the public ip. Otherwise it requires further development.
Thank you in advance
08-31-2022 12:50 AM - edited 08-31-2022 12:51 AM
I guess it is the only method to get public ip or some custom values.
Some vendors, such as Aruba, give option to set custom NAS-IP. But I see, it is not for Cisco.
Thank you very much. @ammahend
08-31-2022 10:15 AM
you are welcome bud.
08-31-2022 08:22 AM
> Some vendors, such as Aruba, give option to set custom NAS-IP. But I see, it is not for Cisco
Wrong! That's what @ammahend has just explained - Cisco allows you to set it to anything you want.
09-02-2022 03:07 AM - edited 09-02-2022 03:11 AM
09-02-2022 04:35 AM
Sorry you're right, point taken, but your question was whether there is any configurable field you could use for that info instead which is the NAS-ID.