
11-16-2016 04:40 PM
Hi Team,
My customer has asked whether we have considered, or may have the possibility in the future, to identify network access devices by the IP contained within the RADIUS packet, as opposed to the Layer 3 source IP address. This would allow a NAT to occur when a customer is using a load balancer between their PSNs and NADs. Has this been discussed at all?
Labels: Identity Services Engine (ISE)
Accepted Solutions
11-17-2016 12:27 PM
The issue is not so much the NAT of the source IP of the NAD, but rather the fact that CoA is initiated by the PSN and is based on the source IP. You can certainly load balance based on the source IP, even if source-NATted.
Two caveats of LB SNAT on NAD source IP include:
- ISE displays the LB as the network access device (since that is the source IP seen by PSN). Therefore, you lose some visibility without specifically looking at the NAS IP Address field.
- ISE sends CoA based on the source IP received and therefore sends CoA to the LB SNAT IP; the LB ends up dropping the packet.
We have a priority enhancement to perform CoA based on NAS-IP-Address to get around this limitation. Please reach out to your account SE to discuss roadmap information.
Regards,
Craig
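As an added illustration of the point above (not code from this thread or from ISE), the following Python parser pulls NAS-IP-Address (RFC 2865 attribute type 4) out of a RADIUS Access-Request and flags the case where it differs from the Layer 3 source IP, which is exactly the condition under which a source-IP-keyed CoA would be sent to the LB SNAT address instead of the NAD. The sample packet is constructed inline with a zeroed authenticator; the IP addresses are made up for the example.

```python
import struct
from ipaddress import IPv4Address

NAS_IP_ADDRESS = 4   # RFC 2865 attribute type for NAS-IP-Address
ACCESS_REQUEST = 1   # RADIUS code for Access-Request


def parse_radius(packet: bytes):
    """Return (code, identifier, {attr_type: [raw values]}) for a RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs = {}
    pos = 20  # skip 4-byte header + 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, ident, attrs


def coa_target_check(src_ip: str, packet: bytes) -> dict:
    """Compare the L3 source IP (what the PSN keys CoA on) with NAS-IP-Address.

    snat_in_path is True when the two differ, i.e. a CoA sent to src_ip would
    reach the load balancer's SNAT address rather than the NAD itself.
    """
    _, _, attrs = parse_radius(packet)
    nas_ip = None
    if NAS_IP_ADDRESS in attrs:
        nas_ip = str(IPv4Address(attrs[NAS_IP_ADDRESS][0]))
    return {
        "l3_source": src_ip,
        "nas_ip_address": nas_ip,
        "snat_in_path": nas_ip is not None and nas_ip != src_ip,
    }


def build_access_request(nas_ip: str, ident: int = 1) -> bytes:
    """Constructed sample Access-Request carrying only a NAS-IP-Address attribute."""
    attr = bytes([NAS_IP_ADDRESS, 6]) + IPv4Address(nas_ip).packed
    authenticator = b"\x00" * 16  # sample value only, not a real Request Authenticator
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attr))
    return header + authenticator + attr


if __name__ == "__main__":
    pkt = build_access_request("10.1.1.10")          # NAD's own address in the packet
    print(coa_target_check("10.9.9.1", pkt))          # LB SNAT address as L3 source
    print(coa_target_check("10.1.1.10", pkt))         # no SNAT in the path
```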

11-17-2016 10:13 AM
Hi Patrick,
If you are referring to the NAS IP address, this is currently available as an attribute that can be added to create policy set criteria.
Based on the policy set criteria, authentication and authorization policies are applied.
In fact, ISE has tons of attributes that can be used as conditions to create policy set criteria, including Device IP address etc. Here are the attributes that ISE currently supports for network access.
Thanks
Krishnan