Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1552
Views
5
Helpful
3
Replies

Profile conflict between 2 different NAD profiles.

Go to solution
shubhampatki1994
Level 1
Level 1

‎10-21-2021 04:25 PM

Hello All,

 

We have ISE 2.2 setup where a default device profile of Cisco is used so that all the WLCs used at remote locations get access directly.

 

We also use Aruba iAPs that are configured in the Network Devices list.

 

My question is what happens in case we add an Aruba profile with an IP that is already present and working under Cisco default device profile.  

 

 

 

TIA.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to shubhampatki1994

‎10-21-2021 08:47 PM

Ok, so you have the Network Devices > Default Device using the Cisco Network Device Profile (NDP) that many of your Cisco WLCs are using as they are not statically configured as Network Devices using IP/Subnet. You want to know what will happen if someone configures a new Network Device for an Aruba AP (using the Aruba NDP) that uses the same IP address as one of the WLCs.

The NDP tells ISE what AV pairs to use for RADIUS functions (like ACLs, CoA, etc). ISE will match a more specific IP/Subnet over the Default Device so, if the above scenario happens, the next time the Cisco WLC sends a RADIUS request, ISE will respond with the Aruba AV pairs. This will likely break most of the functions on the WLC as it won't get the correct responses.

View solution in original post

3 Replies 3

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎10-21-2021 06:46 PM

I'm not sure if I understand the question correctly, but the IP address/subnet is the key identifier for Network Devices. You cannot configure a second network device that has an overlapping IP/subnet with one that is already configured; ISE will throw an error if you try.

0 Helpful

Go to solution
shubhampatki1994
Level 1
Level 1
In response to Greg Gibbs

‎10-21-2021 06:53 PM

Hi Greg,

 

That is correct, An error is displayed when we use the same IP for different profiles. The scenario we are facing is that the Remote locations have Cisco WLCs that use a default device profile as there were loads of these WLCs so a simple default profile was used. But now we are migrating from Cisco WLC to Aruba iAPs. Now we have to create individual profile for Aruba as only one default profile can be created and that is tied to Cisco WLC as of now. My query is what will happen in case someone puts an IP in Aruba profile that is being already used on a Cisco WLC.

 

Hope that sums up the scenario a bit.

 

Regards 

Shubham

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to shubhampatki1994

‎10-21-2021 08:47 PM

Ok, so you have the Network Devices > Default Device using the Cisco Network Device Profile (NDP) that many of your Cisco WLCs are using as they are not statically configured as Network Devices using IP/Subnet. You want to know what will happen if someone configures a new Network Device for an Aruba AP (using the Aruba NDP) that uses the same IP address as one of the WLCs.

The NDP tells ISE what AV pairs to use for RADIUS functions (like ACLs, CoA, etc). ISE will match a more specific IP/Subnet over the Default Device so, if the above scenario happens, the next time the Cisco WLC sends a RADIUS request, ISE will respond with the Aruba AV pairs. This will likely break most of the functions on the WLC as it won't get the correct responses.

Customers Also Viewed These Support Documents