Solved: Auth Proxy on Ubuntu not passing nas_ip to external RADIUS server

marcairn
Cisco Employee

All,

I have a new install on Ubuntu 18.04, version 2.10.1. Authentication works with primary auth to RADIUS server, including passing A/V pairs back to NAS. RADIUS server sees NAS IP of Ubuntu server, even with conf file using nas_ip=x.x.x.x. I built the conf file without this value originally for testing and then added it to test NAS identification on the RADIUS Server. Service and server have been restarted.

Snip from conf file:

[radius_client]
host=10.0.0.100
secret=**********
pass_through_all=true
nas_ip=192.168.2.4
retry_wait=4

Snip from log file when service starts, which appears to show it parsing correctly:

2018-10-02T23:42:11+0000 [-] RADIUS Client Module Configuration:
2018-10-02T23:42:11+0000 [-] {'debug': 'True',
         'host': '10.0.0.100',
         'nas_ip': '192.168.2.4',
         'pass_through_all': 'true',
         'retry_wait': '9',
         'secret': '*****'}

From my AAA server (Cisco ISE) authentication log:

NAS IPv4 Address 10.0.0.206

Any thoughts? Am I missing something?

Thanks,
Mark

4 Replies

DuoKristina
Cisco Employee

Are you trying to preserve the nas ip passed in from the radius client request to the Duo authentication proxy? If so, be sure to set the pass through option in your [radius_server_auto] section as well.

Duo, not DUO.

marcairn
Cisco Employee

Thank you. That helped. I had pass_through_all on the RADIUS Client side for AV pairs being sent back in response, so those all worked. I did not have it in the RADIUS Automatic portion of the config for the request. Enabling this option and setting “true” started passing through attributes.

Unfortunately, based on a packet capture, my RADIUS server does not appear to be parsing attribute 4 (NAS-IP-ADDRESS) properly and is falling back to identify the NAS as the IP of the Duo Proxy. That means some digging on my side.

Thanks for the time.

Mark

Did you ever find a solution?

I asked for a feature request to allow forwarding of the NAS IP. I believe, at this time, the Proxy always rewrites the source NAS IP. You can key on other attributes or consider looping through for authentication, such as VPN to ISE to Duo back to ISE to AD. In that case, looping back lets you use AD through ISE instead of from the Duo Auth proxy.
