Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

NAS or NAD IP in a master/local configuration

  • 1.  NAS or NAD IP in a master/local configuration

    Posted Feb 04, 2013 10:59 AM

    I'm authenticating against a CPPM server and the service rule that I should be hitting includes a device location rule.  When I authenticate, the RADIUS request isn't matching up with the service rule.  In Access Tracker, the computed attributes show the correct src-ip-address of the local controller that my request is coming from, but the NAD-ip-address is the master controller's IP.  I believe this is what is causing the Device:Location to be incorrect.

     

    I need to set up the master and two local controllers to send their own IP address in the RADIUS request so I can differentiate between them when using a service rule in CPPM.  On the controllers, I see a NAS IP address and Source Interface under Security > Authentication > Advanced.  The NAS IP address entered is the master's and the source interface is the local's loopback.  Is the NAS IP what I need to change on each controller?



  • 2.  RE: NAS or NAD IP in a master/local configuration
    Best Answer

    Posted Feb 04, 2013 12:54 PM

    To answer my own question, yes - the NAS IP address is unique to the controller.  Changing the NAS IP on each of my controllers fixed my issue.

     

    (Controller) (config)# ip radius nas-ip x.x.x.x



  • 3.  RE: NAS or NAD IP in a master/local configuration

    Posted Mar 19, 2014 03:34 PM

    You can just do that through the CLI on the local?  If you try via the GUI it's grayed out, and for good reason I guess, as it seems to me that if you wanted a RADIUS server that is being used by all controllers you'd have to configure a number of distinct instances of the same box in different location/controller-centric VAPs with unique NAS-IP RADIUS servers and then put them into location/controller-centric Server Groups...?

     

    rif



  • 4.  RE: NAS or NAD IP in a master/local configuration

    Posted Mar 19, 2014 10:21 PM

    There's a global NAS IP and a server-specific NAS IP.  The global NAS IP is controller specific.  The command above is for the global NAS IP, which can also be configured in the GUI: Configuration > Authentication > Advanced.  The server-specific NAS IP, if configured, overrides the global NAS IP when the authentication server is used.  The server NAS IP is part of the configuration that's synced between master/local controllers, so it will be greyed out on your locals.



  • 5.  RE: NAS or NAD IP in a master/local configuration

    Posted Mar 19, 2014 10:33 PM

    So in the event one is using the NAS-ID as a specific identifier for authentication etc., the Server NAS-ID should be left blank and each controller issues the global NAS-ID?

     

    rif



  • 6.  RE: NAS or NAD IP in a master/local configuration

    Posted Mar 19, 2014 10:49 PM

    The server-specific NAS IP will override the global NAS IP when in use.  If you wish for the global NAS IP to be used, leave the server-specific NAS IP blank.