MVP
Posts: 1,110
Registered: ‎10-11-2011

NAS or NAD IP in a master/local configuration

I'm authenticating against a CPPM server and the service rule that I should be hitting includes a device location rule.  When I authenticate, the RADIUS request isn't matching up with the service rule.  In Access Tracker, the computed attributes show the correct src-ip-address of the local controller that my request is coming from, but the NAD-ip-address is the master controller's IP.  I believe this is what is causing the Device:Location to be incorrect.

I need to set up the master and two local controllers to send their own IP address in the RADIUS request so I can differentiate between them when using a service rule in CPPM.  On the controllers, I see a NAS IP address and Source Interface under Security > Authentication > Advanced.  The NAS IP address entered is the master's and the source interface is the local's loopback.  Is the NAS IP what I need to change on each controller?

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: NAS or NAD IP in a master/local configuration

To answer my own question, yes - the NAS IP address is unique to the controller.  Changing the NAS IP on each of my controllers fixed my issue.

 

(Controller) (config)# ip radius nas-ip x.x.x.x

Frequent Contributor II
Posts: 124
Registered: ‎09-10-2012

Re: NAS or NAD IP in a master/local configuration

You can just do that through CLI on the local?  If you try via the GUI it's grayed out, and for good reason I guess, as it seems to me that if you wanted a RADIUS server that is being used by all controllers you'd have to configure a number of distinct instances of the same box in different location/controller-centric VAPs with unique NAS-IP RADIUS Servers and then put them into location/controller-centric Server Groups...?

 

rif

MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: NAS or NAD IP in a master/local configuration

There's a global NAS IP and a server-specific NAS IP.  The global NAS IP is controller specific.  The command above is for the global NAS IP, which can also be configured in the GUI: Configuration > Authentication > Advanced.  The server-specific NAS IP, if configured, overrides the global NAS IP when the authentication server is used.  The server NAS IP is part of the configuration that's synced between master/local controllers, so it will be greyed out on your locals.

Frequent Contributor II
Posts: 124
Registered: ‎09-10-2012

Re: NAS or NAD IP in a master/local configuration

So in the event one is using the NAS-ID as a specific identifier for authentication, etc., the Server NAS-ID should be left blank and each controller issues the global NAS-ID?

 

rif

MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: NAS or NAD IP in a master/local configuration

The server-specific NAS IP will override the global NAS IP when in use.  If you wish for the global NAS IP to be used, leave the server-specific NAS IP blank.
