MVP
Posts: 1,408
Registered: ‎10-25-2011

Unknown NadClient <IP> but still allowed to authenticate?? (EAP-PEAP)

So I am seeing this and the user gets online, then when another user tries again

ERROR Common.NadClientTable - getNadClient: Unknown NadClient 10.17.5.10
INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT
Core.PETaskRadiusEnfProfileBuilder - Radius enfProfiles used: SALES Enforcement Profile

Failed auth which is what I would expect.

ERROR Common.NadClientTable - getNadClient: Unknown NadClient 10.17.5.10
INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=DENY
INFO Core.PETaskRadiusEnfProfileBuilder - Radius enfProfiles used: Deny Access Profile]

Any ideas?

Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Guru Elite
Posts: 20,578
Registered: ‎03-29-2007

Re: Unknown NadClient <IP> but still allowed to authenticate?? (EAP-PEAP)

Look in the audit/event viewer and see how often it really happens...



Colin Joseph
Aruba Customer Engineering

MVP
Posts: 1,408
Registered: ‎10-25-2011

Re: Unknown NadClient <IP> but still allowed to authenticate?? (EAP-PEAP)

There's nothing in there that's worth mentioning for this.

Forgot to mention that the NAS IP address on the VC was incorrect and did not match the NAD in CPPM. That's why I am floored that authentications were allowed through.

I would expect that all would fail since the NAS IP being sent does not match the NAD. Correct?
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Guru Elite
Posts: 8,191
Registered: ‎09-08-2010

Re: Unknown NadClient <IP> but still allowed to authenticate?? (EAP-PEAP)

NAS IP does not necessarily equal NAD IP.



NAD IP should be defined as the source address of the RADIUS packet.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
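
Added example, not part of the thread and not ClearPass code: RFC 2865 has a RADIUS server choose the client entry and shared secret by the UDP source address of the request, while NAS-IP-Address (attribute 4) is a value the sender places inside the packet. The sketch parses a constructed Access-Request and reports both; `NAD_TABLE`, `classify` and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4  # attribute type from RFC 2865
# Constructed NAD table (hypothetical): source network -> device name
NAD_TABLE = {"192.0.2.0/24": "site-a-iaps"}

def build_access_request(nas_ip, user=b"alice"):
    """Build a constructed Access-Request (no password/EAP; parsing demo only)."""
    attrs = bytes([1, 2 + len(user)]) + user  # User-Name
    attrs += bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs

def parse_attributes(packet):
    """Return {type: [value, ...]}, rejecting inconsistent length fields."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def classify(source_ip, packet, nad_table=NAD_TABLE):
    """Match the NAD on the UDP source address; report NAS-IP-Address separately."""
    src = ipaddress.ip_address(source_ip)
    nad = next((name for net, name in nad_table.items()
                if src in ipaddress.ip_network(net)), None)
    values = parse_attributes(packet).get(NAS_IP_ADDRESS, [])
    claimed = str(ipaddress.IPv4Address(values[0])) if values else None
    return {"nad": nad, "source_ip": source_ip, "nas_ip_address": claimed,
            "mismatch": claimed is not None and claimed != source_ip}

if __name__ == "__main__":
    pkt = build_access_request("198.51.100.1")  # value configured on the sender
    print(classify("192.0.2.10", pkt))   # known source, different NAS-IP-Address
    print(classify("203.0.113.5", pkt))  # same attribute, source not in the table
```
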
MVP
Posts: 1,408
Registered: ‎10-25-2011

Re: Unknown NadClient <IP> but still allowed to authenticate?? (EAP-PEAP)

In my case the NAS IP did not equal the NAD IP, but I want it to. After we changed it, it started working, but some auths were working for some accounts but not others.

See http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Using-AD-Attributes-to-authenticate-users-at-one-location-vs/m-p/246456#M22108 for context as for user auths. National users worked but dealership users did not with the wrong NAS IP address configured.

I'm still learning this behemoth so I apologize in advance.

Where do I define it as the source address?
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Guru Elite
Posts: 8,191
Registered: ‎09-08-2010

Re: Unknown NadClient <IP> but still allowed to authenticate?? (EAP-PEAP)

If DRP is enabled, the source address will be the VC IP.



If DRP is not enabled, the source address will be the individual IAP IP.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 1,408
Registered: ‎10-25-2011

Re: Unknown NadClient <IP> but still allowed to authenticate?? (EAP-PEAP)

DRP is not enabled.

Each location is its own network, so the IAP IP can be the same at every site; that is why I am specifying the NAS IP address in the VC (as the VC IPs are the same at every site).
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]