Wireless Access

Frequent Contributor II

Client request with different source IP on radius

Hi,

We have an Aruba 7210 WLC, AP 325, Brocade (core) switch, RADIUS (SBR), proxy server and firewall set up for the wireless network.

WLC MGMT IP = 10.6.1.1,

For the "Employee" SSID (cert.-based auth), interface ge-0/0 IP = 172.16.4.1, and

for the "Guest" SSID, interface ge-0/1 IP = 192.168.50.1

The Employee and Guest SSID (cert.-based auth) networks are isolated from each other. Inter-VLAN routing is disabled.

We observed that RADIUS is getting all client requests from the WLC MGMT IP.

How can I get client requests based on the respective IP subnet (NAS IP) on RADIUS, so I can create RADIUS clients in SBR and assign authentication policies? (Please find the attached network diagram.)

 

Thank you..

 

 

 

Aruba

Re: Client request with different source IP on radius

 

By default, the controller only uses a single interface/IP to send RADIUS requests (located on the Advanced tab of Authentication). If you need to differentiate it for your 2 SSIDs, you can set up duplicate RADIUS server entries for your SBR servers, and define your different NAS IP and/or NAS Identifier per individual server configuration. You'd then create new Server Groups with these server entries, and apply them at the AAA server level. Keep in mind, routing must work for each NAS IP you are defining to/from RADIUS.

 

See attached.

 

 

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX

Frequent Contributor II

Re: Client request with different source IP on radius

Hi Clembo,

As per your suggestion I have added the ge-0/1 interface IP into the RADIUS server profile as a NAS IP, but we are still getting client requests from the MGMT IP address on the RADIUS server.

As discussed with TAC, this may be an issue with AOS version 6.5.4.3.

Can anybody test the NAS IP configuration on AOS 6.5.4.3 and share the result?

 

Thank you...

 

Aruba

Re: Client request with different source IP on radius

Can you check to see if you have a line in your config for the following:

 

ip radius nas-ip [controller IP]

 

If so, this is probably overriding the server-specific setting that I recommended. Try removing this line from the config and see if there is any change in the behavior.

 

Chris

 

 

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX
