
RADIUS CoA on IAP VPN


Will RADIUS CoA work on an IAP VPN solution when the inner IP is source-NATed on the controller?


If the inner IP is not routable in an IAP VPN solution, then for dot1x authentication to work we need a source NAT rule configured on the default-vpn-role on the controller (the IAP comes up in the user table with the role default-vpn-role).

With this rule, the controller source-NATs the RADIUS request and sends it to the RADIUS server, so the controller IP acts as the RADIUS client.

However, per RFC 3576, a RADIUS CoA initiated by the server has to reach the RADIUS client directly, and source NAT will not work for this. Hence we need to make sure the IAP VPN inner IP is routable, so that the inner IP acts as the RADIUS client and CoA works.
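
The following Python model is an added illustration, not controller code or part of the original article: it treats the controller as a generic stateful source NAT to show why the Access-Accept reply gets back to the IAP while a server-initiated CoA-Request does not. The IP addresses, port numbers other than 1812 and 3799, and the `SourceNat` class are constructed assumptions.

```python
from dataclasses import dataclass, field

RADIUS_AUTH_PORT = 1812   # Access-Request / Access-Accept
RADIUS_COA_PORT = 3799    # CoA-Request port defined in RFC 3576


@dataclass
class SourceNat:
    """Simplified stateful source NAT standing in for the controller (assumption)."""
    public_ip: str
    next_port: int = 40000
    # (public_port, peer_ip, peer_port) -> (inner_ip, inner_port)
    sessions: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inner host starts a flow: rewrite the source and remember the mapping."""
        public_port = self.next_port
        self.next_port += 1
        self.sessions[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, public_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving at the NAT address: deliver only if a session matches."""
        if dst_ip != self.public_ip:
            return None
        return self.sessions.get((dst_port, src_ip, src_port))


def simulate(iap_inner_ip="10.10.10.5", controller_ip="192.0.2.10",
             server_ip="192.0.2.50"):
    nat = SourceNat(controller_ip)
    # 1. IAP sends Access-Request; the server sees the controller IP as the client.
    seen_ip, seen_port, _, _ = nat.outbound(iap_inner_ip, 51000,
                                            server_ip, RADIUS_AUTH_PORT)
    # 2. Access-Accept is a reply on the same flow, so it is translated back.
    reply_to = nat.inbound(server_ip, RADIUS_AUTH_PORT, seen_ip, seen_port)
    # 3. CoA-Request is a new flow to the client address the server knows, on
    #    UDP 3799; no session exists, so the NAT cannot map it to the IAP.
    coa_to = nat.inbound(server_ip, 50000, seen_ip, RADIUS_COA_PORT)
    return {"client_seen_by_server": seen_ip,
            "reply_delivered_to": reply_to,
            "coa_delivered_to": coa_to}


if __name__ == "__main__":
    print(simulate())
```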

Version history: revision 2 of 2, last updated 05-28-2020 07:02 AM