Occasional Contributor II

Cluster NAS-IP and NAS-ID differences

I have a question on clustering some controllers together in regards to the NAS-IP and NAS-ID.

Here is the current setup with IPs and VLANs:

3 controller cluster using the IPs 10.10.10.2, 3 and 4 on VLAN 10
1 VRRP created as 10.10.10.10 with all 3 controllers using that for things like AP discovery

I thought that was all that was really needed. I was set up for L2 connectivity and it was all good.

 

I'm reading the ACMP book and was reading on using VRRP addresses for RADIUS CoA and all that instead of the physical. I understand the concept of it and would like to implement it in my production for better failover/redundancy.

So in my lab I added in a new VLAN and new IPs that would be used for the VRRP for RADIUS requests.

controller 10.10.10.2 priority 128 mcast-vlan 0 vrrp-ip 10.10.20.2 vrrp-vlan 20 group 0
controller 10.10.10.3 priority 128 mcast-vlan 0 vrrp-ip 10.10.20.3 vrrp-vlan 20 group 0
controller 10.10.10.4 priority 128 mcast-vlan 0 vrrp-ip 10.10.20.4 vrrp-vlan 20 group 0

Now under the authenticating server, I don't have any entries added in for the NAS ID or IP. As well as under the RADIUS Client section, I do not have any NAS IP address or NAS IP source interfaces configured.

On the authenticating server side only the 10.10.10.x addresses are added in. It knows nothing of the 10.10.20.x VRRP addresses. On my client I attempted to connect to the network and it went through, and it showed my NAS IP was a 10.10.20.x (VRRP) address.

In the book (so far) it doesn't really distinguish between the NAS IP and NAS ID. Can someone please help me understand the difference between the two? If my authenticating server doesn't know of that VRRP IP, how can it authenticate using the physical address? Does it not need to know about the new VRRP subnets? It should be authenticating via the VRRP for redundancy. Does it do this all automatically once the cluster commands are updated with the VRRP-IP and VRRP-VLAN? Does anything else need to be updated and configured?

In the book it says the following: "Figure 6-22 shows a packet capture, from NAS IP address 10.1.10.201. This is a RADIUS request from MC2 (10.1.10.101). Notice that the NAS-IP is the VRRP IP address 10.1.10.201. The RADIUS client IP should be the real IP of the MC's."
In that packet capture snippet it shows the NAS IP as the VRRP and the NAS ID as the physical address.

Guru Elite

Re: Cluster NAS-IP and NAS-ID differences

NAS-ID is optional. NAS-IP is required and should match the source IP of the request in relation to the RADIUS server.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
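To make the distinction concrete: a RADIUS server decides whether to process an Access-Request by the UDP source IP of the datagram (the "RADIUS client" it has a shared secret for), while NAS-IP-Address (attribute 4) and NAS-Identifier (attribute 32) are just attributes the NAS writes inside the packet (RFC 2865). The script below is an added example, not Aruba code and not from this thread: it builds a constructed Access-Request that mirrors the poster's situation (sent from the physical controller IP, carrying the VRRP IP as NAS-IP-Address and the physical IP as NAS-Identifier), parses the attributes, and reports whether the source is a known client and whether NAS-IP matches the source as Tim recommends. All addresses and secrets are hypothetical values chosen to match the thread.

```python
"""Decode RADIUS NAS-IP-Address / NAS-Identifier and compare them with the datagram source IP.

Added example: not Aruba's code and not from the thread. The packet below is
constructed to mirror the poster's setup; all IPs and secrets are hypothetical.
"""
import ipaddress
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1          # RFC 2865 attribute numbers
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_IDENTIFIER = 32


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1, includes header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, authenticator: bytes, attrs: list) -> bytes:
    """Assemble Code / Identifier / Length / Authenticator header plus attributes."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute TLVs; reject lengths that do not add up (malformed packet)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs


def describe_request(packet: bytes, src_ip: str, radius_clients: dict) -> dict:
    """Separate what the server keys on (source IP) from what the NAS wrote inside
    the packet (NAS-IP-Address, NAS-Identifier)."""
    attrs = parse_attributes(packet)
    nas_ip_raw = attrs.get(ATTR_NAS_IP_ADDRESS, [None])[0]
    nas_id_raw = attrs.get(ATTR_NAS_IDENTIFIER, [None])[0]
    nas_ip = str(ipaddress.IPv4Address(nas_ip_raw)) if nas_ip_raw else None
    return {
        "source_ip": src_ip,
        # The client table lookup is what decides whether the request is processed at all.
        "client_known": src_ip in radius_clients,
        "nas_ip": nas_ip,
        # NAS-Identifier is optional and free-form; it carries no addressing meaning.
        "nas_id": nas_id_raw.decode() if nas_id_raw else None,
        # Tim's recommendation: NAS-IP-Address should equal the source IP the server sees.
        "nas_ip_matches_source": nas_ip == src_ip,
    }


# Constructed: the server only knows the physical controller addresses (hypothetical secrets).
RADIUS_CLIENTS = {"10.10.10.2": b"secret2", "10.10.10.3": b"secret3", "10.10.10.4": b"secret4"}

# Constructed: request sent from the physical IP but carrying the VRRP IP as NAS-IP-Address.
SAMPLE_PACKET = build_access_request(
    identifier=7,
    authenticator=bytes(range(16)),   # constructed placeholder, not a real random authenticator
    attrs=[
        attr(ATTR_USER_NAME, b"alice"),
        attr(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address("10.10.20.2").packed),
        attr(ATTR_NAS_IDENTIFIER, b"10.10.10.2"),
    ],
)

if __name__ == "__main__":
    # Poster's case: accepted because 10.10.10.2 is a known client, even though NAS-IP is the VRRP.
    print(describe_request(SAMPLE_PACKET, "10.10.10.2", RADIUS_CLIENTS))
    # Same packet sourced from the VRRP address: unknown client, so the server would drop it.
    print(describe_request(SAMPLE_PACKET, "10.10.20.2", RADIUS_CLIENTS))
```

Running it shows why the poster's authentication still succeeded: the datagram came from a configured client (the physical IP), so the server answered, and the VRRP address only appeared in the NAS-IP-Address attribute and the log. The second call shows the failure you would get if the request were actually sourced from an address the server has no client entry for, which is the case to plan for when moving RADIUS sourcing to the VRRP.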
Occasional Contributor II

Re: Cluster NAS-IP and NAS-ID differences

So why would my authentication be successful on that server if the 10.10.20.x VRRP addresses aren't added in? In the log of that server it showed the NAS IP as that 10.10.20.x subnet. But in theory, that 10.10.20.x subnet should be configured on that authenticating server?

Once the VRRP IP is configured on the controller cluster command, it automatically becomes the RADIUS IP source for that controller?
