MX - NAS IP 127.0.0.1
Hi,
We are running MX18.107.6 on maybe 1000-1200 MX. I just noticed that the MX is sending the RADIUS packets with a NAS-IP of 127.0.0.1. I don't remember if that is expected...
Anyone not running MX18 who could check real quick for me?
I was expecting the MX to fill the NAS-IP with the same IP that it uses to source the RADIUS packets (the highest VLAN).
Cheers!
Gulp!
What is RADIUS being used for? Wired 802.1x? WiFi? Client VPN?
Oops! That screenshot is from wired 802.1X in hybrid mode (not that it should matter, 802.1X vs hybrid).
This has been brought to the attention of our Development Team before and they have informed us that this is expected in newer firmwares to comply with RFC standards. RFC 2865 states "that NAS-IP-Address MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret." essentially saying that the NAS-IP shouldn't be used for authentication decisions. The source IP of the access request packet must be used. The RADIUS server must be configured to filter and process the RADIUS access request packets based on the source IP of the packet (the IP of the highest VLAN ID), not the NAS-IP.
https://datatracker.ietf.org/doc/html/rfc2865
Response from Support. ugh
They should have mentioned the first part of the RFC:
This Attribute indicates the identifying IP Address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server. NAS-IP-Address is only used in Access-Request packets. Either NAS-IP-Address or NAS-Identifier MUST be present in an Access-Request packet.
I don't find that 1200 MX reporting 127.0.0.1 is that unique.
I really can't believe they are taking that line. This will have tremendous blowback as it is a breaking change.
NAS-IP is a well understood and accepted field, and they simply cannot make a unilateral change like this.
I'm trying to understand the 'gain' from going that way.
Any chance of using Local Authentication in some configuration?
Please, if this post was useful, leave your kudos and mark it as solved.
Unfortunately no. We are leveraging ISE and PXGrid and other features.
Got it.
Please, if this post was useful, leave your kudos and mark it as solved.
Have you validated whether this also occurs in other versions of MX?
Please, if this post was useful, leave your kudos and mark it as solved.
Support said "that this is expected in newer firmwares", but I don't know since when.
We upgraded months ago. I would have to try maybe 16 or 17, but I can't do it at the moment.
I see a few Support cases in which customers asked the same question all the way back to 2017. That tells me it's been this way for a long time and not just newer firmware.
If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
To be honest, we don't have a lot of clients directly connected to MXs, so I never really looked at that part.
But I know that the behavior is not the same on the MS. So you might be right, that behavior is probably the same for a long time.
It is expected. MX sourced Ethernet requests come with NAS IP 127.0.0.1 and Wireless requests come with NAS IP 0.0.0.0. To work around this issue we define a high vlan number for management and define our network devices in ISE with this IP address.
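The two points the thread turns on (the Support reply quoting RFC 2865, and the workaround of registering the MX's highest-VLAN address in ISE) come down to one server-side rule: the shared secret is selected by the datagram's source IP, and NAS-IP-Address is only an attribute that is recorded. The following is an added example written for this page, not Meraki or ISE code. It builds a constructed Access-Request that reports NAS-IP-Address 127.0.0.1 (as the MX does for wired 802.1X per the posts above), looks up the client by source IP, verifies the Message-Authenticator (RFC 2869) under that secret, and flags the placeholder NAS-IP so that anything keying on the attribute can be caught. All IP addresses and secrets are hypothetical.

```python
"""Added example (not Meraki/ISE code): a minimal RADIUS Access-Request
receiver that follows RFC 2865 s.5.4 by selecting the shared secret from the
packet's source IP and only records the NAS-IP-Address attribute."""
import hashlib
import hmac
import ipaddress
import os
import struct

# Constructed RADIUS client table keyed by source IP (hypothetical addresses).
# For the MX in the thread's workaround this is the highest-VLAN address,
# which is what gets registered as the network device in ISE.
CLIENTS_BY_SOURCE_IP = {
    "10.99.0.1": b"mx-branch-secret",  # hypothetical MX, VLAN 999 interface
    "10.20.0.5": b"ms-switch-secret",  # hypothetical MS switch
}

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_NAS_IDENTIFIER, ATTR_MSG_AUTH = 1, 4, 32, 80
PLACEHOLDER_NAS_IPS = {"127.0.0.1", "0.0.0.0"}  # values the thread reports for MX wired / wireless


def _attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length (incl. 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, nas_ip, user_name, identifier=1, authenticator=None):
    """Build an Access-Request carrying NAS-IP-Address and a valid Message-Authenticator.

    Message-Authenticator (RFC 2869 s.5.14) is HMAC-MD5 over the whole packet
    with the attribute's own 16 value bytes zeroed, keyed with the shared secret.
    """
    authenticator = authenticator or os.urandom(16)  # Request Authenticator is random
    body = _attr(ATTR_USER_NAME, user_name.encode()) + _attr(
        ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
    zeroed = body + _attr(ATTR_MSG_AUTH, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(zeroed)) + authenticator
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + body + _attr(ATTR_MSG_AUTH, mac)


def parse_attrs(packet):
    """Return [(type, value), ...] from the attribute area, rejecting bad lengths."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_message_authenticator(packet, secret):
    """Recompute HMAC-MD5 with the Message-Authenticator value zeroed and compare."""
    zeroed, received, pos = bytearray(packet), None, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            return False
        if attr_type == ATTR_MSG_AUTH and length == 18:
            received = bytes(packet[pos + 2:pos + 18])
            zeroed[pos + 2:pos + 18] = b"\x00" * 16
            break
        pos += length
    if received is None:
        return False
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def handle_access_request(packet, source_ip):
    """Decide whether to process an Access-Request that arrived from source_ip."""
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST:
        return {"accepted": False, "reason": "not an Access-Request"}
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return {"accepted": False, "reason": "length field does not match datagram"}
    attrs = dict(parse_attrs(packet))
    nas_ip = str(ipaddress.IPv4Address(attrs[ATTR_NAS_IP_ADDRESS])) if ATTR_NAS_IP_ADDRESS in attrs else None
    if nas_ip is None and ATTR_NAS_IDENTIFIER not in attrs:
        return {"accepted": False, "reason": "RFC 2865: NAS-IP-Address or NAS-Identifier required"}
    # The RFC 2865 rule the thread argues about: the secret comes from the source IP,
    # so a NAS-IP-Address of 127.0.0.1 neither helps nor hurts authentication.
    secret = CLIENTS_BY_SOURCE_IP.get(source_ip)
    if secret is None:
        return {"accepted": False, "reason": f"no RADIUS client defined for source {source_ip}"}
    if not verify_message_authenticator(packet, secret):
        return {"accepted": False, "reason": "Message-Authenticator check failed"}
    return {
        "accepted": True,
        "source_ip": source_ip,
        "nas_ip_address": nas_ip,
        # What breaks when NAS-IP-Address is 127.0.0.1: anything (logging, policy,
        # device lookup) that keys on the attribute instead of the source address.
        "nas_ip_is_placeholder": nas_ip in PLACEHOLDER_NAS_IPS,
        "client_found_by_nas_ip": nas_ip in CLIENTS_BY_SOURCE_IP,
    }


if __name__ == "__main__":
    # Constructed request: MX sends from its VLAN 999 address but reports NAS-IP 127.0.0.1.
    pkt = build_access_request(CLIENTS_BY_SOURCE_IP["10.99.0.1"], "127.0.0.1", "alice")
    print(handle_access_request(pkt, "10.99.0.1"))  # accepted, nas_ip_is_placeholder True
    print(handle_access_request(pkt, "10.20.0.5"))  # wrong secret: Message-Authenticator fails
    print(handle_access_request(pkt, "192.0.2.9"))  # unknown client: rejected
```

The `client_found_by_nas_ip` field is the practical check: with 1200 MX all reporting 127.0.0.1, a device-lookup or authorization rule built on NAS-IP-Address matches nothing (or matches everything), while the same request is perfectly authenticable under the secret chosen by source IP. Keying the ISE network-device entry on the highest-VLAN address, as the post above describes, is exactly that source-IP lookup.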
Yes, I get it that it is expected, but it is still very odd. Basic things like that shouldn't behave differently across MX, MS and MR imo. That annoys me a bit.
Just because it doesn't comply with the RFC?
Please, if this post was useful, leave your kudos and mark it as solved.