MX - NAS IP 127.0.0.1

RaphaelL
Kind of a big deal

Hi,


We are running MX18.107.6 on maybe 1000-1200 MX. I just noticed that the MX is sending the RADIUS packets with a NAS-IP of 127.0.0.1. I don't remember if that is expected...

Anyone not running MX18 who could check real quick for me?

(screenshot: RaphaelL_0-1700767664188.png)

I was expecting the MX to fill the NAS-IP with the same IP that it uses to source the RADIUS packets (the highest VLAN).

Cheers!

17 REPLIES
PhilipDAth
Kind of a big deal

Gulp!

PhilipDAth
Kind of a big deal

What is RADIUS being used for? Wired 802.1X? WiFi? Client VPN?

RaphaelL
Kind of a big deal

Oops! That screenshot is from wired 802.1X in hybrid mode (not that it should matter, 802.1X vs hybrid).

RaphaelL
Kind of a big deal

This has been brought to the attention of our Development Team before and they have informed us that this is expected in newer firmwares to comply with RFC standards. RFC 2865 states "that NAS-IP-Address MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret." essentially saying that the NAS-IP shouldn't be used for authentication decisions. The source IP of the access request packet must be used. The RADIUS server must be configured to filter and process the RADIUS access request packets based on the source IP of the packet (the IP of the highest VLAN ID), not the NAS-IP.

https://datatracker.ietf.org/doc/html/rfc2865

Response from Support. Ugh.

RaphaelL
Kind of a big deal

They should have mentioned the first part of the RFC:

    This Attribute indicates the identifying IP Address of the NAS
    which is requesting authentication of the user, and SHOULD be
    unique to the NAS within the scope of the RADIUS server. NAS-IP-
    Address is only used in Access-Request packets.  Either NAS-IP-
    Address or NAS-Identifier MUST be present in an Access-Request
    packet.

I don't find that 1200 MX reporting 127.0.0.1 is that unique. 

PhilipDAth
Kind of a big deal

I really can't believe they are taking that line. This will have tremendous blowback as it is a breaking change.

NAS-IP is a well understood and accepted field, and they simply cannot make a unilateral change like this.

RaphaelL
Kind of a big deal

I'm trying to understand the 'gain' from going that way.

alemabrahao
Kind of a big deal

Any chance of using Local Authentication in some configuration?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Unfortunately no. We are leveraging ISE and pxGrid and other features.

Got it.


Have you validated whether this also occurs in other versions of MX?


Support said "that this is expected in newer firmwares", but I don't know since when.

We upgraded months ago. I would have to try maybe 16 or 17. But I can't do it at the moment.

I see a few Support cases in which customers asked the same question all the way back to 2017. That tells me it's been this way for a long time and not just newer firmware.

RaphaelL
Kind of a big deal

To be honest, we don't have a lot of clients directly connected to MXs so I never really looked at that part.

But I know that the behavior is not the same on the MS. So you might be right, that behavior has probably been the same for a long time.

cmonk
Comes here often

It is expected. MX-sourced Ethernet requests come with NAS IP 127.0.0.1 and wireless requests come with NAS IP 0.0.0.0. To work around this issue we define a high VLAN number for management and define our network devices in ISE with this IP address.
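The two technical points in this thread, that RFC 2865 selects the shared secret by the Access-Request's source IP rather than by NAS-IP-Address, and that MX Ethernet requests carry NAS-IP 127.0.0.1 (wireless 0.0.0.0) so the RADIUS server has to key on the source address, can be checked against packets on the wire. The following is an added example, not code from this thread or from Cisco Meraki: a minimal RADIUS Access-Request parser that looks up the client by UDP source address and flags NAS-IP-Address values that cannot identify a NAS. The client table, IP addresses, shared secrets and function names are constructed for the demo; the packet layout and attribute numbers are those of RFC 2865.

```python
import ipaddress
import struct

ACCESS_REQUEST = 1          # RADIUS Code for Access-Request (RFC 2865 section 3)
ATTR_NAS_IP_ADDRESS = 4     # attribute type 4, fixed length 6
ATTR_NAS_IDENTIFIER = 32    # attribute type 32, variable length
HEADER_LEN = 20             # Code, Identifier, Length, 16-byte Authenticator

# Constructed client table (hypothetical addresses and secrets). Per RFC 2865 the
# shared secret is chosen by the packet's source IP, never by NAS-IP-Address.
RADIUS_CLIENTS = {
    "192.0.2.10": {"name": "mx-branch-01", "secret": b"constructed-secret-1"},
    "192.0.2.11": {"name": "mx-branch-02", "secret": b"constructed-secret-2"},
}


def parse_attributes(payload):
    """Walk the Type/Length/Value list that follows the RADIUS header."""
    attrs = []
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        # Length counts the Type and Length octets, so it is never below 2
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def parse_radius(packet):
    """Validate the 20-byte header and return (code, identifier, attributes)."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("invalid Length field")
    # Octets beyond Length are padding and are ignored (RFC 2865 section 3)
    return code, ident, parse_attributes(packet[HEADER_LEN:length])


def build_access_request(ident, nas_ip=None, nas_id=None):
    """Constructed Access-Request with an all-zero authenticator (demo input only)."""
    body = b""
    if nas_ip is not None:
        body += bytes([ATTR_NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    if nas_id is not None:
        raw = nas_id.encode()
        body += bytes([ATTR_NAS_IDENTIFIER, 2 + len(raw)]) + raw
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body))
    return header + bytes(16) + body


def inspect_request(src_ip, packet):
    """Pick the client by source IP and report whether NAS-IP-Address is usable."""
    code, ident, attrs = parse_radius(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    client = RADIUS_CLIENTS.get(src_ip)
    nas_ip = next((str(ipaddress.IPv4Address(v)) for t, v in attrs
                   if t == ATTR_NAS_IP_ADDRESS and len(v) == 4), None)
    nas_id = next((v.decode(errors="replace") for t, v in attrs
                   if t == ATTR_NAS_IDENTIFIER), None)
    findings = []
    if client is None:
        findings.append("unknown source IP: no shared secret, drop silently")
    if nas_ip is None and nas_id is None:
        findings.append("RFC 2865: Access-Request must carry NAS-IP-Address or NAS-Identifier")
    if nas_ip is not None:
        addr = ipaddress.IPv4Address(nas_ip)
        if addr.is_loopback or addr.is_unspecified:
            findings.append(f"NAS-IP-Address {nas_ip} does not identify the NAS; "
                            f"key device policy on source IP {src_ip}")
    return {"identifier": ident, "client": client["name"] if client else None,
            "nas_ip": nas_ip, "nas_identifier": nas_id, "findings": findings}


if __name__ == "__main__":
    # Mirrors the thread: MX Ethernet request with NAS-IP 127.0.0.1 from a known client
    pkt = build_access_request(7, nas_ip="127.0.0.1")
    for line in inspect_request("192.0.2.10", pkt)["findings"]:
        print(line)
```

The lookup in `inspect_request` is the behaviour Support describes: the client entry (and therefore the shared secret) comes from the source address, which with an MX is the IP of the highest-numbered VLAN, so that is the address to register in ISE. The loopback/unspecified check is the detection a server operator can add so that a 127.0.0.1 or 0.0.0.0 NAS-IP is visibly not relied on for per-device policy.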

RaphaelL
Kind of a big deal

Yes, I get it that it is expected, but still very odd. Basic things like that shouldn't behave differently across MX, MS, MR imo. That annoys me a bit.

Just because it doesn't comply with the RFC?
