A strange public IP in NAS-IP-Address in RADIUS Access-Request

SteveWu
Conversationalist


My customer has a test environment with an MR33 AP and an Aruba RADIUS server to perform 802.1x authentication for wireless clients. The RADIUS server is in the same local LAN as the MR33 and is reachable from the MR33's LAN IP. There is no splash page enabled. When testing this RADIUS server, I got a message that the AP failed to connect. I can confirm that the shared secret is correctly configured and the AP's LAN IP has been added to the client list in Aruba. I've also tried capturing packets on the AP's wired interface, and I can see the AP has sent out an access-request to RADIUS and received an access-reject from it. In the captured access-request packet I find an AVP nas-ip-address with a value of 6.148.146.85, which is neither the Meraki cloud IP nor the AP's LAN IP. Has anybody seen this before? I'd like to verify the questions below:

1. Where does this public IP address come from? Or why does it appear in nas-ip-address?

2. Is it the cause of RADIUS rejecting the AP's access?

cta102
Building a reputation

Well, it's certainly an interesting IP address (http://whois.domaintools.com/6.148.146.85)

The RADIUS server logs should state the reason for the rejection. If it's due to the source address not being in an approved subnet, then it should log the address the RADIUS request originated from.

This certainly caught me out when I used the test authentication from the Meraki dashboard.

SteveWu
Conversationalist

Just found that the 6.x.x.x address can be seen only when using the test button on the dashboard. When using a real client as a supplicant, the normal LAN IP address of the AP is filled in NAS-IP-ADDRESS.

cta102
Building a reputation

Yeah, the test button results in a test from a cloud address, which as I said was confusing for me.

Ideally I would rather see the dashboard instructing a local device to make the request, but I do understand why it makes sense to make the request from the back end systems.