The Radius NAS IP and the method by which VCE chooses the NAS IP
Article ID: 370787
Updated On:
Products
Issue/Introduction
RADIUS NAS IP refers to the Network Access Server IP address in the context of the RADIUS (Remote Authentication Dial-In User Service) protocol. It is the IP address assigned to the network device that acts as an intermediary between the clients (supplicants) and the RADIUS server. The NAS IP address is used by the RADIUS server to identify the network access device that is forwarding authentication and authorization requests on behalf of the clients. When a supplicant initiates a connection request, the NAS IP address is included in the RADIUS packet sent to the RADIUS server.
Sometimes, particularly during the initial deployment of the authentication, customer may find Radius authentication fails even if the credentials are correctly entered. In the capture file customer may find the Radius server replies Access-Reject right after receiving Access-Request. However, if a customer authenticate the credentials on the radius server itself with IP 127.0.0.1, it works.
Environment
All supported VMware by Broadcom SD-WAN version with Radius Authentication enabled on the LAN port.
Cause
This is very likely the NAS IP is not correctly configured in the Radius server.
Resolution
In Authentication section on the VCO, customer can choose the Source Interface, VCE not only uses this IP of this interface as the source IP address of Aceess-Requset message, but also use this IP as the NAS-IP address in the "Attribute Value Pairs" in the Access-Request message. So this IP must be configured as NAS-IP in the Radius server configuration.
VLAN1 IP is 172.26.201.81:
VCE use this IP as both source IP and NAS-IP address:
Feedback
