I’m trying to use RADIUS for authentication on a couple dozen Pepwave BRMini’s and BRMAX’s, but I’ve found that whenever the authentication request is passed on to the RADIUS server the client IP address is the Pepwave Balance One that they all form a VPN with.
My problem is that I’d like to give admin rights to the Mini’s and MAX’s but not the VPN concentrator (Balance One), but that doesn’t seem possible when every request is reported as coming from the same IP address.
Is this a known issue, or is there a way around this?
Is this not normal or expected behavior? We have Balances in many offices globally, and they all talk back to the same Windows NPS. The Client is always reported as the Balance that the Mini/Max forms a PepVPN with.
They traverse several firewalls and routers to get to the NPS from every location. It seems highly likely that this is a behavior of the Pepwave devices.
Why not? Doesn’t need to be real or accurate - just needs to show enough for us to work out routing paths to have an idea about what’s going on. Without it we have to try and imagine how you have built your network and then take educated guesses.
I suspect the Radius server is on the WAN of the hub/core Balance so it’s seeing the Balance WAN IP? Radius doesn’t tend to work well over NAT and your remote peer traffic will traverse NAT as it passes out the WAN port. Disable NAT for the VPN and you’ll see remote source IPs rather than the WAN IP of the core Balance.
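A quick way to confirm the NAT theory from the NPS side, as an added example that is not part of this thread: NPS matches a RADIUS client by the UDP source address of the request, while the device itself puts its own address in the NAS-IP-Address attribute (type 4) of the Access-Request. If the two differ, something between the BR1 and the NPS rewrote the source. The script below builds a constructed Access-Request (the IPs and identifier are made-up sample values) and compares the two addresses; the same parser can be pointed at the UDP payload of a packet captured on the NPS.

```python
import socket
import struct

ACCESS_REQUEST = 1
NAS_IP_ADDRESS = 4     # RFC 2865 attribute type 4
NAS_IDENTIFIER = 32    # RFC 2865 attribute type 32

def build_access_request(ident, nas_ip, nas_id, authenticator=b"\x00" * 16):
    """Build a minimal RADIUS Access-Request carrying NAS-IP-Address and
    NAS-Identifier. Constructed test data, not a real capture."""
    ip_bytes = socket.inet_aton(nas_ip)
    nid = nas_id.encode()
    attrs = struct.pack("!BB", NAS_IP_ADDRESS, 2 + len(ip_bytes)) + ip_bytes
    attrs += struct.pack("!BB", NAS_IDENTIFIER, 2 + len(nid)) + nid
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs

def parse_attributes(packet):
    """Return (code, identifier, {type: raw value}) for one RADIUS packet,
    rejecting truncated or malformed attribute lists."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, attrs

def check_nat(packet, udp_source_ip):
    """Compare the UDP source the RADIUS server saw with the NAS-IP-Address
    the client wrote into the packet. A mismatch means the source address
    was rewritten in transit (NAT on the hub Balance, in this thread)."""
    code, _, attrs = parse_attributes(packet)
    if code != ACCESS_REQUEST or NAS_IP_ADDRESS not in attrs:
        return None
    claimed = socket.inet_ntoa(attrs[NAS_IP_ADDRESS])
    nas_id = attrs.get(NAS_IDENTIFIER, b"").decode(errors="replace")
    return {"udp_source": udp_source_ip, "nas_ip": claimed,
            "nas_identifier": nas_id, "natted": claimed != udp_source_ip}

if __name__ == "__main__":
    # Constructed sample: a BR1 at 10.50.1.1 whose request arrives at NPS
    # from the hub Balance WAN address 203.0.113.10.
    pkt = build_access_request(7, "10.50.1.1", "BR1MAX-site1")
    print(check_nat(pkt, "203.0.113.10"))
```

If NAT is off and routing is correct, `udp_source` and `nas_ip` match and `natted` is False; the NPS client entry can then be created per BR1 address.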
Martin is right. For Radius communication, we need to know the exact routing involved so that we can advise whether the traffic is NATed or being routed via the WAN interface. Supposedly for a PepVPN connection, the LAN IP of the Balance should be used for the Radius communication.
I appreciate the replies. I’m out of the office for the next few days, but the Pepwave Balance is used purely as a VPN concentrator/terminator on the WAN port that sits in a DMZ. I don’t utilize the LAN side at all. We don’t utilize any other functionality on the Balance aside from BGP and OSPF.
Very rough path for traffic: MiniMax → Balance (WAN side/LAN disabled) → FW → FW → RTR → NPS Server.
As far as I know, we already have NAT turned off, so this behavior was a surprise. We don’t NAT on our S2S tunnels either.
I was mainly curious whether this was expected behavior, and you’re saying it’s not, which helps. I’ll double check the NAT settings on the Balance.
If I can’t resolve this when I’m back in the office I’ll post a network map.
I’ve attached a simplified network map of a typical scenario with a BR1Max and a Balance One Core talking to our RADIUS server. We have a dozen different physical sites with Balances and a handful of BR1Max’s at each site. The RADIUS server sees all Client IP requests as the IP of the Balance.
I’ve double-checked the Balance and the BR1Max - NAT mode is disabled. We have other tools that reach out to devices behind the BR1Max’s and we have no problem seeing the correct source IPs. The configuration on the Balance and BR1Max is extremely minimal. We use them purely as cellular VPN devices to extend our network. Nothing else is enabled aside from OSPF and SNMP (which see BR1Max device IPs accurately).
Do you mean the Peplink Balance IP as shown in the diagram? I assumed the firewall is connected at the WAN of the Balance device. You can disable the WAN NAT for PepVPN traffic.