topic Radius over Sito-to-Site VPN in Network Access Control

Radius over Sito-to-Site VPN

p.caforio — Mon, 11 Mar 2019 02:09:03 GMT

Hello everybody,

I have a Sito-to-Site VPN between two ASA 5540 outside interfaces.

I'm trying to configure ssh radius authentication on one of them but the Radius server is located behind the other ASA.

When I try to connect to this ASA outside interface using my radius credentials, the communication to the radius server goes in timeout.

It seems that the ASA doesn't use the crypto map to route the request to the Radius server.

Can anyone help me.

This is the radius config on the ASA:

aaa-server RADIUS protocol radius

accounting-mode simultaneous

max-failed-attempts 5

aaa-server RADIUS (outside) host radius01

key *****

aaa authentication ssh console RADIUS LOCAL

Thanks,

Paolo

Radius over Sito-to-Site VPN

Jennifer Halim — Thu, 31 May 2012 13:12:31 GMT

Since you would like your radius authentication to go over the VPN tunnel, then you would need to specify the inside interface, instead of outside interface. That would source the radius request from the inside interface which I believe the subnet should be part of the crypto ACL. Otherwise, if it's not part of the crypto ACL, you can add that subnet so it goes over the vpn tunnel.

aaa-server RADIUS (inside) host radius01

Radius over Sito-to-Site VPN

Badriddin Gulyaev — Tue, 11 Jun 2013 13:12:08 GMT

I have the same problem, and i tried to put inside interface instead outside but still asa wont to connect to RADIUS.

Radius over Sito-to-Site VPN

Jatin Katyal — Tue, 11 Jun 2013 14:17:17 GMT

Are you able to ping the radius server sourcing inside interface?

ping inside radius-ip-address

Please provide the debugs from the ASA

debug radius

debug aaa authen

run the test command:

test aaa authentication RADIUS host radius-server-ip

username:xxxxx

password:xxxxx

Are you seeing any hits on the radius side?

Jatin Katyal
- Do rate helpful posts -

Re: Radius over Sito-to-Site VPN

Badriddin Gulyaev — Thu, 13 Jun 2013 05:40:54 GMT

No i cannot ping from inside Interface Ip of my RADIUS

and this is the debug while testing

FMFB-KGT# radius mkreq: 0x17e

alloc_rip 0xd8d2bc08

new request 0x17e --> 20 (0xd8d2bc08)

got user 'badriddin.g'

got password

add_req 0xd8d2bc08 session 0x17e id 20

RADIUS_REQUEST

radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------

Raw packet data (length = 69).....

01 14 00 45 46 07 34 5d d2 a3 a0 59 1e ff cc 15 | ...EF.4]...Y....

2a 1b b8 91 01 0d 62 61 64 72 69 64 64 69 6e 2e | *.....badriddin.

67 02 12 a4 01 06 8e ab df 27 4a 51 9e dc 16 2d | g........'JQ...-

24 27 e3 04 06 c0 a8 06 65 05 06 00 00 00 0b 3d | $'......e......=

06 00 00 00 05 | .....

Parsed packet data.....

Radius: Code = 1 (0x01)

Radius: Identifier = 20 (0x14)

Radius: Length = 69 (0x0045)

Radius: Vector: 4607345DD2A3A0591EFFCC152A1BB891

Radius: Type = 1 (0x01) User-Name

Radius: Length = 13 (0x0D)

Radius: Value (String) =

62 61 64 72 69 64 64 69 6e 2e 67 | badriddin.g

Radius: Type = 2 (0x02) User-Password

Radius: Length = 18 (0x12)

Radius: Value (String) =

a4 01 06 8e ab df 27 4a 51 9e dc 16 2d 24 27 e3 | ......'JQ...-$'.

Radius: Type = 4 (0x04) NAS-IP-Address

Radius: Length = 6 (0x06)

Radius: Value (IP Address) = 192.168.6.101 (0xC0A80665)

Radius: Type = 5 (0x05) NAS-Port

Radius: Length = 6 (0x06)

Radius: Value (Hex) = 0xB

Radius: Type = 61 (0x3D) NAS-Port-Type

Radius: Length = 6 (0x06)

Radius: Value (Hex) = 0x5

send pkt pdcsrv/1645

RADIUS_SENT:server response timeout

RADIUS_DELETE

remove_req 0xd8d2bc08 session 0x17e id 20

free_rip 0xd8d2bc08

radius: send queue empty

How to make it accessible to ping the remote side through crypto tunel?

Radius over Sito-to-Site VPN

a.crusius — Mon, 29 Jul 2013 11:56:00 GMT

Try this:

management-access inside

This fixed the problem for me.

Re: Radius over Sito-to-Site VPN

mohdsuhailpgdi1 — Tue, 09 Jul 2019 09:42:25 GMT