https://community.cisco.com/t5/network-access-control/aaa-authentication-over-l2l/m-p/1604445#M346168 <HTML><HEAD></HEAD><BODY><P>Ivan,</P><P></P><P>I've tested aaa server with inside and outside interface. Management is set to inside interface. Same result - No responce.</P><P></P><P></P><P>Anisha,</P><P></P><P>I will test tomorrow and let you know.</P><P></P><P></P><P>I've just set up a new ASA5505 at home and tested radius up against our main office - No responce <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> aaa server is set to outside interface and im trying to connect to our main office WAN IP... 1645 and 1646 UDP ports are forwarded at main office... This should work to?</P><P></P><P></P><P>Thanks for your help so far <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Tue, 04 Jan 2011 22:28:06 GMT csondergaard 2011-01-04T22:28:06Z https://community.cisco.com/t5/network-access-control/aaa-authentication-over-l2l/m-p/1604438#M346050 <P>Hi,</P><P></P><P>I have an ASA5505 with a L2L tunnel set up for our main office. L2L is working - no problems there.</P><P></P><P>The problem is we have some Remote VPN Clients that connects to this ASA 5505.. And i need it to authenticate to our radius (Windows 2003) in main office.</P><P></P><P>I've set "Management interface inside" and i can manage the ASA5505 from my radius server (Both via SSH and ASDM).</P><P></P><P>I've also tried to forward port 1645,1646 from outside to my radius server in main office and set the ASA5505 to conect to its outside IP address - No luck there either.</P><P></P><P>Do I need to enable something specific to allow radius traffic to an external host?</P><P></P><P>Thanks in advance!</P><P></P><P>Best regards</P><P>Carsten</P> Mon, 11 Mar 2019 00:41:02 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-over-l2l/m-p/1604438#M346050 csondergaard 2019-03-11T00:41:02Z https://community.cisco.com/t5/network-access-control/aaa-authentication-over-l2l/m-p/1604439#M346073 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I understand the radius server is behind the main office and you wish to authenticate the RA VPN users across the L2L tunnel.</P><P></P><P>topology is something like this:</P><P></P><P>RA VPN users -- ASA -- Main office device -- Radius server (win 2k3).</P><P></P><P>Please correct if above is wrong.</P><P></P><P>Please include the traffic from the pool to radius server and reverse as a part of interesting traffic(crypto acl) and nat exemption. That sholud resolve the problem.</P><P></P><P>Please let me know if this helps! <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" height="16" src="https://community.cisco.com/images/emoticons/happy.gif" width="16"></SPAN></P><P></P><P>Regards,</P><P>Anisha</P></BODY></HTML> Mon, 03 Jan 2011 12:52:35 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-over-l2l/m-p/1604439#M346073 andamani 2011-01-03T12:52:35Z https://community.cisco.com/t5/network-access-control/aaa-authentication-over-l2l/m-p/1604440#M346086 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Topology is correct <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>If I authenticate a user with the LOCAL user database the user can access the ASA5505 network AND our main office. No problems there either.. Just the radius traffic i have problems with <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Best regards</P><P>Carsten</P></BODY></HTML> Mon, 03 Jan 2011 13:12:43 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-over-l2l/m-p/1604440#M346086 csondergaard 2011-01-03T13:12:43Z https://community.cisco.com/t5/network-access-control/aaa-authentication-over-l2l/m-p/1604441#M346098 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Is the test aaa authentication <AAA-SERVER> host x.x.x.x username <USERNAME> password <PASSWORD> working from the ASA??</PASSWORD></USERNAME></AAA-SERVER></P><P></P><P>If yes, then you need to define the traffic in crypto ACL i.e.the pool ip address to the radius server and reverse on the other end of the tunnel.</P><P>please ensure you have a nat exemption for the same.</P><P></P><P>Let me know how it goes.</P><P></P><P>Regards,</P><P>Anisha</P></BODY></HTML> Mon, 03 Jan 2011 13:28:28 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-over-l2l/m-p/1604441#M346098 andamani 2011-01-03T13:28:28Z https://community.cisco.com/t5/network-access-control/aaa-authentication-over-l2l/m-p/1604442#M346122 <HTML><HEAD></HEAD><BODY><P>When using this line:</P><P>test aaa authentication partnerauth host 172.20.12.9 usernamen Administrator password xxx</P><P></P><P>I get this:</P><P>INFO: Attempting Authentication test to IP address <DOMINO> (timeout: 12 seconds)<BR />ERROR: Authentication Server not responding: No error</DOMINO></P><P></P><P>From the host 172.20.12.9 (The radius server) i can ping the ASA's inside interface (172.16.7.1).</P><P></P><P></P><P>Best regards</P><P>Carsten</P></BODY></HTML> Mon, 03 Jan 2011 14:56:39 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-over-l2l/m-p/1604442#M346122 csondergaard 2011-01-03T14:56:39Z https://community.cisco.com/t5/network-access-control/aaa-authentication-over-l2l/m-p/1604443#M346130 <HTML><HEAD></HEAD><BODY><P>Please enable following debugs:</P><P>1. Debugs aaa authentication</P><P>2. debug radius all</P><P>3. term mon</P><P></P><P>Try the test command and please paste the debug output.</P><P></P><P>Regards,</P><P>Anisha</P></BODY></HTML> Mon, 03 Jan 2011 15:36:54 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-over-l2l/m-p/1604443#M346130 andamani 2011-01-03T15:36:54Z https://community.cisco.com/t5/network-access-control/aaa-authentication-over-l2l/m-p/1604444#M346146 <HTML><HEAD></HEAD><BODY><P>Carsten,</P><P></P><P>How is your aaa server setup defined? is it showing something like aaa-server .... (inside) or outside? can you re enter the setup making sure the interface is defined as inside, management access allows the management traffic to go sourced from inside interface, however if your setup is not defined as inside it might not work.</P></BODY></HTML> Tue, 04 Jan 2011 19:16:46 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-over-l2l/m-p/1604444#M346146 Ivan Martinon 2011-01-04T19:16:46Z https://community.cisco.com/t5/network-access-control/aaa-authentication-over-l2l/m-p/1604445#M346168 <HTML><HEAD></HEAD><BODY><P>Ivan,</P><P></P><P>I've tested aaa server with inside and outside interface. Management is set to inside interface. Same result - No responce.</P><P></P><P></P><P>Anisha,</P><P></P><P>I will test tomorrow and let you know.</P><P></P><P></P><P>I've just set up a new ASA5505 at home and tested radius up against our main office - No responce <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> aaa server is set to outside interface and im trying to connect to our main office WAN IP... 1645 and 1646 UDP ports are forwarded at main office... This should work to?</P><P></P><P></P><P>Thanks for your help so far <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Tue, 04 Jan 2011 22:28:06 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-over-l2l/m-p/1604445#M346168 csondergaard 2011-01-04T22:28:06Z https://community.cisco.com/t5/network-access-control/aaa-authentication-over-l2l/m-p/1604446#M346196 <HTML><HEAD></HEAD><BODY><P>Your Radius server must have a client ip address definition, what is this ip address the public ip address of the remote ASA devices? As for your port forwarding well yeah you must allow 1645 for authentication and must have a static nat entry or static port forward entry along with the proper acls in place.</P></BODY></HTML> Tue, 04 Jan 2011 22:43:38 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-over-l2l/m-p/1604446#M346196 Ivan Martinon 2011-01-04T22:43:38Z https://community.cisco.com/t5/network-access-control/aaa-authentication-over-l2l/m-p/1604447#M346261 <HTML><HEAD></HEAD><BODY><P>I have no idea why - But now its works...</P><P></P><P>Had just entered your debug commands and tested AAA authentiaction again... Then it just replied "Authentication succesfull"..</P><P></P><P>Maybe the Windows server was rebooted or something..</P><P></P><P>I ended up using "inside" interface and the L2L tunnel for authentication.</P><P></P><P>Anyway - Thanks alot for all your help <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Fri, 07 Jan 2011 10:09:56 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-over-l2l/m-p/1604447#M346261 csondergaard 2011-01-07T10:09:56Z