topic Re: I cannot capture Radius traffic! in Network Security

I cannot capture Radius traffic!

sawesa — Fri, 06 Mar 2020 12:03:01 GMT

Hello,

I hope someone can help me with this capture.

I have an ASA configured to authenticate towards an AAA server, with the following config:

aaa-server RAS-Server protocol radius
aaa-server RAS-Server (if-inside) host 10.10.6.5
key *****
authentication-port 1812

And Im running a capture as

capture capradius interface if-inside match UDP host 10.50.3.1 host 10.10.6.5 eq 1812

Then I access with my AAA user to the ASA but nothing is captured!

What am I missing here?

I can see the traces in the syslog thought, coming from the 10.50.3.1 to the auth server in10.10.6.5

Thanks in advance!

Re: I cannot capture Radius traffic!

kapydan88 — Fri, 06 Mar 2020 14:13:05 GMT

if i understand you correctly, you want tocapture traffic from cisco asa?

if yes, try to capture another type of traffic.

Re: I cannot capture Radius traffic!

Cristian Matei — Fri, 06 Mar 2020 14:57:39 GMT

Hi,

Can you try the following captures:

capture first interface if-inside match ip host 10.50.3.1 host 10.10.6.5

capture second interface if-inside match ip any host 10.10.6.5

Regards,

Cristian Matei.

Re: I cannot capture Radius traffic!

Sheraz.Salim — Fri, 06 Mar 2020 15:45:42 GMT

access-list capi extended permit ip host 10.50.3.1 host 10.10.6.5
access-list capi extended permit ip host 10.10.6.5 host 10.50.3.1
!
capture capture interface if-inside access-list capi
!
copy /pcap capture: flash:capi

Re: I cannot capture Radius traffic!

sawesa — Mon, 09 Mar 2020 13:10:41 GMT

Thanks for your suggestions, but none of them worked.

I spent one hour in webex session with Cisco tech engineer, but no luck.

show capture
capture capin type raw-data interface if-inside [Capturing - 0 bytes]
  match udp any host 10.10.6.5
capture cap2 type raw-data interface if-inside [Capturing - 0 bytes]
  match ip host 10.50.3.1 any
capture capout type raw-data interface outside [Capturing - 0 bytes]
  match ip host 10.10.6.5 any
capture rascapture type raw-data access-list capi interface if-inside [Capturing     - 0 bytes]

This is all what I got running in the server, and Im logging in and out constantly.

I can see in the logging how the connections are being sent to the auth server:

6|Mar 09 2020 14:05:26|302015: Built outbound UDP connection 1051051 for outside:10.10.6.5/1812 (10.10.6.5/1812) to identity:10.50.3.1/49766 (10.50.3.1/49766)
6|Mar 09 2020 14:05:26|113004: AAA user authentication Successful : server =  10.10.6.5 : user = ***
6|Mar 09 2020 14:05:26|113008: AAA transaction status ACCEPT : user = ***
6|Mar 09 2020 14:05:26|611101: User authentication succeeded: IP address: **.**.**.**, Uname: ***
6|Mar 09 2020 14:05:26|611101: User authentication succeeded: IP address: **.**.**.**, Uname: ***
6|Mar 09 2020 14:05:26|605005: Login permitted from **.**.**.**/15180 to outside:**.**.**.**/ssh for user "***"

Does anyone understand why the Radius traffic is not being caught?

Im not sure this matters, but the connection to the AAA server is done through VPN

Re: I cannot capture Radius traffic!

sawesa — Fri, 13 Mar 2020 15:20:04 GMT

OK, so after a lot of struggle now Im told by Cisco engineer that tunneled traffic cannot be captured.

This is probably very basic but I'm surprised that it took this long to be spotted

Thank you all for your kind help

Re: I cannot capture Radius traffic!

Cristian Matei — Fri, 13 Mar 2020 15:53:51 GMT

Hi,

Traffic source/destined to the ASA (like RADIUS), when sent through a tunnel, it cannot be captured, because packet-capture is the first things it happens when a packet is received (as you want to capture the packet before ASA does any changes), and the last thing it happens when a packet is sent (as you want to capture the packet after the ASA has done all changes). So for your case, both ingress/egress packets were encrypted, thus the configured ACL for capture did not match.

Regards,

Cristian Matei.