topic Re: Radius authentication timeout in Network Security

Radius authentication timeout

jensscheuvens — Fri, 23 Feb 2024 08:33:26 GMT

Dear Community,

We are trying to get Radius authentication to work for one of our ASA´s.
It is working for every ASA except ASA1.

following structure is given:

ASA1:
GigabitEthernet0/1
nameif transfer-ASA1-ASA2
security-level 10
ip address 194.1.1.1 255.255.255.240

GigabitEthernet0/3
nameif TS
security level 90
ip address 192.168.4.1 255.255.255.0

<Transfer Network between ASA1 and ASA2>

ASA2:
GigabitEthernet0/2
nameif transfer-ASA1-ASA2
security-level 0
ip address 194.1.1.5 255.255.255.240

<VPN ASA2 to ASA3>

ASA3:
GigabitEthernet0/0
nameif outside
security-level 0
ip address 193.1.1.1 255.255.255.240

<Transfer Network between ASA3 and ASA4>

ASA4:
GigabitEthernet0/0
nameif outside
security-level 0
ip address 193.1.1.5 255.255.255.240

GigabitEthernet0/1.1
vlan 10
nameif service-hosts
security level 66
ip address 10.10.10.1 255.255.255.0

We are trying to authenticate ASA1 to Radius Server 10.10.10.50 located behind Interface "service-hosts" on ASA4.

if doing the following:

- Access ASA1 via ASDM from Host behind Interface "TS" (192.168.4.5) I am able to login with local account
- issue "test aaa-server authentication RADIUS host 10.10.10.50 username xxxx password xxxx"

We can observe on the Radius host itself that everything is fine, request received and successfully authenticated:

Thu Feb 22 14:40:20 2024 : Auth: (1488) Login OK: [xxxx] (from client xxxx port 77)

whilst on ASA1 we are prompted with:

"INFO: Attempting Authentication test to IP address (10.10.10.50) (timeout: 12 seconds)
ERROR: Authentication Server not responding: No response from server"

The logging shows connection immediatly beeing torn down:

Teardown UDP connection 3616867950 for TS:10.10.10.50/1812 to identity:192.168.4.1/61407 duration 0:00:00 bytes 171
Built outbound UDP connection 3616867950 for TS:10.10.10.50/1812 (10.10.10.50/1812) to identity:192.168.4.1/61407 (192.168.4.1/61407)

Note:
On ASA1 Interface "TS" is configured as Management Access Interface (Device Management => Management Access => Management Interface)
Radius Server Host 10.10.10.50 is located behind interface "service-hosts" on ASA4.

Radius config on ASA1:

aaa-server MGMT protocol radius
aaa-server MGMT (TS) host 10.10.10.50
key *****
authentication-port 1812
accounting-port 1813

Does somebody have any advice here why this is not working?
For the other ASAs it is working.

Best regards

Re: Radius authentication timeout

Aref Alsouqi — Fri, 23 Feb 2024 10:19:49 GMT

I am assuming that you added ASA1 as a client on the RADIUS server with its IP 192.168.4.1. Could you please run some packet capture on ASA4's interface Gi0/1.1 filtering the capture with ASA1 and the RADIUS server IPs and share the output for review?

cap RADIUS-TRAFFIC inter service-hosts match udp host 192.168.4.1 host 10.10.10.50 eq 1812
cap RADIUS-TRAFFIC inter service-hosts match udp host 10.10.10.50 eq 1812 host 192.168.4.1

Re: Radius authentication timeout

jensscheuvens — Mon, 26 Feb 2024 09:23:59 GMT

Hello,

Yes it is added with IP 192.168.4.1 as a Client. If this would not be correct then I think I will not get "login OK" on Radius.
If typing in a wrong password the Radius is saying "incorrect password".

Below you can find the capture:
3 19.909666 192.168.4.1 10.10.10.50 RADIUS 133 Access-Request id=68
4 19.893676 10.10.10.50 192.168.4.1 RADIUS 130 Access-Accept id=68

Re: Radius authentication timeout

Ruben Cocheno — Wed, 28 Feb 2024 00:02:09 GMT

@jensscheuvens

Found problems always sourcing traffic for Radius from the LAN traversing the same device, may i suggest you try using ASA1: GigabitEthernet0/1 instead

Re: Radius authentication timeout

jensscheuvens — Wed, 28 Feb 2024 07:51:09 GMT

@Ruben Cocheno

thanks for your answer.

So you mean traffic should exit and come back via external ASA1: GigabitEthernet0/1 or new Radius host should be placed behind Interface at ASA1?