ASA 5506 cannot connect to RADIUS server on inside subnet

jpodo (Level 1)

I am trying to authenticate SSH connections via RADIUS, but I cannot get my ASA to connect to the RADIUS server (AD DC w/ NPS) despite the fact that the server is local to the inside interface.  The ASA IP is 10.10.10.1 and the RADIUS server IP is 10.10.10.100.  Using packet-trace (at bottom), I see that it is implicitly denying this connection, and I can't figure out why for the life of me, but I can ping it successfully.  Please help!

asa01# sh run
: Saved
: Serial Number: ***
: Hardware:   ASA5506W, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.9(2)
!
hostname asa01
domain-name xeroday.net
enable password ***
fips enable
names

!
interface GigabitEthernet1/1
 description To Internet
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 description To LAN
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet1/3
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet1/4
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet1/5
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet1/6
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet1/7
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet1/8
 no nameif
 security-level 50
 no ip address
!
interface GigabitEthernet1/9
 description To WLAN Module
 nameif wifi
 security-level 100
 ip address 10.10.100.1 255.255.255.0
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name ***
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network EXCH_HTTP
 host 10.10.10.25
object network EXCH_HTTPS
 host 10.10.10.25
object network EXCH_SMTP
 host 10.10.10.25
object network EXCH_IMAP
 host 10.10.10.25
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network RAD_AUTH
 host 10.10.10.100
object network RAD_ACCT
 host 10.10.10.100
object-group protocol INLINE
 protocol-object ip
access-list outside_access_in extended permit tcp any object EXCH_HTTP eq www
access-list outside_access_in extended permit tcp any object EXCH_HTTPS eq https
access-list outside_access_in extended permit tcp any object EXCH_SMTP eq smtp
access-list outside_access_in extended permit tcp any object EXCH_IMAP eq imap4
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu wifi 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network EXCH_HTTP
 nat (inside,outside) static interface service tcp www www
object network EXCH_HTTPS
 nat (inside,outside) static interface service tcp https https
object network EXCH_SMTP
 nat (inside,outside) static interface service tcp smtp smtp
object network EXCH_IMAP
 nat (inside,outside) static interface service tcp imap4 imap4
object network obj_any
 nat (inside,outside) dynamic interface

/// I've tried with and without this and still no success
object network RAD_AUTH
 nat (inside,inside) static interface service udp 1812 1812
object network RAD_ACCT
 nat (inside,inside) static interface service udp 1813 1813
///

access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server RAD_SERVERS protocol radius
aaa-server RAD_SERVERS (inside) host 10.10.10.100
 key *****
 authentication-port 1812
 accounting-port 1813
 radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console RAD_SERVERS LOCAL
aaa authentication ssh console RAD_SERVERS LOCAL
aaa authentication http console RAD_SERVERS LOCAL
aaa accounting enable console RAD_SERVERS
aaa accounting ssh console RAD_SERVERS
aaa authorization http console RAD_SERVERS
aaa authentication login-history
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
ssh cipher encryption high
ssh cipher integrity high
ssh key-exchange group dh-group14-sha1
console timeout 0

dhcprelay server 10.10.10.100 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl server-version tlsv1.1
ssl client-version tlsv1.1
ssl cipher default high
ssl cipher tlsv1 fips
ssl cipher tlsv1.1 fips
ssl cipher tlsv1.2 high
ssl cipher dtlsv1 fips
ssl dh-group group24
ssl ecdh-group group20
dynamic-access-policy-record DfltAccessPolicy
username *** password $***$***$***==$***== *** privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 5 mode exec command more
privilege cmd level 5 mode exec command dir
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege cmd level 3 mode exec command packet-tracer
privilege cmd level 5 mode exec command export
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command route
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command service-policy
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command eigrp
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:
: end
asa01#
asa01# packet-trace input inside udp 10.10.10.1 1812 10.10.10.100 1812 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.100 using egress ifc  inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaac2bf8ea0, priority=501, domain=permit, deny=true
        hits=4, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=10.10.10.1, mask=255.255.255.255, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

asa01# ping 10.10.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
asa01#

 

6 Replies

Packet tracer is used to simulate traffic passing through the ASA, not traffic going to the ASA.  That is why it is failing.  Your configuration looks fine, have you checked the logs on the RADIUS server?

Have you added the ASA as a network device in the AD NPS configuration? https://theitbros.com/radius-server-configuration-on-windows/

If the above is done, I would start by doing a packet capture (using the packet capture wizard in ASDM) and checking this in Wireshark to see if you are actually getting return traffic from the RADIUS server.  You might also want to do a SPAN of the server port at the same time so you can correlate the capture from the ASA and the RADIUS.

--
Please remember to select a correct answer and rate helpful posts

It isn't simulating traffic going to the ASA.  It's simulating traffic originating from the ASA.  If I change the source IP to a host on my inside network and run packet-trace, it is allowed.  The problem is that the actual RADIUS client is the ASA itself which is getting blocked by an implicit deny.  The RADIUS server logs show no connection requests.

 

As for my AD NPS configuration, I have the ASA enabled as a RADIUS client...
Friendly name: asa01
Address: 10.10.10.1
Shared secret: [matches]
Vendor name: Cisco

I have a Connection Request Policy with the following properties:
Client Friendly Name: asa01
Authentication: Authenticate requests on this server
Realm Name Attribute: User-Name

I have a Network Policy with the following properties:
Access Permission: Grant access
Conditions: User Groups: Cisco Admins
Constraints:
Authentication Methods: Unencrypted authentication (PAP, SPAP)
RADIUS Attributes:
Standard: Service-Type: Login
Vendor Specific: Cisco-AV-Pair: shell:priv-lvl=15
Encryption: All selected (Basic, Strong, Strongest, None)

Still broken... I have the following test aaa-server result:

asa01# test aaa-server auth RAD_SERVERS host 10.10.10.100 username *** password ***
INFO: Attempting Authentication test to IP address (10.10.10.100) (timeout: 12 seconds)
ERROR: Authentication Server not responding: No response from server
asa01#

Here's a debug and RADIUS test.

 

asa01# debug radius
asa01# test aaa-server auth RAD_SERVERS host 10.10.10.100 username *** password ***
INFO: Attempting Authentication test to IP address (10.10.10.100) (timeout: 12 seconds)
radius mkreq: 0x80000004
alloc_rip 0x00002aaac2c8d038
    new request 0x80000004 --> 114 (0x00002aaac2c8d038)
got user '***'
add_req 0x00002aaac2c8d038 session 0x80000004 id 114
RADIUS_REQUEST
radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 84).....
01 72 00 54 c4 96 82 83 5f 03 a9 7d 1e 36 4d 32    |  .r.T...._..}.6M2
d1 df 2d ab 01 07 00 00 00 00 00 02 12 13 e6 5b    |  ..-...*****....[
26 06 d5 7d 04 af 25 55 52 70 03 99 33 04 06 0a    |  &..}..%URp..3...
0a 0a 01 05 06 00 00 00 19 3d 06 00 00 00 05 1a    |  .........=......
15 00 00 00 09 01 0f 63 6f 61 2d 70 75 73 68 3d    |  .......coa-push=
74 72 75 65                                        |  true

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 114 (0x72)
Radius: Length = 84 (0x0054)
Radius: Vector: C49682835F03A97D1E364D32D1DF2DAB
Radius: Type = 1 (0x01) User-Name
Radius: Length = 7 (0x07)
Radius: Value (String) =
00 00 00                                     |  ***
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
13 e6 5b 26 06 d5 7d 04 af 25 55 52 70 03 99 33    |  ..[&..}..%URp..3
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.10.10.1 (0x0A0A0A01)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x19
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 21 (0x15)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 15 (0x0F)
Radius: Value (String) =
63 6f 61 2d 70 75 73 68 3d 74 72 75 65             |  coa-push=true
send pkt 10.10.10.100/1812
RADIUS_SENT:server response timeout
RADIUS_DELETE
remove_req 0x00002aaac2c8d038 session 0x80000004 id 114
free_rip 0x00002aaac2c8d038
radius: send queue empty
ERROR: Authentication Server not responding: No response from server
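The Access-Request in the debug output above can be decoded with the following parser, added here as an example and not code from the thread, from Cisco or from Microsoft. It also implements the RFC 2865 User-Password hiding that the "Unencrypted authentication (PAP)" setting in the NPS policy relies on; since the real shared secret is masked, the round trip uses a constructed secret, and the User-Name bytes are the 00s the poster substituted.

```python
import hashlib
import struct

# Access-Request copied byte-for-byte from the "debug radius" hex dump in the
# thread (the poster had already masked the User-Name value with 00 bytes).
ACCESS_REQUEST = bytes.fromhex(
    "01720054" "c49682835f03a97d1e364d32d1df2dab"  # code 1, id 114, length 84, authenticator
    "01070000000000"                               # 1  User-Name (masked)
    "0212" "13e65b2606d57d04af25555270039933"      # 2  User-Password (PAP-hidden)
    "04060a0a0a01"                                 # 4  NAS-IP-Address 10.10.10.1
    "050600000019"                                 # 5  NAS-Port 25
    "3d0600000005"                                 # 61 NAS-Port-Type 5 (Virtual)
    "1a15" "00000009" "010f" "636f612d707573683d74727565"  # 26 VSA vendor 9, Cisco-AV-pair
)

def parse_radius(pkt: bytes) -> dict:
    # RFC 2865 header: code, identifier, length, 16-byte request authenticator
    if len(pkt) < 20 or struct.unpack("!BBH", pkt[:4])[2] != len(pkt):
        raise ValueError("packet length does not match the RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = pkt[pos], pkt[pos + 1]
        value = pkt[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6 and 4 + value[5] <= len(value):
            # Vendor-Specific: vendor id, then vendor type / vendor length / string
            vendor = struct.unpack("!I", value[:4])[0]
            attrs.append((atype, (vendor, value[4], value[6:4 + value[5]])))
        else:
            attrs.append((atype, value))
        pos += alen
    return {"code": code, "id": ident, "authenticator": pkt[4:20], "attrs": attrs}

def _pap_xor(secret: bytes, authenticator: bytes, data: bytes, hide: bool) -> bytes:
    # RFC 2865 5.2: block i is XORed with MD5(secret + wire block i-1); block 0 uses the authenticator
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        blk = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(blk, hashlib.md5(secret + prev).digest()))
        out += res
        prev = res if hide else blk
    return bytes(out)

def pap_hide(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    return _pap_xor(secret, authenticator, password + b"\x00" * (-len(password) % 16), True)

def pap_unhide(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    return _pap_xor(secret, authenticator, hidden, False).rstrip(b"\x00")
```

The parsed attributes match the "Parsed packet data" section of the debug, and the round trip shows that PAP's only protection on the wire is MD5 keyed by the shared secret and the per-request authenticator, which is why that secret needs to be long and random.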

In addition to the RADIUS server logs, I would recommend an actual packet capture on the RADIUS server.

Your ASA configuration looks mostly correct. The nat (inside,inside) lines aren't necessary.

Whether the traffic is to or from the ASA, you cannot use packet-tracer for either type. You can only use it to test synthetic packets THROUGH the ASA. That is, something arriving on a given interface and then egressing the ASA. The source IP in packet-tracer can never be any interface address of the ASA itself.

The RADIUS server/DC is a Windows Server 2019 VM, and apparently this is a known bug with Server 2019 that blocks the traffic despite local firewall rules allowing it.  F****** Microsoft.

 

I had to add a duplicate rule just for RADIUS traffic and not associate it with the NPS group.  I guess I just misunderstood packet-tracer!  Thanks for new information though!

You're welcome. Thanks for sharing your solution.
