AAA authentication over L2L

csondergaard
Level 1

Hi,

I have an ASA5505 with an L2L tunnel set up for our main office. L2L is working - no problems there.

The problem is we have some Remote VPN Clients that connect to this ASA 5505, and I need it to authenticate to our RADIUS (Windows 2003) in the main office.

I've set "Management interface inside" and I can manage the ASA5505 from my RADIUS server (both via SSH and ASDM).

I've also tried to forward ports 1645,1646 from outside to my RADIUS server in the main office and set the ASA5505 to connect to its outside IP address - no luck there either.

Do I need to enable something specific to allow RADIUS traffic to an external host?

Thanks in advance!

Best regards

Carsten

9 Replies

andamani
Cisco Employee

Hi,

I understand the RADIUS server is behind the main office and you wish to authenticate the RA VPN users across the L2L tunnel.

Topology is something like this:

RA VPN users -- ASA -- Main office device -- RADIUS server (Win 2k3).

Please correct if above is wrong.

Please include the traffic from the pool to the RADIUS server and the reverse as part of the interesting traffic (crypto ACL) and NAT exemption. That should resolve the problem.

Please let me know if this helps!

Regards,

Anisha

Hi,

Topology is correct :-)

If I authenticate a user with the LOCAL user database, the user can access the ASA5505 network AND our main office. No problems there either. Just the RADIUS traffic I have problems with :-)

Best regards

Carsten

Hi,

Is the "test aaa-server authentication <server-tag> host x.x.x.x username <user> password <pass>" command working from the ASA?

If yes, then you need to define the traffic in the crypto ACL, i.e. the pool IP addresses to the RADIUS server and the reverse on the other end of the tunnel.

Please ensure you have a NAT exemption for the same.

Let me know how it goes.

Regards,

Anisha
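To make the crypto ACL / NAT exemption advice concrete, here is an added example (not from the thread, not Cisco code) that models how the ASA evaluates "interesting traffic": a small parser for "access-list NAME extended permit ip ..." lines and a first-match evaluator run over three RADIUS flows. The inside interface 172.16.7.1 and RADIUS server 172.20.12.9 are the thread's addresses; the main-office subnet 172.20.12.0/24, the VPN pool 192.168.50.0/24, the outside address 203.0.113.10 and the ACL names are assumptions. The point it makes: AAA requests the ASA sends itself are sourced from the interface named in the aaa-server definition, so with "(inside)" plus "management-access inside" the inside interface IP must fall inside the crypto ACL, while a flow sourced from the outside interface IP never matches and leaves in the clear; traffic from the RA VPN pool needs its own entries.

```python
"""Model of ASA crypto-ACL / NAT-exemption evaluation for RADIUS flows.

Added example, not code from the thread or from Cisco. Config lines are
constructed; see the lead-in for which addresses are assumptions.
"""
import ipaddress

# Constructed config: the L2L already carries inside <-> main office
# (the thread says the L2L works), but the RA VPN pool is not included.
BASE_CONFIG = [
    "access-list L2L-TRAFFIC extended permit ip 172.16.7.0 255.255.255.0 172.20.12.0 255.255.255.0",
    "access-list NAT0-INSIDE extended permit ip 172.16.7.0 255.255.255.0 172.20.12.0 255.255.255.0",
]

# Constructed fix: add pool -> main office to both the crypto ACL and NAT exemption.
FIXED_CONFIG = BASE_CONFIG + [
    "access-list L2L-TRAFFIC extended permit ip 192.168.50.0 255.255.255.0 172.20.12.0 255.255.255.0",
    "access-list NAT0-INSIDE extended permit ip 192.168.50.0 255.255.255.0 172.20.12.0 255.255.255.0",
]

RADIUS_SERVER = "172.20.12.9"          # from the thread
FLOWS = {
    "asa-inside-ip": "172.16.7.1",     # aaa-server ... (inside): ASA sources from its inside IP
    "vpn-pool-client": "192.168.50.5", # assumed RA VPN pool address
    "asa-outside-ip": "203.0.113.10",  # assumed public IP: aaa-server ... (outside)
}


def _parse_addr(tokens, i):
    """Parse one ASA address spec (any | host X | X MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny ip SRC DST' into a tuple."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended" or t[4] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _parse_addr(t, 5)
    dst, _ = _parse_addr(t, i)
    return t[1], t[3], src, dst


def first_match(aces, src_ip, dst_ip):
    """ASA ACLs are evaluated top-down, first match wins; no match means deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _, action, src, dst in aces:
        if s in src and d in dst:
            return action == "permit"
    return False


def flow_status(config_lines, src_ip, dst_ip, crypto_acl="L2L-TRAFFIC", nat_acl="NAT0-INSIDE"):
    """A flow is tunneled only if it is interesting traffic AND exempt from NAT."""
    aces = [parse_ace(line) for line in config_lines]
    interesting = first_match([a for a in aces if a[0] == crypto_acl], src_ip, dst_ip)
    exempt = first_match([a for a in aces if a[0] == nat_acl], src_ip, dst_ip)
    return {"interesting": interesting, "nat_exempt": exempt, "tunneled": interesting and exempt}


def check_radius_flows(config_lines):
    """Return {flow name: tunneled?} for each RADIUS-bound flow against the config."""
    return {name: flow_status(config_lines, ip, RADIUS_SERVER)["tunneled"]
            for name, ip in FLOWS.items()}


if __name__ == "__main__":
    for label, cfg in (("base", BASE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_radius_flows(cfg))
```

Run it and the base config shows only the ASA's inside-sourced flow reaching the RADIUS server through the tunnel; the fixed config also covers the pool, and the outside-sourced flow stays untunneled in both, which is what the later home-ASA test in this thread (aaa-server on the outside interface) would do.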

When using this line:

test aaa-server authentication partnerauth host 172.20.12.9 username Administrator password xxx

I get this:

INFO: Attempting Authentication test to IP address (timeout: 12 seconds)
ERROR: Authentication Server not responding: No error

From the host 172.20.12.9 (the RADIUS server) I can ping the ASA's inside interface (172.16.7.1).

Best regards

Carsten

Please enable the following debugs:

1. debug aaa authentication

2. debug radius all

3. term mon

Try the test command and please paste the debug output.

Regards,

Anisha

Carsten,

How is your aaa-server setup defined? Is it showing something like "aaa-server .... (inside)" or "(outside)"? Can you re-enter the setup making sure the interface is defined as inside? Management access allows the management traffic to be sourced from the inside interface; however, if your setup is not defined as inside it might not work.

Ivan,

I've tested the aaa-server with the inside and the outside interface. Management is set to the inside interface. Same result - no response.

Anisha,

I will test tomorrow and let you know.

I've just set up a new ASA5505 at home and tested RADIUS against our main office - no response :-) The aaa-server is set to the outside interface and I'm trying to connect to our main office WAN IP... UDP ports 1645 and 1646 are forwarded at the main office... This should work too?

Thanks for your help so far :-)

Your RADIUS server must have a client IP address definition. Is this IP address the public IP address of the remote ASA devices? As for your port forwarding, well yeah, you must allow 1645 for authentication and must have a static NAT entry or static port forward entry along with the proper ACLs in place.
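The "client IP address definition" point above is easy to see in the protocol itself, so here is an added example (not from the thread, not Cisco or Microsoft code) that builds a RADIUS Access-Request with a PAP User-Password (RFC 2865 section 5.2), runs it through a minimal server with a NAS client table, and verifies the Response Authenticator on the client side. The server follows RFC 2865 section 5 and silently discards requests from a source address it has no client entry for, which on the NAS looks exactly like "Authentication Server not responding" rather than a reject; a registered client with the wrong shared secret instead gets a reply whose authenticator fails to verify. The NAS address 172.16.7.1 is from the thread; the shared secrets, user, password and the unregistered address 203.0.113.10 are constructed.

```python
"""RADIUS PAP exchange with a NAS client table (RFC 2865), added example.

Not code from the thread, Cisco or Microsoft. Secrets and credentials are
constructed; the 'users' table stands in for the Windows 2003 server's
account check.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4

# Constructed tables: which NAS addresses the server trusts, and one user.
CLIENTS = {"172.16.7.1": b"s3cret"}        # RADIUS client entry for the ASA's inside IP
USERS = {b"Administrator": b"pass123"}


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous)."""
    n = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * n, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; the chain uses the *cipher* block as the next input."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def _attr(attr_type, value):
    return struct.pack("BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_ip):
    """Code(1) | Identifier | Length | 16-byte random Request Authenticator | attributes."""
    authenticator = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def radius_server(packet, src_ip, clients, users):
    """Return a response packet, or None when the request is silently discarded."""
    secret = clients.get(src_ip)
    if secret is None:
        return None  # RFC 2865 5: no client entry for this source -> discard, no reply
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    resp_code = ACCESS_ACCEPT if users.get(attrs.get(ATTR_USER_NAME)) == password else ACCESS_REJECT
    header = struct.pack("!BBH", resp_code, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(response, request, secret):
    """NAS-side check that the reply was produced with the same shared secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def authenticate(nas_ip, username, password, nas_secret, clients=CLIENTS, users=USERS):
    """One NAS -> server -> NAS round trip: 'accept', 'reject', 'timeout' or 'bad-authenticator'."""
    request = build_access_request(7, username, password, nas_secret, nas_ip)
    response = radius_server(request, nas_ip, clients, users)
    if response is None:
        return "timeout"           # what the ASA reports as 'server not responding'
    if not verify_response(response, request, nas_secret):
        return "bad-authenticator"  # a real NAS drops such a reply and also times out
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    print(authenticate("172.16.7.1", b"Administrator", b"pass123", b"s3cret"))   # accept
    print(authenticate("203.0.113.10", b"Administrator", b"pass123", b"s3cret")) # timeout
```

The two failure shapes are the diagnostic takeaway: a silent timeout points at the server's client list or at the path (the request never matched a client entry, or never arrived), whereas an Access-Reject or an authenticator mismatch proves the packet reached a server that knows the NAS, and the problem is the credential or the secret.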

I have no idea why - but now it works...

Had just entered your debug commands and tested AAA authentication again... Then it just replied "Authentication successful"..

Maybe the Windows server was rebooted or something..

I ended up using "inside" interface and the L2L tunnel for authentication.

Anyway - thanks a lot for all your help :-)
