Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1116
Views
0
Helpful
4
Replies

ASA 5510, RADIUS Authentication routing problem

simonmoss
Level 1
Level 1

‎11-26-2007 04:27 AM - edited ‎03-10-2019 03:32 PM

Hi,

I have an ASA 5510 that I'm trying to configure RADIUS authentication for remote access users.

The RADIUS server is accessible over a lan2lan VPN on the outside interface. The IPSec tunnel protects data between the inside lan and the remote host RADIUS server and this has been tested OK from behind the ASA device so I'm happy the tunnel is working and the radius server is responding to Authentication requests.

The problem I have is when I test AAA authentication from the ASA device itself. In the AAA server config the RAIUS server is configured on the inside interface (192.168.32.57) but when I run the basic test, either from command line or from within ASDM I always get the same error in the logs.

"No route to RSAServer(10.97.24.24) from 192.168.32.57"

I have attached a cut down config that I have been testing with to demonstrate the problem. I sense this must be a really basic problem but I've tried many things including putting a static route for the RSAServer to no effect.

Any help would be greatly appreciated. Many thanks for your time.

Simon

Labels:
Preview file
4 KB
0 Helpful
4 Replies 4

simonmoss
Level 1
Level 1

‎11-27-2007 04:24 AM

I have found a fix for the above. All that is required is the following command:

management-access inside

which seems to allow VPN traffic to hit the designated interface

0 Helpful

Linxin qian
Level 1
Level 1
In response to simonmoss

‎11-27-2007 01:38 PM

I have similar issue.

Even management-access inside is configured, but if I assign authentication server outside, it still uses outside ip address for authentication. I wonder whether there is a command like Cisco router,"ip tacacs source-interface inside".

Please clarify. Thanks

0 Helpful

simonmoss
Level 1
Level 1
In response to Linxin qian

‎11-28-2007 02:46 AM

when configuring the aaa-server try the following:

aaa-server (inside) host

which allows you to specifiy the source interface.

0 Helpful

Linxin qian
Level 1
Level 1
In response to simonmoss

‎11-28-2007 07:36 AM

Thanks for update!

As long as it is configure for inside, ASA will use inside ip for authentication request, it will send authentication request to inside subnet. Now we went back to original post: route fail, since the authentication server, whatever it is Tacacs or radius, actually is outside. Then the packet is dropped.

That is what I got so far.

0 Helpful
Customers Also Viewed These Support Documents