07-03-2008 07:31 AM - edited 03-10-2019 03:57 PM
Dears, I had configured my AS5400:
aaa authentication login default local group radius
aaa authentication login h323 group radius
aaa authentication ppp h323 group radius
aaa authorization exec h323 group radius
aaa authorization network h323 group radius
aaa accounting network h323 start-stop group radius
aaa accounting connection h323 start-stop group radius
radius-server attribute 6 on-for-login-auth
radius-server host 55.55.55.15 auth-port 1812 acct-port 1813
radius-server timeout 50
radius-server deadtime 1
radius-server key xxx
radius-server vsa send accounting
radius-server vsa send authentication
but I have received port 1645 as follows:
*Jan 9 21:50:07.194: RADIUS(000C39C6): Send Accounting-Request to 55.55.55.21:1813 id 1646/187, len 1020
*Jan 9 21:50:07.222: RADIUS: Received from id 1646/187 55.55.55.21:1813, Accounting-response, len 20
*Jan 9 21:50:09.694: RADIUS/ENCODE: Best Local IP-Address 55.55.55.49 for Radius-Server 55.55.55.21
*Jan 9 21:50:09.694: RADIUS(000C36E8): Send Accounting-Request to 55.55.55.21:1813 id 1646/192, len 1123
*Jan 9 21:50:18.774: RADIUS(000C3A7E): Send Accounting-Request to 55.55.55.21:1813 id 1646/209, len 705
Why did port 1646 appear here? I didn't configure 1646 in my configuration.
Does this come from the RADIUS server? What I mean is, is this port (1646) configured at the RADIUS server?
Thank you ...
07-04-2008 01:57 PM
It would have been helpful if you had identified the device with address 55.55.55.21, as this is not the address of the RADIUS server shown in your configuration snip.
It appears that your ASA is using a "UDP source port of 1646" when it sends packets to what I assume is another RADIUS server (55.55.55.21).
UDP port 1646 was used for accounting prior to the assignment of 1813. Some of our Catalyst switches use UDP source port 1646 also.
07-06-2008 04:04 AM
OK, is this normal, or is it an error in the configuration of the AS5400 device?
But my RADIUS server is configured with port 1813, not 1646.
What is your suggestion for my AS5400 configuration to send AAA packets with only port 1813?
BR,
07-06-2008 06:08 AM
If the device with address 55.55.55.21 is a RADIUS server (still unconfirmed), and if my interpretation of the log messages is correct (i.e.: ASA using UDP source port 1646, and destination port 1813), there is no issue to be concerned with.
As you've stated, your RADIUS server is configured to "listen" on port 1813. Your ASA is sending packets to port 1813 on the RADIUS server, not port 1646.
Each device has an open port. The ASA has port 1646 open, and the RADIUS server has port 1813 open.
Packets sent from the ASA to the RADIUS server have a source port of 1646 and a destination port of 1813.
Packets sent from the RADIUS server to the ASA have a source port of 1813 and a destination port of 1646, because the ASA is listening on port 1646.
It isn't very relevant which port the ASA listens on for the AAA Accounting exchanges.
If you use a sniffer to capture an exchange you will determine very quickly whether the log entries have been interpreted correctly.
I don't believe packets are being sent to both ports on the RADIUS server, and I don't believe you have an ASA configuration error.
07-07-2008 03:23 AM
Yes, exactly: 55.55.55.21 is the RADIUS server and 55.55.55.49 is my AS5400.
I have a FW located between them and I used these ACL lists:
access-list 100 extended permit tcp any host 55.55.55.21 eq 1812
access-list 100 extended permit tcp any host 55.55.55.21 eq 1813
access-list 100 extended permit tcp any host 55.55.55.21 eq 1645
access-list 100 extended permit tcp any host 55.55.55.21 eq 1646
Is there any other command that should be used?
Thank you.
07-07-2008 12:49 PM
If you examine your ACL Access Control Entries do you see "matches" on the first two:
access-list 100 extended permit tcp any host 55.55.55.21 eq 1812
access-list 100 extended permit tcp any host 55.55.55.21 eq 1813
... and NOT on the second two:
access-list 100 extended permit tcp any host 55.55.55.21 eq 1645
access-list 100 extended permit tcp any host 55.55.55.21 eq 1646
... if so, the AS5400 is not sending packets to "destination" ports 1645 or 1646 on the RADIUS server.
07-08-2008 06:19 AM
Dear, this is the output:
TARASA-02# sh access-list | include 1646
access-list 100 line 88 extended permit tcp any host 55.55.55.21 eq 1646 (hitcnt=0) 0xb9e532a6
access-list 101 line 44 extended permit tcp host 55.55.55.21 any eq 1646 (hitcnt=0) 0x4599a6ce
TARASA-02# sh access-list | include 1813
access-list 100 line 80 extended permit udp any host 55.55.55.21 eq 1813 (hitcnt=0) 0x68f2332e
access-list 100 line 86 extended permit tcp any host 55.55.55.21 eq 1813 (hitcnt=0) 0xdfdcbee0
access-list 101 line 34 extended permit udp host 55.55.55.21 any eq 1813 (hitcnt=0) 0xc4ebdbc9
access-list 101 line 42 extended permit tcp host 55.55.55.21 any eq 1813 (hitcnt=0) 0x23741a92
TARASA-02# sh access-list | include 1812
access-list 100 line 79 extended permit udp any host 55.55.55.21 eq 1812 (hitcnt=0) 0x434c493f
access-list 100 line 85 extended permit tcp any host 55.55.55.21 eq 1812 (hitcnt=0) 0x1eaca25d
access-list 101 line 33 extended permit udp host 55.55.55.21 any eq 1812 (hitcnt=0) 0x1b49f068
access-list 101 line 41 extended permit tcp host 55.55.55.21 any eq 1812 (hitcnt=0) 0x20268376
TARASA-02# sh access-list | include 1645
access-list 100 line 87 extended permit tcp any host 55.55.55.21 eq 1645 (hitcnt=0) 0xa53ef213
access-list 101 line 43 extended permit tcp host 55.55.55.21 any eq 1645 (hitcnt=0) 0xb52e86b8
Do these mean there is an error in the configuration or in the RADIUS packets from the AS5400?
BR,
07-08-2008 08:06 AM
RADIUS uses UDP, and not TCP.
You have erroneously specified TCP in many of your Access Control Entries, and you have specified destination ports 1645 and 1646 on the RADIUS server which I do not believe is necessary.
Assuming you have performed some action that would have resulted in an AAA operation since the counters were last reset, I would expect the hit counts for the following two ACEs to be non-zero:
access-list 100 line 79 extended permit udp any host 55.55.55.21 eq 1812 (hitcnt=0) 0x434c493f
access-list 100 line 80 extended permit udp any host 55.55.55.21 eq 1813 (hitcnt=0) 0x68f2332e
... the fact that they are zero "may" suggest that the ACEs are applied on the wrong interface, or in the wrong direction, or a more permissive ACE is being matched.
The following two ACEs can be deleted because they specify TCP, and UDP versions of these are in effect above:
access-list 100 line 85 extended permit tcp any host 55.55.55.21 eq 1812 (hitcnt=0) 0x1eaca25d
access-list 100 line 86 extended permit tcp any host 55.55.55.21 eq 1813 (hitcnt=0) 0xdfdcbee0
The following two ACEs can be deleted because they specify TCP, and I don't believe you need to create UDP versions of them because I don't believe your ASA is sending packets to these ports on the RADIUS server:
access-list 100 line 87 extended permit tcp any host 55.55.55.21 eq 1645 (hitcnt=0) 0xa53ef213
access-list 100 line 88 extended permit tcp any host 55.55.55.21 eq 1646 (hitcnt=0) 0xb9e532a6
You "may" need to retain the following two ACEs "if" you have other AAA Clients using local UDP ports 1812 and 1813 (I think your ASA is listening on 1645 and 1646):
access-list 101 line 33 extended permit udp host 55.55.55.21 any eq 1812 (hitcnt=0) 0x1b49f068
access-list 101 line 34 extended permit udp host 55.55.55.21 any eq 1813 (hitcnt=0) 0xc4ebdbc9
The following two ACEs can be deleted because they specify TCP, and UDP versions of these are in effect above:
access-list 101 line 41 extended permit tcp host 55.55.55.21 any eq 1812 (hitcnt=0) 0x20268376
access-list 101 line 42 extended permit tcp host 55.55.55.21 any eq 1813 (hitcnt=0) 0x23741a92
The following two ACEs need to be amended (UDP, not TCP), to support return traffic to the ASA which I believe is listening on UDP ports 1645 and 1646:
access-list 101 line 43 extended permit tcp host 55.55.55.21 any eq 1645 (hitcnt=0) 0xb52e86b8
access-list 101 line 44 extended permit tcp host 55.55.55.21 any eq 1646 (hitcnt=0) 0x4599a6ce
The messages in your original post suggest that accounting is working (you haven't suggested otherwise), despite the fact that none of the ACEs provided show any hits. I don't know if you have a more permissive ACE that is being matched or if you reset the counters prior to pasting the ACEs in your most recent post.
I still think you should use a sniffer to verify that the ASA is using ports 1645 and 1646 locally to communicate with ports 1812 and 1813 on the RADIUS server. Then review your ACLs to ensure that your ACEs are constructed accordingly, and that your ACLs are applied in the correct direction, on the correct interfaces. The hit counters are an easy means of verification.
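As an added example (not from the thread or from either poster), a small Python script that applies the checks from this answer to constructed copies of the debug and show access-list lines above: it reads the debug "id 1646/187" field as local port/identifier, as the answer does, flags TCP ACEs on RADIUS ports as rules that can never match, and confirms that each outbound send is covered by a UDP permit. It assumes the "permit <proto> any host <ip> eq <port>" ACE form only.

```python
import re

# Constructed sample input modelled on the thread's "debug radius" and
# "show access-list" output (not the poster's full output).
DEBUG_LINES = [
    "*Jan 9 21:50:07.194: RADIUS(000C39C6): Send Accounting-Request to 55.55.55.21:1813 id 1646/187, len 1020",
    "*Jan 9 21:50:09.694: RADIUS(000C36E8): Send Accounting-Request to 55.55.55.21:1813 id 1646/192, len 1123",
]
ACL_LINES = [
    "access-list 100 line 80 extended permit udp any host 55.55.55.21 eq 1813 (hitcnt=0) 0x68f2332e",
    "access-list 100 line 86 extended permit tcp any host 55.55.55.21 eq 1813 (hitcnt=0) 0xdfdcbee0",
    "access-list 100 line 88 extended permit tcp any host 55.55.55.21 eq 1646 (hitcnt=0) 0xb9e532a6",
]

# "id 1646/187" is read, as in the thread, as local UDP port / RADIUS identifier.
SEND_RE = re.compile(r"RADIUS\(\w+\): Send (\S+) to (\d+(?:\.\d+){3}):(\d+) id (\d+)/(\d+)")
# Assumption: only the inbound "any host <ip> eq <port>" ACE form is parsed.
ACE_RE = re.compile(
    r"access-list (\S+) line (\d+) extended permit (tcp|udp) (\S+) host (\S+) eq (\d+) \(hitcnt=(\d+)\)")
RADIUS_PORTS = {1645, 1646, 1812, 1813}

def parse_send(line):
    m = SEND_RE.search(line)
    if not m:
        return None
    kind, dst_ip, dst_port, src_port, ident = m.groups()
    return {"type": kind, "dst_ip": dst_ip, "dst_port": int(dst_port),
            "src_port": int(src_port), "ident": int(ident)}

def parse_ace(line):
    m = ACE_RE.search(line)
    if not m:
        return None
    acl, num, proto, src, dst, port, hits = m.groups()
    return {"acl": acl, "line": int(num), "proto": proto, "src": src,
            "dst": dst, "port": int(port), "hits": int(hits)}

def audit(debug_lines, acl_lines):
    """Findings: TCP ACEs on RADIUS ports, and sends with no matching UDP permit."""
    sends = [s for s in map(parse_send, debug_lines) if s]
    aces = [a for a in map(parse_ace, acl_lines) if a]
    findings = []
    for a in aces:
        if a["proto"] == "tcp" and a["port"] in RADIUS_PORTS:
            findings.append(f"{a['acl']} line {a['line']}: tcp/{a['port']} never matches RADIUS (UDP)")
    for s in sends:
        permitted = any(a["proto"] == "udp" and a["dst"] == s["dst_ip"] and a["port"] == s["dst_port"]
                        for a in aces)
        if not permitted:
            findings.append(f"no UDP permit for {s['type']} to {s['dst_ip']}:{s['dst_port']}")
    return findings
```

Run `audit(DEBUG_LINES, ACL_LINES)` after pasting real output in place of the constructed lines; the two TCP ACEs are reported and both accounting sends are covered by the UDP permit on line 80.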