Integrating ASA firewall with SecurEnvoy Radius server for authentication

vipulagrawal
Level 1

Hi guys,

Need serious help.

In one of the customer solutions I am trying to integrate the SecurEnvoy RADIUS server with an ASA firewall, but am not able to.

The SecurEnvoy server is listening on port 1812 and working fine for other RADIUS clients, except this ASA firewall.

Below is the RADIUS-specific config on the ASA firewall:

aaa-server SecureEnvoy-AAA protocol radius
reactivation-mode depletion deadtime 1
max-failed-attempts 4
aaa-server SecureEnvoy-AAA (nac-untrusted) host 172.20.236.1
key *****
authentication-port 1812
no mschapv2-capable

There is a Nokia firewall in between, where the RADIUS port is open for this traffic, and below is the tcpdump output on it:

13:31:09.288790  vlan 2200, p 0, IP 172.20.230.1.blackjack > 172.20.236.1.radius: RADIUS,  Access Request (1), id: 0x2c length: 180
13:31:09.288822   I vlan 2201, p 0, IP 172.20.230.1.blackjack > 172.20.236.1.radius: RADIUS,  Access Request (1), id: 0x2c length: 180
13:31:09.289241   I vlan 2300, p 0, IP 172.20.236.1 > 172.20.230.1: ICMP 172.20.236.1 udp port  radius unreachable, length 216
13:31:09.289297   O vlan 2200, p 0, IP 172.20.236.1 > 172.20.230.1: ICMP 172.20.236.1 udp port  radius unreachable, length 216

Below is the "debug radius" output on my SSL ASA firewall:

vrd-swi-ssl-asa-01# radius mkreq: 0x8000004d
alloc_rip 0x73aa3cd0
    new request 0x8000004d --> 27 (0x73aa3cd0)
got user 'sstest'
got password
add_req 0x73aa3cd0 session 0x8000004d id 27
RADIUS_REQUEST
radius.c: rad_mkpkt
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 64).....
01 1b 00 40 43 c0 f9 3e 9f ec b5 4a bb d8 31 16    |  ...@C..>...J..1.
97 84 6d a2 01 08 73 73 74 65 73 74 02 12 33 a2    |  ..m...sstest..3.
ac a5 9c 49 3a 33 bc 0b 91 1b 6e 13 1c 18 04 06    |  ...I:3....n.....
ac 14 e6 01 05 06 00 00 00 34 3d 06 00 00 00 05    |  .........4=.....
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 27 (0x1B)
Radius: Length = 64 (0x0040)
Radius: Vector: 43C0F93E9FECB54ABBD8311697846DA2
Radius: Type = 1 (0x01) User-Name
Radius: Length = 8 (0x08)
Radius: Value (String) =
73 73 74 65 73 74                                  |  sstest
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
33 a2 ac a5 9c 49 3a 33 bc 0b 91 1b 6e 13 1c 18    |  3....I:3....n...
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 172.20.230.1 (0xAC14E601)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x34
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 172.20.236.1/1812
fail request 0x8000004d (172.20.236.1 failed)
RADIUS_DELETE
remove_req 0x73aa3cd0 session 0x8000004d id 27
free_rip 0x73aa3cd0
radius: send queue empty

I am attaching the SecurEnvoy-side RADIUS configuration screenshot for reference.
Any clue, guys?
Regards,
Vipul
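Added example, not from the post above and not Cisco or SecurEnvoy code: a small Python decoder that parses the 64 raw Access-Request bytes from the "debug radius" output into the same fields the ASA prints (code, identifier, Request Authenticator, User-Name, User-Password, NAS-IP-Address, NAS-Port, NAS-Port-Type), and implements the RFC 2865 section 5.2 User-Password hiding so you can see that the 16-byte User-Password value on the wire is protected only by the shared secret and the per-request authenticator. The shared secret and password used in the round trip are constructed values; the ASA's real key is not on the page.

```python
import hashlib
import struct

# The 64 raw bytes copied from the "Raw packet data" section of the debug output above.
RAW = bytes.fromhex(
    "011b004043c0f93e9fecb54abbd83116"
    "97846da20108737374657374021233a2"
    "aca59c493a33bc0b911b6e131c180406"
    "ac14e6010506000000343d0600000005"
)
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 61: "NAS-Port-Type"}

def parse_radius(pkt: bytes) -> dict:
    """Parse the RADIUS header and TLV attributes; reject malformed length fields."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"Length field {length} != {len(pkt)} bytes on the wire")
    out = {"code": code, "id": ident, "authenticator": pkt[4:20], "attrs": {}}
    pos = 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        atype, alen = pkt[pos], pkt[pos + 1]
        value = pkt[pos + 2:pos + alen]
        if atype == 1:                      # User-Name is text
            value = value.decode("ascii")
        elif atype == 4:                    # NAS-IP-Address is 4 octets
            value = ".".join(str(b) for b in value)
        elif atype in (5, 61):              # NAS-Port / NAS-Port-Type are integers
            value = int.from_bytes(value, "big")
        out["attrs"][ATTR_NAMES.get(atype, f"Attr-{atype}")] = value
        pos += alen
    return out

def xor_password(data: bytes, secret: bytes, authenticator: bytes, hide: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with MD5(secret + previous block)."""
    padded = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += block
        prev = block if hide else padded[i:i + 16]   # always chain on the hidden (wire) block
    return out if hide else out.rstrip(b"\x00")

if __name__ == "__main__":
    print(parse_radius(RAW))
```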