Hi guys,
I need some serious help.
In one customer solution I am trying to integrate a SecurEnvoy RADIUS server with an ASA firewall, but I am not able to.
The SecurEnvoy server is listening on port 1812 and working fine for other RADIUS clients, except for this ASA firewall.
Below is the RADIUS-specific config on the ASA firewall:
aaa-server SecureEnvoy-AAA protocol radius
reactivation-mode depletion deadtime 1
max-failed-attempts 4
aaa-server SecureEnvoy-AAA (nac-untrusted) host 172.20.236.1
key *****
authentication-port 1812
no mschapv2-capable
There is a Nokia firewall in between, where the RADIUS port is open for this traffic; below is the tcpdump output on it:
13:31:09.288790 vlan 2200, p 0, IP 172.20.230.1.blackjack > 172.20.236.1.radius: RADIUS, Access Request (1), id: 0x2c length: 180
13:31:09.288822 I vlan 2201, p 0, IP 172.20.230.1.blackjack > 172.20.236.1.radius: RADIUS, Access Request (1), id: 0x2c length: 180
13:31:09.289241 I vlan 2300, p 0, IP 172.20.236.1 > 172.20.230.1: ICMP 172.20.236.1 udp port radius unreachable, length 216
13:31:09.289297 O vlan 2200, p 0, IP 172.20.236.1 > 172.20.230.1: ICMP 172.20.236.1 udp port radius unreachable, length 216
Below is the "debug radius" output on my SSL ASA firewall:
vrd-swi-ssl-asa-01# radius mkreq: 0x8000004d
alloc_rip 0x73aa3cd0
new request 0x8000004d --> 27 (0x73aa3cd0)
got user 'sstest'
got password
add_req 0x73aa3cd0 session 0x8000004d id 27
RADIUS_REQUEST
radius.c: rad_mkpkt
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 64).....
01 1b 00 40 43 c0 f9 3e 9f ec b5 4a bb d8 31 16 | ...@C..>...J..1.
97 84 6d a2 01 08 73 73 74 65 73 74 02 12 33 a2 | ..m...sstest..3.
ac a5 9c 49 3a 33 bc 0b 91 1b 6e 13 1c 18 04 06 | ...I:3....n.....
ac 14 e6 01 05 06 00 00 00 34 3d 06 00 00 00 05 | .........4=.....
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 27 (0x1B)
Radius: Length = 64 (0x0040)
Radius: Vector: 43C0F93E9FECB54ABBD8311697846DA2
Radius: Type = 1 (0x01) User-Name
Radius: Length = 8 (0x08)
Radius: Value (String) =
73 73 74 65 73 74 | sstest
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
33 a2 ac a5 9c 49 3a 33 bc 0b 91 1b 6e 13 1c 18 | 3....I:3....n...
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 172.20.230.1 (0xAC14E601)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x34
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 172.20.236.1/1812
fail request 0x8000004d (172.20.236.1 failed)
RADIUS_DELETE
remove_req 0x73aa3cd0 session 0x8000004d id 27
free_rip 0x73aa3cd0
radius: send queue empty
I am attaching a screenshot of the SecurEnvoy-side RADIUS configuration for reference.
Any clue, guys?
Regards,
Vipul
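As an added example (editor's code, not part of Vipul's post and not Cisco or SecurEnvoy tooling): a small Python parser that reads the 64-byte Access-Request from the "debug radius" dump above, checks every length field the way a RADIUS server does before touching an attribute, and decodes User-Name, NAS-IP-Address, NAS-Port and NAS-Port-Type. Because the shared secret is masked in the post, the captured User-Password bytes cannot be unmasked here; instead the block shows the RFC 2865 User-Password hiding round trip with a constructed secret (`example-secret`) and password (`sstest-pw`), both assumptions of this example.

```python
import hashlib
import ipaddress
import struct

# The 64-byte Access-Request exactly as it appears in the ASA "debug radius"
# dump above (hex columns only, ASCII column dropped).
ASA_DEBUG_HEX = """
01 1b 00 40 43 c0 f9 3e 9f ec b5 4a bb d8 31 16
97 84 6d a2 01 08 73 73 74 65 73 74 02 12 33 a2
ac a5 9c 49 3a 33 bc 0b 91 1b 6e 13 1c 18 04 06
ac 14 e6 01 05 06 00 00 00 34 3d 06 00 00 00 05
"""

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         11: "Access-Challenge"}
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, NAS_PORT_TYPE = 1, 2, 4, 5, 61


def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet (RFC 2865) into header fields and raw TLV attributes.

    Every length is checked against the bytes actually present, which is the
    check a server performs before it looks at any attribute.
    """
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"Length field {length} != {len(packet)} bytes on the wire")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "type": CODES.get(code, "Unknown"), "identifier": ident,
            "authenticator": packet[4:20], "attributes": attrs}


def is_well_formed(packet: bytes) -> bool:
    """True if parse_radius accepts the packet, False on any length error."""
    try:
        parse_radius(packet)
        return True
    except ValueError:
        return False


def summarize(packet: bytes) -> dict:
    """Decode the attributes present in the ASA dump into readable values."""
    pkt = parse_radius(packet)
    out = {"type": pkt["type"], "identifier": pkt["identifier"],
           "authenticator": pkt["authenticator"].hex()}
    for atype, value in pkt["attributes"]:
        if atype == USER_NAME:
            out["user_name"] = value.decode("utf-8", "replace")
        elif atype == USER_PASSWORD:
            out["user_password_hidden"] = value.hex()  # still masked, see below
        elif atype == NAS_IP_ADDRESS and len(value) == 4:
            out["nas_ip"] = str(ipaddress.IPv4Address(value))
        elif atype in (NAS_PORT, NAS_PORT_TYPE) and len(value) == 4:
            key = "nas_port" if atype == NAS_PORT else "nas_port_type"
            out[key] = struct.unpack("!I", value)[0]
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR the null-padded password with an MD5 keystream."""
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(16 * blocks, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += chunk
        prev = chunk  # each block is chained on the previous ciphertext block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; only a holder of the same shared secret can run it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


if __name__ == "__main__":
    summary = summarize(bytes.fromhex(ASA_DEBUG_HEX))
    print(summary)
    # The real shared secret is masked in the post, so the round trip below uses
    # a constructed secret and password rather than the captured password bytes.
    auth = bytes.fromhex(summary["authenticator"])
    hidden = hide_password(b"sstest-pw", b"example-secret", auth)
    assert reveal_password(hidden, b"example-secret", auth) == b"sstest-pw"
    print("User-Password round trip OK:", hidden.hex())
```

Running it confirms the ASA is sending a structurally valid Access-Request (identifier 27, user `sstest`, NAS-IP-Address 172.20.230.1, NAS-Port 52, NAS-Port-Type 5) to port 1812. Two points worth keeping in mind when reading the captures: the User-Password attribute is masked with an MD5(secret || authenticator) keystream, so a mismatched shared secret shows up only as a failed login on the server, never as a transport error; an ICMP "udp port unreachable" (type 3, code 3), by contrast, is emitted by the IP stack of the host that received the datagram when no socket is bound to that port and address, before any RADIUS parsing takes place.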