10-25-2019 11:06 PM - edited 10-25-2019 11:07 PM
I am trying to authenticate SSH connections via RADIUS, but I cannot get my ASA to connect to the RADIUS server (AD DC w/ NPS) despite the fact that the server is local to the inside interface. The ASA IP is 10.10.10.1 and the RADIUS server IP is 10.10.10.100. Using packet-trace (at bottom), I see that it is implicitly denying this connection, and I can't figure out why for the life of me, but I can ping it successfully. Please help!
asa01# sh run
: Saved
:
: Serial Number: ***
: Hardware: ASA5506W, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.9(2)
!
hostname asa01
domain-name xeroday.net
enable password ***
fips enable
names
!
interface GigabitEthernet1/1
 description To Internet
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 description To LAN
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet1/3
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet1/4
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet1/5
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet1/6
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet1/7
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet1/8
 no nameif
 security-level 50
 no ip address
!
interface GigabitEthernet1/9
 description To WLAN Module
 nameif wifi
 security-level 100
 ip address 10.10.100.1 255.255.255.0
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name ***
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network EXCH_HTTP
 host 10.10.10.25
object network EXCH_HTTPS
 host 10.10.10.25
object network EXCH_SMTP
 host 10.10.10.25
object network EXCH_IMAP
 host 10.10.10.25
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network RAD_AUTH
 host 10.10.10.100
object network RAD_ACCT
 host 10.10.10.100
object-group protocol INLINE
 protocol-object ip
access-list outside_access_in extended permit tcp any object EXCH_HTTP eq www
access-list outside_access_in extended permit tcp any object EXCH_HTTPS eq https
access-list outside_access_in extended permit tcp any object EXCH_SMTP eq smtp
access-list outside_access_in extended permit tcp any object EXCH_IMAP eq imap4
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu wifi 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network EXCH_HTTP
 nat (inside,outside) static interface service tcp www www
object network EXCH_HTTPS
 nat (inside,outside) static interface service tcp https https
object network EXCH_SMTP
 nat (inside,outside) static interface service tcp smtp smtp
object network EXCH_IMAP
 nat (inside,outside) static interface service tcp imap4 imap4
object network obj_any
 nat (inside,outside) dynamic interface
/// I've tried with and without this and still no success
object network RAD_AUTH
 nat (inside,inside) static interface service udp 1812 1812
object network RAD_ACCT
 nat (inside,inside) static interface service udp 1813 1813
///
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server RAD_SERVERS protocol radius
aaa-server RAD_SERVERS (inside) host 10.10.10.100
 key *****
 authentication-port 1812
 accounting-port 1813
 radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console RAD_SERVERS LOCAL
aaa authentication ssh console RAD_SERVERS LOCAL
aaa authentication http console RAD_SERVERS LOCAL
aaa accounting enable console RAD_SERVERS
aaa accounting ssh console RAD_SERVERS
aaa authorization http console RAD_SERVERS
aaa authentication login-history
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
ssh cipher encryption high
ssh cipher integrity high
ssh key-exchange group dh-group14-sha1
console timeout 0
dhcprelay server 10.10.10.100 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl server-version tlsv1.1
ssl client-version tlsv1.1
ssl cipher default high
ssl cipher tlsv1 fips
ssl cipher tlsv1.1 fips
ssl cipher tlsv1.2 high
ssl cipher dtlsv1 fips
ssl dh-group group24
ssl ecdh-group group20
dynamic-access-policy-record DfltAccessPolicy
username *** password $***$***$***==$***== *** privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 5 mode exec command more
privilege cmd level 5 mode exec command dir
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege cmd level 3 mode exec command packet-tracer
privilege cmd level 5 mode exec command export
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command route
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command service-policy
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command eigrp
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:
: end
asa01#
asa01# packet-trace input inside udp 10.10.10.1 1812 10.10.10.100 1812 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.100 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac2bf8ea0, priority=501, domain=permit, deny=true
 hits=4, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
 src ip/id=10.10.10.1, mask=255.255.255.255, port=0, tag=any
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
 input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

asa01# ping 10.10.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
asa01#
10-28-2019 02:03 PM - edited 10-28-2019 02:11 PM
The RADIUS server/DC is a Windows Server 2019 VM, and apparently this is a known bug with Server 2019 that blocks the traffic despite local firewall rules allowing it. F****** Microsoft.
I had to add a duplicate rule just for RADIUS traffic and not associate it with the NPS group. I guess I just misunderstood packet-tracer! Thanks for the new information though!
10-26-2019 12:35 PM
Packet tracer is used to simulate traffic passing through the ASA, not traffic going to the ASA. That is why it is failing. Your configuration looks fine, have you checked the logs on the RADIUS server?
Have you added the ASA as a network device in the AD NPS configuration? https://theitbros.com/radius-server-configuration-on-windows/
If the above is done, I would start by doing a packet capture (using the packet capture wizard in ASDM) and checking this in Wireshark to see if you are actually getting return traffic from the RADIUS server. You might also want to do a SPAN of the server port at the same time so you can correlate the capture from the ASA and the RADIUS.
10-27-2019 08:03 PM - edited 10-27-2019 08:28 PM
It isn't simulating traffic going to the ASA. It's simulating traffic originating from the ASA. If I change the source IP to a host on my inside network and run packet-trace, it is allowed. The problem is that the actual RADIUS client is the ASA itself which is getting blocked by an implicit deny. The RADIUS server logs show no connection requests.
As for my AD NPS configuration, I have the ASA enabled as a RADIUS client...
Friendly name: asa01
Address: 10.10.10.1
Shared secret: [matches]
Vendor name: Cisco
I have a Connection Request Policy with the following properties:
Client Friendly Name: asa01
Authentication: Authenticate requests on this server
Realm Name Attribute: User-Name
I have a Network Policy with the following properties:
Access Permission: Grant access
Conditions: User Groups: Cisco Admins
Constraints:
Authentication Methods: Unencrypted authentication (PAP, SPAP)
RADIUS Attributes:
Standard: Service-Type: Login
Vendor Specific: Cisco-AV-Pair: shell:priv-lvl=15
Encryption: All selected (Basic, Strong, Strongest, None)
Still broken... I have the following test aaa-server result:
asa01# test aaa-server auth RAD_SERVERS host 10.10.10.100 username *** password ***
INFO: Attempting Authentication test to IP address (10.10.10.100) (timeout: 12 seconds)
ERROR: Authentication Server not responding: No response from server
asa01#
10-27-2019 08:19 PM
Here's a debug and RADIUS test.
asa01# debug radius
asa01# test aaa-server auth RAD_SERVERS host 10.10.10.100 username *** password ***
INFO: Attempting Authentication test to IP address (10.10.10.100) (timeout: 12 seconds)
radius mkreq: 0x80000004
alloc_rip 0x00002aaac2c8d038
new request 0x80000004 --> 114 (0x00002aaac2c8d038)
got user '***'
add_req 0x00002aaac2c8d038 session 0x80000004 id 114
RADIUS_REQUEST
radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 84).....
01 72 00 54 c4 96 82 83 5f 03 a9 7d 1e 36 4d 32    |  .r.T...._..}.6M2
d1 df 2d ab 01 07 00 00 00 00 00 02 12 13 e6 5b    |  ..-...*****....[
26 06 d5 7d 04 af 25 55 52 70 03 99 33 04 06 0a    |  &..}..%URp..3...
0a 0a 01 05 06 00 00 00 19 3d 06 00 00 00 05 1a    |  .........=......
15 00 00 00 09 01 0f 63 6f 61 2d 70 75 73 68 3d    |  .......coa-push=
74 72 75 65                                        |  true

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 114 (0x72)
Radius: Length = 84 (0x0054)
Radius: Vector: C49682835F03A97D1E364D32D1DF2DAB
Radius: Type = 1 (0x01) User-Name
Radius: Length = 7 (0x07)
Radius: Value (String) = 00 00 00  |  ***
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) = 13 e6 5b 26 06 d5 7d 04 af 25 55 52 70 03 99 33  |  ..[&..}..%URp..3
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.10.10.1 (0x0A0A0A01)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x19
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 21 (0x15)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 15 (0x0F)
Radius: Value (String) = 63 6f 61 2d 70 75 73 68 3d 74 72 75 65  |  coa-push=true
send pkt 10.10.10.100/1812
RADIUS_SENT:server response timeout
RADIUS_DELETE
remove_req 0x00002aaac2c8d038 session 0x80000004 id 114
free_rip 0x00002aaac2c8d038
radius: send queue empty
ERROR: Authentication Server not responding: No response from server
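The Access-Request that the debug output above prints can be decoded field by field, which is handy when comparing what the ASA sent against a capture taken on the NPS side. This is an added example, not code from the thread: a small RFC 2865 parser in Python, with the 84 raw bytes from the debug output embedded as its sample input. It also rejects a packet whose Length field disagrees with the bytes received or whose attribute list is truncated.

```python
import ipaddress
import struct

# The 84 raw bytes printed by "debug radius" above (User-Name was redacted to zeros there).
ASA_ACCESS_REQUEST = bytes.fromhex(
    "01 72 00 54 c4 96 82 83 5f 03 a9 7d 1e 36 4d 32"
    "d1 df 2d ab 01 07 00 00 00 00 00 02 12 13 e6 5b"
    "26 06 d5 7d 04 af 25 55 52 70 03 99 33 04 06 0a"
    "0a 0a 01 05 06 00 00 00 19 3d 06 00 00 00 05 1a"
    "15 00 00 00 09 01 0f 63 6f 61 2d 70 75 73 68 3d"
    "74 72 75 65"
)

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 26: "Vendor-Specific", 61: "NAS-Port-Type"}

def decode_attr(atype, val):
    """Turn one attribute value into something readable, based on its type."""
    name = ATTR_NAMES.get(atype, f"Attr-{atype}")
    if atype == 4:                      # IPv4 address; NPS matches this against its client entry
        return name, str(ipaddress.IPv4Address(val))
    if atype in (5, 61):                # 32-bit integers
        return name, struct.unpack("!I", val)[0]
    if atype == 26:                     # VSA: 4-byte vendor id, then vendor type / length / value
        vendor = struct.unpack("!I", val[:4])[0]
        vtype, vlen = val[4], val[5]
        return name, {"vendor": vendor, "type": vtype,
                      "value": val[6:4 + vlen].decode("ascii", "replace")}
    # User-Password is MD5-obfuscated with the shared secret, so leave it as hex
    return name, val.hex() if atype == 2 else val.decode("ascii", "replace")

def parse_radius(pkt):
    """Decode an RFC 2865 header and attribute list; raise ValueError on malformed input."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"length field {length} != {len(pkt)} bytes received")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append(decode_attr(atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODES.get(code, code), "id": ident,
            "authenticator": pkt[4:20].hex(), "attrs": attrs}
```

Running `parse_radius(ASA_ACCESS_REQUEST)` yields NAS-IP-Address 10.10.10.1, which is the value the NPS RADIUS client entry has to match; the same function can be fed the UDP payload from a Wireshark capture on the server to confirm the request actually arrived intact.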
10-27-2019 10:34 PM - edited 10-27-2019 10:37 PM
In addition to the RADIUS server logs, I would recommend an actual packet capture on the RADIUS server.
Your ASA configuration looks mostly correct. The nat (inside,inside) lines aren't necessary.
Whether the traffic is to or from the ASA, you cannot use packet-tracer for either type. You can only use it to test synthetic packets THROUGH the ASA. That is, something arriving on a given interface and then egressing the ASA. The source IP in packet-tracer can never be any interface address of the ASA itself.
10-28-2019 10:23 PM
You're welcome. Thanks for sharing your solution.