02-23-2024 12:33 AM
Dear Community,
We are trying to get Radius authentication to work for one of our ASAs.
It is working for every ASA except ASA1.
The following structure is given:
ASA1:
  GigabitEthernet0/1
    nameif transfer-ASA1-ASA2
    security-level 10
    ip address 194.1.1.1 255.255.255.240
  GigabitEthernet0/3
    nameif TS
    security-level 90
    ip address 192.168.4.1 255.255.255.0
<Transfer Network between ASA1 and ASA2>
ASA2:
  GigabitEthernet0/2
    nameif transfer-ASA1-ASA2
    security-level 0
    ip address 194.1.1.5 255.255.255.240
<VPN ASA2 to ASA3>
ASA3:
  GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 193.1.1.1 255.255.255.240
<Transfer Network between ASA3 and ASA4>
ASA4:
  GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 193.1.1.5 255.255.255.240
  GigabitEthernet0/1.1
    vlan 10
    nameif service-hosts
    security-level 66
    ip address 10.10.10.1 255.255.255.0
We are trying to authenticate ASA1 to Radius Server 10.10.10.50 located behind Interface "service-hosts" on ASA4.
When doing the following:
- Access ASA1 via ASDM from a host behind interface "TS" (192.168.4.5); I am able to log in with a local account
- Issue "test aaa-server authentication RADIUS host 10.10.10.50 username xxxx password xxxx"
we can observe on the Radius host itself that everything is fine, request received and successfully authenticated:
Thu Feb 22 14:40:20 2024 : Auth: (1488) Login OK: [xxxx] (from client xxxx port 77)
whilst on ASA1 we are prompted with:
"INFO: Attempting Authentication test to IP address (10.10.10.50) (timeout: 12 seconds)
ERROR: Authentication Server not responding: No response from server"
The logging shows the connection immediately being torn down:
Teardown UDP connection 3616867950 for TS:10.10.10.50/1812 to identity:192.168.4.1/61407 duration 0:00:00 bytes 171
Built outbound UDP connection 3616867950 for TS:10.10.10.50/1812 (10.10.10.50/1812) to identity:192.168.4.1/61407 (192.168.4.1/61407)
Note:
On ASA1 Interface "TS" is configured as Management Access Interface (Device Management => Management Access => Management Interface)
Radius Server Host 10.10.10.50 is located behind interface "service-hosts" on ASA4.
Radius config on ASA1:
aaa-server MGMT protocol radius
aaa-server MGMT (TS) host 10.10.10.50
  key *****
  authentication-port 1812
  accounting-port 1813
Does somebody have any advice on why this is not working?
For the other ASAs it is working.
Best regards
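As an added example (not from the thread or from Cisco), the check below relates three inputs a troubleshooter would collect on ASA1: the `aaa-server GROUP (IF) host IP` lines, which name the interface the ASA sends AAA traffic out of; a `show route` excerpt, to see which interface the routing table would actually use for the server; and the Built/Teardown UDP connection log lines, to summarise what the firewall recorded for each flow. The aaa-server lines and the two log lines are the ones quoted in the post; the `show route` output is an ASSUMED excerpt constructed for the example, so the MISMATCH result it produces illustrates the check rather than diagnosing the poster's device.

```python
import ipaddress
import re

# aaa-server lines as quoted in the post.
AAA_CONFIG = """\
aaa-server MGMT protocol radius
aaa-server MGMT (TS) host 10.10.10.50
 key *****
 authentication-port 1812
 accounting-port 1813
"""

# ASSUMED 'show route' excerpt, constructed for this example (not from the thread).
SHOW_ROUTE = """\
C        192.168.4.0 255.255.255.0 is directly connected, TS
C        194.1.1.0 255.255.255.240 is directly connected, transfer-ASA1-ASA2
S        10.10.10.0 255.255.255.0 [1/0] via 194.1.1.5, transfer-ASA1-ASA2
"""

# Connection log lines as quoted in the post.
CONN_LOGS = """\
Built outbound UDP connection 3616867950 for TS:10.10.10.50/1812 (10.10.10.50/1812) to identity:192.168.4.1/61407 (192.168.4.1/61407)
Teardown UDP connection 3616867950 for TS:10.10.10.50/1812 to identity:192.168.4.1/61407 duration 0:00:00 bytes 171
"""

AAA_HOST_RE = re.compile(r"^aaa-server (?P<group>\S+) \((?P<iface>[^)]+)\) host (?P<ip>[\d.]+)", re.M)
ROUTE_RE = re.compile(r"^\S+\s+(?P<net>[\d.]+) (?P<mask>[\d.]+) .*?, (?P<iface>[\w\-]+)\s*$", re.M)
TEARDOWN_RE = re.compile(
    r"Teardown UDP connection (?P<cid>\d+) for (?P<iface>[\w\-]+):(?P<ip>[\d.]+)/(?P<port>\d+) "
    r"to \S+ duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes (?P<bytes>\d+)")


def parse_aaa_hosts(config):
    """Return {server_ip: (group, interface)} from 'aaa-server GROUP (IF) host IP' lines."""
    return {m["ip"]: (m["group"], m["iface"]) for m in AAA_HOST_RE.finditer(config)}


def parse_routes(show_route):
    """Return a list of (IPv4Network, interface) from ASA 'show route' lines."""
    return [(ipaddress.IPv4Network(f"{m['net']}/{m['mask']}"), m["iface"])
            for m in ROUTE_RE.finditer(show_route)]


def egress_interface(routes, ip):
    """Longest-prefix match: the interface the routing table would send this destination to."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def parse_teardowns(logs):
    """Summarise each Teardown line: {server_ip: [{cid, iface, port, duration_s, bytes}, ...]}."""
    out = {}
    for m in TEARDOWN_RE.finditer(logs):
        secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        out.setdefault(m["ip"], []).append(
            {"cid": m["cid"], "iface": m["iface"], "port": int(m["port"]),
             "duration_s": secs, "bytes": int(m["bytes"])})
    return out


def check_aaa_reachability(config, show_route, logs):
    """For each AAA host: configured interface vs routed interface, plus the logged flows."""
    routes = parse_routes(show_route)
    flows = parse_teardowns(logs)
    findings = []
    for ip, (group, cfg_if) in parse_aaa_hosts(config).items():
        routed_if = egress_interface(routes, ip)
        findings.append({
            "server": ip, "group": group,
            "configured_if": cfg_if, "routed_if": routed_if,
            "flows": flows.get(ip, []),
            "interface_mismatch": routed_if is not None and routed_if != cfg_if,
        })
    return findings


if __name__ == "__main__":
    for f in check_aaa_reachability(AAA_CONFIG, SHOW_ROUTE, CONN_LOGS):
        status = "MISMATCH" if f["interface_mismatch"] else "ok"
        print(f"{f['server']} ({f['group']}): configured on {f['configured_if']}, "
              f"routed via {f['routed_if']} -> {status}")
        for fl in f["flows"]:
            print(f"  conn {fl['cid']} on {fl['iface']}: {fl['duration_s']}s, {fl['bytes']} bytes")
```

The interface in parentheses on the `aaa-server ... host` line is the one the ASA uses to reach the server, so a server that the routing table places behind a different interface is the first thing to rule out; the flow summary then shows which interface the firewall actually bound the connection to and how long it lived.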
02-23-2024 02:19 AM
I am assuming that you added ASA1 as a client on the RADIUS server with its IP 192.168.4.1. Could you please run some packet capture on ASA4's interface Gi0/1.1 filtering the capture with ASA1 and the RADIUS server IPs and share the output for review?
cap RADIUS-TRAFFIC inter service-hosts match udp host 192.168.4.1 host 10.10.10.50 eq 1812
cap RADIUS-TRAFFIC inter service-hosts match udp host 10.10.10.50 eq 1812 host 192.168.4.1
02-26-2024 01:23 AM
Hello,
Yes, it is added with IP 192.168.4.1 as a client. If this were not correct, I think I would not get "Login OK" on Radius.
If I type in a wrong password, the Radius says "incorrect password".
Below you can find the capture:
3 19.909666 192.168.4.1 10.10.10.50 RADIUS 133 Access-Request id=68
4 19.893676 10.10.10.50 192.168.4.1 RADIUS 130 Access-Accept id=68
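The capture above shows the two halves of a RADIUS exchange with matching identifiers (id=68). As an added example, not from the thread or from FreeRADIUS or Cisco, the block below rebuilds that exchange in Python following RFC 2865: the client builds an Access-Request, the server answers with an Access-Accept carrying the same identifier and a Response Authenticator computed over the request authenticator and the shared secret, and the client accepts the reply only if the identifier matches an outstanding request and the authenticator verifies. RFC 2865 requires a client to silently discard a reply that fails either test, which from the client's side is indistinguishable from the server never answering. The shared secret, username, password and NAS IP used here are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Constructed shared secret for the example; the thread's real key is masked as *****.
SHARED_SECRET = b"example-secret"


def attr(attr_type, value):
    """One RADIUS attribute: Type (1), Length (1, includes header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, request_authenticator, secret):
    """RFC 2865 section 5.2: XOR each 16-byte chunk with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += chunk
        prev = chunk
    return out


def build_access_request(ident, username, password, nas_ip, secret, authenticator=None):
    """Client side: Code=1, Identifier, Length, 16-byte random Request Authenticator, attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, hide_password(password, authenticator, secret))
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code, request, secret, attrs=b""):
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident, req_auth = request[1], request[4:20]
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def validate_response(request, response, secret):
    """Client side: return (accepted, reason_or_code_name); a failure means silent discard."""
    if len(response) < 20:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False, "length field does not match packet size"
    if ident != request[1]:
        return False, "identifier does not match outstanding request"
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return False, "bad Response Authenticator (shared secret mismatch?)"
    return True, CODE_NAMES.get(code, f"code {code}")


def demo_exchange(client_secret, server_secret, ident=68):
    """Run one request/response round trip with possibly different secrets on each side."""
    request = build_access_request(ident, b"xxxx", b"xxxx", "192.168.4.1", client_secret)
    response = build_response(ACCESS_ACCEPT, request, server_secret)
    return validate_response(request, response, client_secret)


if __name__ == "__main__":
    print("same secret:     ", demo_exchange(SHARED_SECRET, SHARED_SECRET))
    print("different secret:", demo_exchange(SHARED_SECRET, b"other-secret"))
```

Run as a script it prints an accepted Access-Accept for the matching secret and the discard reason for the mismatched one; a server that logs "Login OK" while the client reports no response is consistent with the reply being sent but failing one of these client-side checks, or with it never arriving at the client, and a capture taken at the client's interface distinguishes the two.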
02-27-2024 04:02 PM
Found problems always when sourcing traffic for Radius from the LAN traversing the same device. May I suggest you try using ASA1: GigabitEthernet0/1 instead?
02-27-2024 11:50 PM - edited 02-27-2024 11:51 PM
Thanks for your answer.
So you mean traffic should exit and come back via the external ASA1: GigabitEthernet0/1, or a new Radius host should be placed behind an interface at ASA1?