VPN Radius authentication failure since upgrade from PIX to ASA

matthewatt
Level 1

I recently put an ASA in place of a PIX on our network. I am pretty sure I have things set up correctly; however, I'm getting an error message when authenticating with the Cisco VPN client. The group name and password are authenticating fine, as I'm getting a prompt for the username and password, and that seems to be where it's failing. The ASA is configured to send those attributes to a Radius server. The VPN client reports back "secure vpn connection terminated by peer". When I enable debug on the ASA while attempting authentication, I get the following:

"
ASA-FW/pri/act# AAA API: In aaa_open
AAA session opened: handle = 48
AAA API: In aaa_process_async
aaa_process_async: sending AAA_MSG_PROCESS
AAA task: aaa_process_msg(0xc839b638) received message type 0
AAA FSM: In AAA_StartAAATransaction
AAA FSM: In AAA_InitTransaction
Initiating authentication to primary server (Svr Grp: radiusauth)
------------------------------------------------
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server: 192.168.100.5
AAA FSM: In AAA_SendMsg
User: test
Resp:
callback_aaa_task: status = -3, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 48, pAcb = 0xcb84b2c4
AAA task: aaa_process_msg(0xc839b638) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
------------------
Authentication Status: -3 (ERROR)
AAA FSM: In AAA_Error
ERROR: Invalid response received from server
AAA FSM: In AAA_Callback
user attributes:
None
user policy attributes:
None
tunnel policy attributes:
None
Auth Status = ERROR
AAA API: In aaa_close
AAA task: aaa_process_msg(0xc839b638) received message type 3
In aaai_close_session (48)"

Also, one reason I don't think it's related to something in my VPN config: I also ran the ASA's "test aaa-server" command, which should take the VPN piece out of the equation and simply test authentication to the Radius server from the ASA. Here is what I receive on the debug when I do that:

"
RADAR-FW/pri/act# test aaa-server authentication radiusrauth
Server IP Address or name: 192.168.100.5
Username: test
Password: *************
INFO: Attempting Authentication test to IP address <192.168.100.5> (timeout: 10 seconds)
callback_aaa_task: status = -3, msg =
ERROR: Authentication Error: Invalid response received from server"

Does anyone have any idea how to get further info on what is going on from the ASA? I don't have access to the Radius server, unfortunately. But if we put the old PIX back in place, things work fine.
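The debug above shows the ASA receiving something from 192.168.100.5 and then discarding it as "Invalid response", rather than timing out. In RADIUS (RFC 2865 section 3) every Access-Accept/Reject carries a Response Authenticator, MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret), and a client must discard any reply whose authenticator does not verify under its own shared secret. The script below is an added example, not code from the ASA, the poster's Radius server or Cisco; it builds a PAP Access-Request, answers it with a toy server, and verifies the reply on the client side, so you can see that a well-formed reply produced under a different secret is rejected as invalid while a wrong password produces a clean Reject. The secrets, user name and password are constructed values; the thread does not say which cause applies in the poster's case.

```python
"""Minimal RFC 2865 Access-Request/response exchange (constructed example).

Shows why a shared-secret mismatch makes a RADIUS client discard an otherwise
well-formed reply: the Response Authenticator is keyed by the secret.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type: int, value: bytes) -> bytes:
    # Attribute TLV: Type (1 byte) | Length (1 byte, includes header) | Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _pap_obfuscate(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    # RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with
    # MD5(secret + previous block); the first block is keyed by the Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def _pap_recover(cipher: bytes, secret: bytes, req_auth: bytes) -> bytes:
    # Inverse of _pap_obfuscate: the server recomputes the same key stream with its secret.
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: str, password: str, secret: bytes):
    """Client side: Access-Request with User-Name and PAP User-Password."""
    req_auth = os.urandom(16)  # Request Authenticator: 16 random bytes
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(
        ATTR_USER_PASSWORD, _pap_obfuscate(password.encode(), secret, req_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def server_respond(request: bytes, server_secret: bytes, users: dict) -> bytes:
    """Toy server: check the PAP password and sign the reply with ITS secret."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    password = _pap_recover(attrs[ATTR_USER_PASSWORD], server_secret, req_auth)
    code = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # no reply attributes in this toy
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + server_secret).digest()
    return header + resp_auth


def client_check_response(response: bytes, req_auth: bytes, ident: int,
                          client_secret: bytes) -> str:
    """Client side: 'ACCEPT', 'REJECT', or 'INVALID' when the reply must be discarded."""
    code, resp_id, length = struct.unpack("!BBH", response[:4])
    if resp_id != ident:
        return "INVALID"  # reply does not match an outstanding request
    expected = hashlib.md5(response[:4] + req_auth + response[20:length]
                           + client_secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return "INVALID"  # Response Authenticator fails under our secret
    return {ACCESS_ACCEPT: "ACCEPT", ACCESS_REJECT: "REJECT"}.get(code, "INVALID")


def exchange(client_secret: bytes, server_secret: bytes,
             username: str = "test", password: str = "s3cret") -> str:
    """Run one request/response round trip and return the client's verdict."""
    users = {"test": b"s3cret"}  # constructed user database for the toy server
    request, req_auth = build_access_request(7, username, password, client_secret)
    response = server_respond(request, server_secret, users)
    return client_check_response(response, req_auth, 7, client_secret)


if __name__ == "__main__":
    print("same secret, right password :", exchange(b"k1", b"k1"))
    print("same secret, wrong password :", exchange(b"k1", b"k1", password="nope"))
    print("secret mismatch             :", exchange(b"k1", b"k2"))
```

With matching secrets the client sees ACCEPT or a clean REJECT; with mismatched secrets the server's reply is syntactically fine but its authenticator fails, which is exactly the "invalid response" class of failure as opposed to a timeout (a server that does not know the client at all typically never answers). A packet capture on the ASA's interface toward the server would distinguish the two cases without access to the server's logs.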

3 Replies

Julio Carvajal
VIP Alumni

Hello,

As you cannot simply get a successful message from the Radius server, I would say there is something wrong with the Radius server (related to the ASA). Can you get into the Radius server and check that you have added the ASA as a client?

Can you provide the ASA configuration related to the Radius configuration?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

The Radius server is supported by another group and I am not getting far with them. They are not providing me with any logging, etc. The ASA that took the place of the PIX has the exact same addressing, so I'm assuming the Radius server would not need any updates to talk to the new firewall, but I don't know anything about the server, so that's speculation on my part. Would you agree that my using the "test aaa authentication" command on my ASA is taking my VPN config out of the equation as being incorrect? Thanks

Hello Matt,

You are 100% sure the problem is between the ASA and the Radius server right now (VPN is out of the picture)?

Regards,

Let me know if there is something else I can do for you.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC