Radius connection for Cisco Anyconnect over Site-to-Site VPN

Anton6
Level 1

Hi,

 

I have a client with a Cisco 5506 running Cisco AnyConnect VPN at their office. I need to authenticate the Cisco AnyConnect VPN connections through a RADIUS server that is located at another site behind another Cisco 5506. The firewalls have an IPsec tunnel set up between them. When I connect with a local account to the Cisco AnyConnect VPN on the client's FW everything works and I can reach the RADIUS server with ping etc.

 

However, when I run the RADIUS authentication test on the client's ASA it fails.

 

Is this possible to achieve?

 

 

 

 


Ben Walters
Level 3

It should be possible; we have several remote devices that use RADIUS auth through a VPN tunnel.

 

When you run the RADIUS test from the remote ASA do you see anything being blocked on the far side? 

 

You may need to specify the RADIUS source interface, right now it might be trying to send the request from an interface/address that is being blocked/not tunneled. 

Thank you for your reply.

 

I see no traffic regarding the test on the other ASA in the logs when I do the connectivity test.

How do I see/change the RADIUS source interface?

Ben Walters
Level 3

The interface is specified when you add the AAA server to the firewall.

 

Something like this:

aaa-server <AAA server group> (<interface name>) host x.x.x.x

So if you had a server group called "radius" and the traffic should be sent out the outside interface to a server at 172.16.15.11, the command would be

aaa-server radius (outside) host 172.16.15.11

Then you would just specify any other options below that like port numbers, key, etc.

 

The solution was to set the RADIUS traffic to go out on the outside interface, then add the outside IP in the IPsec configuration as a local network, and then as a remote network on the other firewall.
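An added, constructed ASA configuration that puts the two answers above together (the source-interface setting from Ben's post and the crypto ACL change from the solution post). It is not the original poster's configuration; the interface names, IP addresses (documentation ranges), group names and the shared-secret placeholder are all assumptions.

```cisco
! --- Client-site ASA (terminates the AnyConnect users) ---
! Source the RADIUS group on the outside interface so requests leave
! from the outside IP (203.0.113.10, assumed) and match the crypto ACL.
aaa-server RADIUS protocol radius
aaa-server RADIUS (outside) host 192.168.50.11
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813
!
! AnyConnect tunnel-group authenticates against RADIUS, LOCAL as fallback
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 authentication-server-group RADIUS LOCAL
!
! Interesting traffic for the site-to-site tunnel: the LAN-to-LAN line
! plus the ASA's own outside IP to the RADIUS server (the missing piece)
access-list L2L-TO-HQ extended permit ip 10.10.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list L2L-TO-HQ extended permit ip host 203.0.113.10 host 192.168.50.11
!
! --- HQ ASA (in front of the RADIUS server): mirror image of the ACL ---
access-list L2L-TO-BRANCH extended permit ip 192.168.50.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list L2L-TO-BRANCH extended permit ip host 192.168.50.11 host 203.0.113.10
!
! Verification from the client ASA (peer 198.51.100.10 is the HQ ASA, assumed):
! test aaa-server authentication RADIUS host 192.168.50.11 username testuser password <pw>
! show crypto ipsec sa peer 198.51.100.10   (encaps/decaps counters should increase)
```

The RADIUS server itself must also have a client entry for the client ASA's outside IP with the same shared secret, since that is the source address it will now see inside the tunnel.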

 

Thanks for the update telling us that you did find a solution for your issue and explaining what the solution was. (and +5 for this). I am glad to know that you have found your solution. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

 

HTH

 

Rick
