08-20-2007 05:31 AM - edited 03-03-2019 06:23 PM
Hi,
We set up a RADIUS server for authentication. R1 is the Internet gateway, R2 is behind the Internet gateway with the internal segment (192.168.x.x). We can use the RADIUS to
auth for R2. It means that we can telnet to R2 and use a RADIUS account to log in to the R2 router. However, it fails to auth when logging in to R1. For the detailed router configs, please refer to the following.
We guess that the issue is the NAT but I have no idea how to solve it, please advise.
Best regards
=====
R1
!
aaa group server radius RadiusServers
server 192.168.10.10 auth-port 1812 acct-port 1813
!
interface GigabitEthernet0/1
ip address 195.x.x.113 255.255.255.240
!
ip route 0.0.0.0 0.0.0.0 <isp gateway>
ip route 192.168.10.10 255.255.255.255 195.x.x.114
R2
!
aaa group server radius RadiusServers
server 192.168.10.10 auth-port 1812 acct-port 1813
!
interface GigabitEthernet0/0
ip address 195.x.x.114 255.255.255.240
ip nat outside
!
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 195.x.x.113
!
ip nat pool NAT_OUT 195.x.x.114 195.x.x.114 netmask 255.255.255.240
ip nat inside source route-map nonat pool NAT_OUT overload
!
route-map nonat permit 10
match ip address 155
!
access-list 155 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 155 deny ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 155 permit ip 192.168.10.0 0.0.0.255 any
!
!
!
radius server
ip address: 192.168.10.10
default gateway point to 192.168.10.1
08-20-2007 06:48 AM
Hi,
1. What RADIUS are you using? Did you check if it has a client configuration for 195.x.x.113? It may have a client configuration only for 192.168.10.1 or 192.168.10.0/24.
2. Since you NAT to 195.x.x.114, I suggest you change the config in R1 from:
server 192.168.10.10 auth-port 1812 acct-port 1813
to:
server 195.x.x.114 auth-port 1812 acct-port 1813
I think some IOS versions have the "radius source-interface" command; you may want to include this:
R1
ip radius source-interface GigabitEthernet0/1
R2
ip radius source-interface GigabitEthernet0/1
Regards,
Dandy
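The two failure points raised in this thread, the FreeRADIUS client list (question 1 above) and the NAT applied to the server's reply on R2, traced in a small model of the posted topology. This is an added example, not config or code from either poster; the masked 195.x.x prefix is stood in for by the documentation range 198.51.100.0/28, and the NAS is assumed to discard a reply whose source is not the server address it sent to.

```python
import ipaddress

# Constructed model of the thread's topology (added example, not from the original post).
R1_TO_R2   = "198.51.100.113"   # R1 Gi0/1 (stands in for 195.x.x.113), R1's source toward the server
R2_OUTSIDE = "198.51.100.114"   # R2 Gi0/0 (stands in for 195.x.x.114), the single address in pool NAT_OUT
INSIDE_NET = "192.168.10.0/24"  # R2 Gi0/1 side, "ip nat inside"
RADIUS_SRV = "192.168.10.10"

# access-list 155 from R2 as (action, source, destination) in Cisco wildcard notation.
ACL_155 = [
    ("deny",   "192.168.10.0 0.0.0.255", "192.168.0.0 0.0.255.255"),
    ("deny",   "192.168.10.0 0.0.0.255", "172.16.0.0 0.0.255.255"),
    ("permit", "192.168.10.0 0.0.0.255", "any"),
]

def wildcard_match(addr, spec):
    """Cisco wildcard mask: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    base, wild = spec.split()
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return (a & ~w) == (b & ~w)

def acl_permits(acl, src, dst):
    for action, s, d in acl:          # first matching entry wins
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action == "permit"
    return False                       # implicit deny

def r2_inside_to_outside(src, dst):
    """R2's dynamic NAT: inside->outside packets that route-map nonat (ACL 155) permits get the pool source."""
    return R2_OUTSIDE if acl_permits(ACL_155, src, dst) else src

def freeradius_accepts(src, clients):
    """FreeRADIUS only answers requests from addresses listed as clients (clients.conf)."""
    return any(ipaddress.ip_address(src) in ipaddress.ip_network(c) for c in clients)

def login_via_radius(nas_ip, clients):
    """Trace one Access-Request from a NAS to 192.168.10.10 and the reply back; return the verdict."""
    # Outside->inside packets to 192.168.10.10 match no translation, so the server sees the NAS address as-is.
    if not freeradius_accepts(nas_ip, clients):
        return "dropped by server: unknown client %s" % nas_ip
    reply_src = RADIUS_SRV
    if ipaddress.ip_address(nas_ip) not in ipaddress.ip_network(INSIDE_NET):
        reply_src = r2_inside_to_outside(RADIUS_SRV, nas_ip)   # reply crosses R2 inside->outside
    # Assumption: the NAS matches replies against the server address it sent to, so a NATted source fails.
    if reply_src != RADIUS_SRV:
        return "dropped by NAS: reply from %s, expected %s" % (reply_src, RADIUS_SRV)
    return "accepted"
```

Running the trace for R2 (192.168.10.1) yields "accepted", while R1's request is dropped either by the server's client list or, once 198.51.100.113 is added as a client, by R1 itself because the reply arrives from the NAT pool address.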
08-20-2007 09:05 AM
Hi,
The RADIUS is FreeRADIUS. The RADIUS can auth with all internal routers (192.168.x.x), no matter whether the router is in TW or the USA. However, it fails to auth the Internet gateway (the one with the "ip nat outside" command).
Could you give me some idea regarding the "radius source-interface"? Do we change the NAT setting? Pls advise.
Best regards