06-25-2014 06:09 AM - edited 03-07-2019 07:49 PM
Hi All,
Please see the attached diagram.
I have a customer whose AAA server is behind a firewall. It will only accept RADIUS packets from one source address - 192.168.46.1
In order to facilitate this, I have added a router to statically NAT the RADIUS source to the correct address.
From the WLC (RADIUS source) I can ping the 46.1 address of the router. I cannot ping the 46.254 address from the WLC.
From the router however, I can ping 46.252 - 254 so I know they reply. I have assumed that the non-Cisco firewall is running VRRP with .254 as the VIP.
If I send a test RADIUS auth request from the WLC, I see the router translate the outbound packets but nothing comes back.
Any thoughts anyone?
06-25-2014 08:34 AM
Couple of thoughts/questions
How is that firewall working? Is it just a L2/Virtual Wire setup? By the looks of the connections and IP addresses, it must be L2. But any time I've worked on firewalls at L2, they don't have IP addresses assigned to their interfaces that pass traffic. That's usually done in a routed configuration and they are on different subnets. These are on the same subnet but are on 2 different interfaces.
The MAC addresses look odd also, a little off from typical vrrp. If the firewall was running vrrp on .254, then it should be in the arp table, which it's not included in the snippet you provided. The mac address for .252 indicates the vendor is Nexcom, which I'm not familiar with.
Also, if there's vrrp, is there a second firewall unit not shown on your drawing? Can you ping the radius server from the router?
06-26-2014 03:29 AM
Hi there,
The firewall must be in routed mode.
I agree that the MAC addresses look messed up:
Internet 192.168.46.254 0 0000.5e00.0002 ARPA FastEthernet0/0
Internet 192.168.46.252 84 0010.f333.c916 ARPA FastEthernet0/0
Internet 192.168.46.253 0 0000.5e00.0002 ARPA FastEthernet0/0
Internet 192.168.46.250 144 0000.5e00.0002 ARPA FastEthernet0/0
Internet 192.168.46.251 144 0000.5e00.0002 ARPA FastEthernet0/0
I have recreated the environment in GNS3 and it works perfectly. That is with a router interface mimicking the customer firewall.
The site firewall is a pair of appliances which my drawing does not show.
They must be NATing the 192.168.46.x/24 network to another private subnet where the RADIUS server resides.
In answer to your question, I cannot ping the RADIUS server from the router but I am told by their security team that there is an ACL blocking inbound ICMP requests.
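An added example, not part of this thread: a short Python script that parses the `show ip arp` snippet quoted above, labels the well-known VRRP/HSRP virtual-MAC ranges the discussion turns on (so the "odd" 0000.5e00.0002 is shown to fall outside the standard VRRP pattern), and flags any MAC that several addresses resolve to. The snippet is embedded as constructed sample input; the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed copy of the `show ip arp` lines quoted above (Cisco IOS format).
ARP_SNIPPET = """\
Internet 192.168.46.254 0 0000.5e00.0002 ARPA FastEthernet0/0
Internet 192.168.46.252 84 0010.f333.c916 ARPA FastEthernet0/0
Internet 192.168.46.253 0 0000.5e00.0002 ARPA FastEthernet0/0
Internet 192.168.46.250 144 0000.5e00.0002 ARPA FastEthernet0/0
Internet 192.168.46.251 144 0000.5e00.0002 ARPA FastEthernet0/0
"""

ARP_RE = re.compile(
    r"^Internet\s+(\S+)\s+(\S+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA\s+(\S+)"
)

def parse_arp(text):
    """Parse IOS `show ip arp` lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            ip, age, mac, intf = m.groups()
            entries.append({"ip": ip, "age": age, "mac": mac.lower(), "intf": intf})
    return entries

def classify_mac(mac):
    """Name the first-hop-redundancy protocol a virtual MAC belongs to, if any.
    VRRP IPv4 00-00-5E-00-01-{VRID}, VRRP IPv6 00-00-5E-00-02-{VRID} (RFC 5798);
    HSRPv1 0000.0c07.ac{group}, HSRPv2 0000.0c9f.f{group} (Cisco)."""
    h = mac.replace(".", "").lower()
    if h.startswith("00005e0001"):
        return "VRRP IPv4 VRID %d" % int(h[10:], 16)
    if h.startswith("00005e0002"):
        return "VRRP IPv6 VRID %d" % int(h[10:], 16)
    if h.startswith("00005e"):
        return "IANA OUI, not a VRRP virtual MAC"
    if h.startswith("00000c07ac"):
        return "HSRPv1 group %d" % int(h[10:], 16)
    if h.startswith("00000c9ff"):
        return "HSRPv2 group %d" % int(h[9:], 16)
    return "physical"

def find_shared_macs(entries):
    """Map each MAC that several IPs on one interface resolve to -> list of those IPs."""
    by_mac = defaultdict(list)
    for e in entries:
        by_mac[(e["intf"], e["mac"])].append(e["ip"])
    return {mac: ips for (_, mac), ips in by_mac.items() if len(ips) > 1}
```

Running `find_shared_macs(parse_arp(ARP_SNIPPET))` on the quoted table reports one MAC answering for four addresses, which is the kind of single-point-of-resolution a defender would want logged when a redundancy pair is expected.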
06-26-2014 08:18 AM
What does the security team see in their logs for the RADIUS attempts from .46.1?
06-26-2014 08:44 AM
That their firewall config was bunkum.
They have amended their config and it's all working fine :)
Thank you for your input. Logic said that the problem was on their side but the ICMP issue threw me.
Thanks again,
Jason