RADIUS via Azure VPN

jfnk
Level 1

Hi

I have put in place a new setup for a small company who require minimal onsite infrastructure (i.e. no servers). I have put a pair of DCs and a file server in Azure (more servers will follow), with a couple of Cisco switches and an ASA (5516-x) on-prem, and have set up a site-to-site VPN using a Virtual Tunnel Interface. That's all working fine, and I have been able to join the on-prem clients to the Azure-based domain controller, and access the server resources as expected.

Next step is to allow remote access, and I am trying to get RADIUS authentication working from the ASA to the RADIUS server in Azure (NPAS running on a Windows Srv 2016 VM). It works ok if I use the RADIUS server's public IP, but I can't connect from the ASA to the server's native address via the VPN. I get the error

ASA-6-110003: Routing failed to locate next hop for udp

and the connection attempt times out. sh asp table routing shows that the relevant route exists.

I've tried defining the RADIUS server on both the outside interface and the inside, but in both cases I get the same result, although I note that the ASDM packet tracer gives me a "success" when going via the inside interface (and being routed from there via the VTI), but fails via the outside (dropped by an implicit rule). In both cases I should say that the route lookup succeeds, and points to the VTI interface.

I looked a bit at NATting, and have tried putting a rule in to tell it not to NAT, although that seems a bit superfluous given that the outside interface IP is the public IP I would normally NAT to.

At a basic level, does anyone know if what I'm trying to do is possible? If the ASA's outside interface is the endpoint for the site-to-site VPN, should that interface be able to talk across the VPN itself?

Has anyone set up a similar RADIUS config with any success? I'd be very glad of any insight.

Thanks

Jeremy

6 Replies

Dennis Mink
VIP Alumni

I am not sure if this is going to work but, can you add a route to your RADIUS server:

route outside <real IP of your Radius server> 255.255.255.255 <next hop public IP outside> 1

This way the ASA will route across the outside IP and use IPsec to your Azure instance(s).

I have had to do this many times with IPsec (not necessarily with RADIUS).


Thanks Dennis, and thanks Mohammed

There's a route to the subnet that the RADIUS server is on, but I've now added one specifically to that host. Sadly, no change.

I know the RADIUS server is reachable via the VPN (it's also the DC and DNS server), it's just when I try to connect to it directly from the ASA itself that I get the 110003 error.

Cheers

Jeremy

After a couple of TAC WebEx sessions, this is resolved! VPN and routing were configured ok, but to get the RADIUS to flow over the VPN I needed to add this to the config:

management-access outside

Once that was in place all worked as I had hoped.

Cheers

Jeremy

Hi Jfnk,

I'm trying to do the same configuration as you describe, but in my scenario the RADIUS server has no public IP and I can't communicate with it from an ASA 5515-x.

I can ping or RDP to the WinServer 2016 (VM on Azure).
When I set up AAA RADIUS on the ASA, I'm setting the local IP of the WinServer and I'm choosing interface Outside (there is no VTI interface to choose).

On the RADIUS server I've tried setting the ASA client with my public IP (outside interface IP). What was your configuration? Can anybody help with this?
I've added management-access outside.

Hi Damian

For me it was the management-access outside that was missing. Other than that the config was pretty standard:

aaa-server <RADIUS_Server_Name> protocol radius
reactivation-mode depletion deadtime 2
aaa-server <RADIUS_Server_Name> (outside) host n.n.n.n
key *****
radius-common-pw *****

So, same as you, in the aaa-server command it is the outside interface that is defined. The host IP (n.n.n.n above) is the host's private IP on the Azure subnet, and there is a route defined to that subnet via the VTI tunnel. I assume you must have that route defined since you said you are able to ping/RDP to the host.

On the RADIUS server, the client is defined with the ASA's outside interface IP address. That address must also be included as an address space in the Local network gateway definition in your Azure Site-to-Site VPN config.

Cheers

Jeremy
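
As an added illustration, not code from this thread or from Cisco or Microsoft, the following Python models the RADIUS exchange Jeremy's reply describes: the ASA sources the Access-Request from its outside interface IP, and NPS answers only if that source address is defined as a RADIUS client with the matching shared secret; a request from any other address is silently discarded, which the ASA experiences as a timeout. The addresses, shared secret and user are constructed values; the packet encoding follows RFC 2865 (User-Password obfuscation and the Response Authenticator), and the server function is a minimal stand-in for NPS, not NPS itself.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Constructed values for the demonstration (not taken from the thread).
ASA_OUTSIDE_IP = "203.0.113.10"   # the address defined as the RADIUS client on NPS
ASA_INSIDE_IP = "192.168.1.1"     # a source address NPS has never heard of
SHARED_SECRET = b"constructed-shared-secret"


def _attr(attr_type, value):
    """One attribute as Type | Length | Value; Length counts the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _xor_chain(data, secret, request_auth, decrypt):
    """RFC 2865 s5.2: each 16-byte block is XORed with MD5(secret + previous block),
    where 'previous block' is the Request Authenticator for the first block and a
    *cipher* block afterwards (so decryption chains on the input, encryption on the output)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decrypt else result
    return out


def encode_user_password(password, secret, request_auth):
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    return _xor_chain(padded, secret, request_auth, decrypt=False)


def decode_user_password(cipher, secret, request_auth):
    return _xor_chain(cipher, secret, request_auth, decrypt=True).rstrip(b"\x00")


def build_access_request(identifier, username, password, nas_ip, secret, request_auth=None):
    """Client side: Access-Request carrying a random Request Authenticator and a
    NAS-IP-Address equal to the interface the packet is sourced from."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth
    return header + attrs, request_auth


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def radius_server_handle(packet, source_ip, clients, users):
    """Server side, modelled on NPS: a request whose source address is not a defined
    RADIUS client is silently discarded (returns None), which the client sees as a timeout."""
    secret = clients.get(source_ip)
    if secret is None:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    password = decode_user_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    ok = hmac.compare_digest(users.get(attrs[ATTR_USER_NAME].decode(), b""), password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return struct.pack("!BBH", code, identifier, 20) + response_authenticator(code, identifier, b"", request_auth, secret)


def verify_response(packet, request_auth, secret):
    """Client side: check the Response Authenticator before trusting Accept or Reject."""
    if len(packet) < 20:
        return False, None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, None
    expected = response_authenticator(code, identifier, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected), code


def demo(source_ip, password="Correct-Horse"):
    """Run one exchange and report what the ASA would observe."""
    clients = {ASA_OUTSIDE_IP: SHARED_SECRET}   # NPS client list: the ASA outside IP only
    users = {"jeremy": b"Correct-Horse"}        # constructed user database
    request, request_auth = build_access_request(7, "jeremy", password, source_ip, SHARED_SECRET)
    response = radius_server_handle(request, source_ip, clients, users)
    if response is None:
        return "timeout"
    valid, code = verify_response(response, request_auth, SHARED_SECRET)
    if not valid:
        return "bad-authenticator"
    return "accept" if code == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    print("sourced from outside IP:", demo(ASA_OUTSIDE_IP))        # accept
    print("sourced from inside IP: ", demo(ASA_INSIDE_IP))         # timeout
    print("wrong password:         ", demo(ASA_OUTSIDE_IP, "wrong"))  # reject
```

Running it shows the three outcomes the thread distinguishes: accept when the request is sourced from the address NPS knows as its client, timeout when it arrives from any other address, and reject when the server did hear the request but the credentials were wrong. In the real setup the timeout symptom is also what you get when the packet never reaches NPS at all (no route to the host, or the missing management-access outside from the accepted answer), so confirm the ASA-side routing and source interface before adjusting the client definition on the server.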
Do you have a route to radius through the VTI interface?