Has anyone seen an issue with using RADIUS between a Cisco ASA5510 and a Windows 2008 NPS server? I had an issue some time ago where I continuously saw both configured RADIUS servers marked as failed and then marked as active, over and over. After a Windows 2008 server update, the RADIUS issue went away. Just recently it started again. I'm not sure if a Windows update caused it to start happening again.
Thanks for any replies,
Could you please provide the following info?
- ASA software version
- related AAA configuration on ASA.
- when the issue happens, please capture the following commands on ASA
show cpu usage
show aaa-server (multiple times to show it is marked as failed)
Also check your windows server's status when the issue happens.
ASA version is 8.2(2)
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.1
aaa-server RADIUS (inside) host 192.168.1.2
aaa-server RADIUS (inside) host 192.168.1.3
All tunnel-groups contain "accounting-server-group RADIUS" and "authentication-server-group RADIUS"
The RADIUS server returns the VPN group assignment as OU=VPNgroup
I just did a packet capture on the RADIUS exchange and see the below happening.
RADIUS response with correct OU assignment
RADIUS response with incorrect OU assignment
some time passes
syslog sent stating RADIUS server failed
It tries a few more times; if the RADIUS server ever replies with the correct OU it will succeed, otherwise it will time out.
This appears to be a Windows 2008 NPS issue.
Here's another indicator pointing toward the RADIUS server. When I do a packet capture I see the response from the RADIUS server for both the failures and the successes. The difference is that Wireshark is able to identify which response goes to which request for the successful logins, but not for the failures.
I see in the successful response packet this message : "This is a response to a request in frame x". I don't see this in the response that times out.
When I get a login timeout, I see both the request and response packets to/from the RADIUS server. Wireshark doesn't recognize the pair to be related.
From what I am able to read in the packet capture, nothing stands out to me suggesting the response is formatted incorrectly.
Thanks for looking at this for me.
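Wireshark pairs a RADIUS reply with its request by the one-byte Identifier in the RADIUS header (within the same NAS/server UDP conversation), and, if given the shared secret, it can also check the Response Authenticator, which is MD5 over the reply header, the Request Authenticator, the reply attributes and the secret. A reply whose Identifier matches no outstanding request gets no "This is a response to a request in frame x" line. The code below is an added example, not part of this thread and not Cisco or Microsoft code, that performs the same pairing and authenticator check over constructed packets; the shared secret, usernames, NAS address and group name are made up. It also pulls out the Class (25) attribute, which is where the ASA reads an OU=<group-policy> assignment.

```python
import hashlib
import hmac
import os
import struct

# RADIUS header and codes from RFC 2865.
HEADER = struct.Struct("!BBH16s")          # Code, Identifier, Length, Authenticator
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_CLASS = 1, 4, 25


def pack_attrs(attrs):
    """Serialise (type, value-bytes) pairs as RADIUS type/length/value triples."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value longer than 253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def parse_packet(data):
    """Split a RADIUS datagram into header fields and an attribute list."""
    code, ident, length, auth = HEADER.unpack_from(data)
    if length < HEADER.size or length > len(data):
        raise ValueError("RADIUS Length field inconsistent with datagram")
    attrs, pos = [], HEADER.size
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "authenticator": auth,
            "attrs": attrs, "raw": data[:length]}


def build_request(identifier, attrs, authenticator=None):
    """Access-Request; the Request Authenticator is 16 random bytes unless supplied."""
    authenticator = authenticator or os.urandom(16)
    body = pack_attrs(attrs)
    return HEADER.pack(ACCESS_REQUEST, identifier, HEADER.size + len(body), authenticator) + body


def build_response(code, request, attrs, secret):
    """Reply to `request`: same Identifier, and Response Authenticator =
    MD5(Code | Identifier | Length | RequestAuthenticator | Attributes | Secret)."""
    req = parse_packet(request)
    body = pack_attrs(attrs)
    length = HEADER.size + len(body)
    head = struct.pack("!BBH", code, req["id"], length)
    digest = hashlib.md5(head + req["authenticator"] + body + secret).digest()
    return HEADER.pack(code, req["id"], length, digest) + body


def verify_response(request, response, secret):
    """Recompute the Response Authenticator from the request the reply claims to answer."""
    req, resp = parse_packet(request), parse_packet(response)
    expected = hashlib.md5(resp["raw"][:4] + req["authenticator"]
                           + resp["raw"][HEADER.size:] + secret).digest()
    return hmac.compare_digest(expected, resp["authenticator"])


def class_values(packet):
    """Class (25) attribute values; the ASA takes its group-policy from an OU=<name> value here."""
    return [v for t, v in parse_packet(packet)["attrs"] if t == ATTR_CLASS]


def pair_responses(requests, responses, secret):
    """Match each reply to an outstanding request by Identifier, as a dissector does within
    one NAS/server UDP conversation (Identifiers wrap at 256, so real tools also bound the
    match by time). Returns (pairs, orphans); each pair carries the authenticator check result."""
    outstanding = {parse_packet(r)["id"]: r for r in requests}
    pairs, orphans = [], []
    for resp in responses:
        req = outstanding.pop(parse_packet(resp)["id"], None)
        if req is None:
            orphans.append(resp)          # a reply Wireshark cannot tie to any request
        else:
            pairs.append((req, resp, verify_response(req, resp, secret)))
    return pairs, orphans


if __name__ == "__main__":
    # Constructed sample exchange; secret, user, NAS address and group name are made up.
    secret = b"constructed-shared-secret"
    req = build_request(0x2A, [(ATTR_USER_NAME, b"alice"),
                               (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 1]))])
    good = build_response(ACCESS_ACCEPT, req, [(ATTR_CLASS, b"OU=VPNgroup")], secret)
    # A reply to a request we never captured: its Identifier matches nothing outstanding.
    stray = build_response(ACCESS_ACCEPT, build_request(0x2B, [(ATTR_USER_NAME, b"bob")]),
                           [(ATTR_CLASS, b"OU=Other")], secret)
    pairs, orphans = pair_responses([req], [good, stray], secret)
    for r, s, ok in pairs:
        print("request id=%d -> reply code=%d class=%r authenticator_ok=%s"
              % (parse_packet(r)["id"], parse_packet(s)["code"], class_values(s), ok))
    print("unmatched replies: %d" % len(orphans))
```

Run against real traffic, the same logic would be fed the UDP payloads of each ASA-to-NPS conversation; a reply that lands in `orphans`, or a pair whose authenticator check fails, is exactly the reply Wireshark leaves without a "response to a request in frame x" line.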
This issue was with the Windows 2008 server. After the latest patches, the issue is now gone. It was the previous patch that had started it. This has happened twice this year. I'm not sure which patches broke it and which ones fixed it.
Someone just voted as having the same issue. If memory is correct, this issue had to do with a patch that updated trusted CAs. This list was so long that it was truncated on the server. We had to remove unused CA certs to fix the issue. To the person that voted, can you let me know if this is your issue?
Hi @Mark, it was me.
So, in fact I thought it could be the same problem; we have not solved it yet, but it appears to be some application issue.
I will keep this post updated when we have finally solved the question.