08-24-2010 05:36 AM
Has anyone seen an issue with using RADIUS between a Cisco ASA5510 and a Windows 2008 NPS server? I had an issue some time ago where I continuously see both configured RADIUS servers marked as failed and then marked as active over and over. After a Windows 2008 server update, the RADIUS issue went away. Just recently it started again. I'm not sure if a Windows update caused it to start happening again.
Thanks for any replies,
Mark
08-24-2010 09:40 AM
Could you please provide the following info?
- ASA software version
- related AAA configuration on ASA.
- when the issue happens, please capture the following commands on ASA
show cpu usage
show aaa-server (multiple times to show it is marked as failed)
Also check your windows server's status when the issue happens.
08-24-2010 10:45 AM
Hello Yudong,
ASA version is 8.2(2)
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.1
 key *****
 authentication-port 1812
 accounting-port 1813
aaa-server RADIUS (inside) host 192.168.1.2
 key *****
aaa-server RADIUS (inside) host 192.168.1.3
 key *****
All tunnel-groups contain "accounting-server-group RADIUS" and "authentication-server-group RADIUS"
The RADIUS server returns the VPN group assignment as OU=VPNgroup
I just did a packet capture on the RADIUS exchange and see the below happening.
Success:
- RADIUS request
- RADIUS response with correct OU assignment
Failure:
- RADIUS request
- RADIUS response with incorrect OU assignment
- some time passes
- syslog sent stating RADIUS server failed
- tries a few more times; if the RADIUS server ever replies with the correct OU it will succeed, otherwise it will time out.
This appears to be a Windows 2008 NPS issue.
08-24-2010 11:04 AM
Your code version ruled out a bug which I was suspecting. So, agreed, the issue might be on the Windows server side.
08-24-2010 12:45 PM
Here's another indicator pointing toward the RADIUS server. When I do a packet capture I see the response from the RADIUS server for both the failures and the successes. The difference is that Wireshark is able to identify which response goes to which request for the successful logins, but not for the failures.
I see in the successful response packet this message : "This is a response to a request in frame x". I don't see this in the response that times out.
When I get a login timeout, I see both the request and response packets to/from the RADIUS server. Wireshark doesn't recognize the pair to be related.
From what I am able to read in the packet capture nothing stands out to me that the response isn't formatted correctly.
Thanks for looking into this for me.
Thanks,
Mark
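Wireshark pairs a RADIUS response with its request using the 1-byte Identifier (plus the client/server addresses), and a receiver such as the ASA additionally checks the Response Authenticator, which is MD5 over the response header, the Request Authenticator of the matching request, the attributes and the shared secret (RFC 2865). The script below is an added example, not code from this thread or from Cisco or Microsoft: it parses RADIUS packets from a small constructed capture (addresses, shared secret, Identifier values and the OU=VPNgroup Class attribute are all made up for the example), pairs responses to requests the way Wireshark does, and reports three outcomes: a paired and authentic Access-Accept, a paired response whose authenticator does not verify (wrong shared secret), and an Access-Accept whose Identifier matches no outstanding request, which is the kind of response the ASA will ignore until its timeout and retry counter mark the server failed.

```python
import hashlib
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

# Constructed values for this example only (not from the thread)
SECRET = b"example-shared-secret"
ASA = "192.0.2.10"      # hypothetical NAS (client) address
NPS = "192.0.2.20"      # hypothetical RADIUS server address
REQ_AUTH = bytes(range(16))  # a fixed 16-byte Request Authenticator for reproducibility


def build_attrs(attrs):
    """Encode a list of (type, value_bytes) as RADIUS TLV attributes."""
    out = b""
    for attr_type, value in attrs:
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_request(ident, request_auth, attrs):
    """Access-Request: header + Request Authenticator + attributes."""
    body = build_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_response(code, ident, request_auth, attrs, secret):
    """Response packet whose authenticator is MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    body = build_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body


def parse_radius(data):
    """Parse the 20-byte header and the attribute TLVs; reject malformed lengths."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"code": code, "id": ident, "length": length,
            "auth": data[4:20], "attrs": attrs, "raw": data[:length]}


def verify_response(response, request, secret):
    """Recompute the Response Authenticator from the paired request's authenticator."""
    head, body = response["raw"][:4], response["raw"][20:]
    expected = hashlib.md5(head + request["auth"] + body + secret).digest()
    return expected == response["auth"]


def pair_responses(packets, secret):
    """packets: list of (src_ip, dst_ip, raw_bytes) in capture order.
    Returns (pairs, unmatched): pairs are (request, response, authenticator_ok);
    unmatched are responses whose (server, client, Identifier) matches no open request."""
    pending, pairs, unmatched = {}, [], []
    for src, dst, raw in packets:
        pkt = parse_radius(raw)
        if pkt["code"] == ACCESS_REQUEST:
            pending[(dst, src, pkt["id"])] = pkt        # keyed by (server, client, id)
        else:
            req = pending.pop((src, dst, pkt["id"]), None)
            if req is None:
                unmatched.append(pkt)
            else:
                pairs.append((req, pkt, verify_response(pkt, req, secret)))
    return pairs, unmatched


def sample_capture():
    """Constructed five-packet capture: good pair, bad-secret pair, orphan response."""
    req5 = build_request(5, REQ_AUTH, [(1, b"mark"), (32, b"asa5510")])          # User-Name, NAS-Identifier
    resp5 = build_response(ACCESS_ACCEPT, 5, REQ_AUTH, [(25, b"OU=VPNgroup")], SECRET)   # Class
    req6 = build_request(6, REQ_AUTH, [(1, b"mark"), (32, b"asa5510")])
    resp6_bad = build_response(ACCESS_ACCEPT, 6, REQ_AUTH, [(25, b"OU=VPNgroup")], b"wrong-secret")
    resp9 = build_response(ACCESS_ACCEPT, 9, REQ_AUTH, [(25, b"OU=VPNgroup")], SECRET)   # no request id 9
    return [(ASA, NPS, req5), (NPS, ASA, resp5), (ASA, NPS, req6), (NPS, ASA, resp6_bad), (NPS, ASA, resp9)]


def analyse(packets=None):
    return pair_responses(packets if packets is not None else sample_capture(), SECRET)


if __name__ == "__main__":
    pairs, unmatched = analyse()
    for req, resp, ok in pairs:
        print(f"id={req['id']} paired, code={resp['code']}, authenticator_ok={ok}, attrs={dict(resp['attrs'])}")
    for resp in unmatched:
        print(f"id={resp['id']} response matches no outstanding request (would be dropped)")
```

When running this against a real capture, the same three-way split is the first thing to check: a response that pairs and verifies but carries the wrong Class value points at NPS policy evaluation, a paired response that fails the authenticator check points at a shared-secret mismatch, and an unpaired response (Identifier or addresses do not match any open request) explains the "request and response both visible but no pairing" symptom described above.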
09-28-2010 12:02 PM
This issue was with the Windows 2008 server. After the latest patches, the issue is now gone. It was the previous patch that had started it. This has happened twice this year. I'm not sure which patches broke it and which ones fixed it.
11-30-2014 12:46 PM
Someone just voted as having the same issue. If memory serves, this issue had to do with a patch that updated trusted CAs. This list was so long that it was truncated on the server. We had to remove unused CA certs to fix the issue. To the person that voted, can you let me know if this is your issue?
12-05-2014 04:32 AM
Hi @Mark, it was me.
So, in fact I thought it could be the same problem. We have not solved it yet, but it appears to be some application issue.
I'll keep this post updated when we finally solve the question.
Thanks