10-16-2013 02:03 AM
Hi
I wonder if anyone can help
I have an ASA5505 set up to provide an encrypted tunnel across our internal LAN. The outside address is on our internal LAN. When I try to connect to it using RADIUS authentication it fails. I can ping the RADIUS server from the ASA using the ping tool in the ASDM.
I am sure it is some sort of access rule but cannot figure it out.
ASA (outside interface 10.25.200.30) connects to switch 10.25.200.1; the RADIUS server is 10.40.6.75.
As I said, I can ping, but when I do the RADIUS test it just times out.
I have run debug and get the following. (IP addresses are not the actual ones but have been changed to allow comparison.)
ASA5505-GrimCentralLib-01# debug aaa authentication
debug aaa authentication enabled at level 1
ASA5505-GrimCentralLib-01# debug radius all
ASA5505-GrimCentralLib-01# term mon
ASA5505-GrimCentralLib-01# radius mkreq: 0x80000009
alloc_rip 0xca135518
new request 0x80000009 --> 48 (0xca135518)
got user 'brokes'
got password
add_req 0xca135518 session 0x80000009 id 48
RADIUS_REQUEST
radius.c: rad_mkpkt
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 64).....
01 30 00 40 1b b8 91 f6 f7 64 cd 82 93 d0 c9 ce | .0.@.....d......
ef fc 85 da 01 08 62 72 6f 6b 65 73 02 12 c9 df | ......brokes....
f6 15 93 9a c0 17 ff 71 4f 11 40 90 8a 0e 04 06 | .......qO.@.....
00 00 00 00 05 06 00 00 00 22 3d 06 00 00 00 05 | ........."=.....
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 48 (0x30)
Radius: Length = 64 (0x0040)
Radius: Vector: 1BB891F6F764CD8293D0C9CEEFFC85DA
Radius: Type = 1 (0x01) User-Name
Radius: Length = 8 (0x08)
Radius: Value (String) =
62 72 6f 6b 65 73 | brokes
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
c9 df f6 15 93 9a c0 17 ff 71 4f 11 40 90 8a 0e | .........qO.@...
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 0.0.0.0 (0x00000000)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x22
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 10.40.6.75/1645
RADIUS_SENT:server response timeout
RADIUS_DELETE
remove_req 0xca135518 session 0x80000009 id 48
free_rip 0xca135518
radius: send queue empty
Any help would be appreciated.
Steve Brokenshire
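The raw hex dump in the debug output above can be decoded by hand to confirm exactly what the ASA put on the wire. The following is an added example, not code from the original post or from Cisco: it parses that 64-byte Access-Request with Python's standard library (RFC 2865 header and attribute layout assumed) and reproduces the "Parsed packet data" section of the debug.

```python
import struct
from ipaddress import IPv4Address

# The 64 raw bytes copied from the "Raw packet data" lines of the debug output above.
RAW_HEX = """
01 30 00 40 1b b8 91 f6 f7 64 cd 82 93 d0 c9 ce
ef fc 85 da 01 08 62 72 6f 6b 65 73 02 12 c9 df
f6 15 93 9a c0 17 ff 71 4f 11 40 90 8a 0e 04 06
00 00 00 00 05 06 00 00 00 22 3d 06 00 00 00 05
"""

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 61: "NAS-Port-Type"}


def parse_radius(pkt: bytes) -> dict:
    """Decode the RFC 2865 header (code, id, length, authenticator) and the TLV attribute list."""
    if len(pkt) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"Length field {length} does not match {len(pkt)} bytes received")
    authenticator = pkt[4:20]          # Request Authenticator: 16 random bytes chosen by the NAS
    attrs, off = [], 20
    while off < length:
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {off}")
        val = pkt[off + 2:off + alen]
        if atype == 1:
            decoded = val.decode("utf-8", "replace")
        elif atype == 4:
            decoded = str(IPv4Address(val))
        elif atype in (5, 61):
            decoded = struct.unpack("!I", val)[0]
        else:
            # User-Password is left opaque: it is MD5-obfuscated with the shared secret,
            # so the bytes on the wire are not the plaintext password.
            decoded = val.hex()
        attrs.append((ATTR_NAMES.get(atype, f"Attr-{atype}"), decoded))
        off += alen
    return {"code": CODES.get(code, code), "id": ident, "length": length,
            "authenticator": authenticator.hex().upper(), "attrs": attrs}


def parse_hex_dump(text: str) -> dict:
    """Accept the space-separated hex exactly as the ASA prints it."""
    return parse_radius(bytes.fromhex("".join(text.split())))


if __name__ == "__main__":
    for key, value in parse_hex_dump(RAW_HEX).items():
        print(key, value)
```

The decoded NAS-IP-Address is 0.0.0.0, so the server cannot use that attribute to identify the client; it matches its client entry and shared secret against the source address of the UDP datagram, which is why the replies below focus on the ASA's outside interface address and on the port (1645 vs 1812) the server is listening on.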
10-16-2013 12:05 PM
Are you using the correct interface for RADIUS?
aaa-server RAD protocol radius
aaa-server RAD (outside) host 10.40.6.75 Cisco1234
route outside 10.40.6.75 255.255.255.255 next_hop_ip...
On the server, you need to configure the outside IP address of the ASA with the key...
Patrick
10-17-2013 12:16 AM
Yes, I have that all set up, and I can ping the RADIUS server from the ASA, so routing is working.
The RADIUS logs do not show any failed attempts at authentication, and I have set up the device as a client with the correct shared key.
10-17-2013 03:09 AM
Have you tried pinging the RADIUS server with outside as the source interface?
ping outside 10.40.6.75
Is that working? Do we have any other devices that might be blocking RADIUS communication between the ASA and the RADIUS server?
~BR
Jatin Katyal
**Do rate helpful posts**
10-17-2013 03:28 AM
When I log onto the ASA using a local username and password and run the ASDM, if I use the ping option in Tools I can ping the RADIUS server with no problem.
10-17-2013 03:34 AM
Can you try from the CLI in this format please:
ping outside 10.40.6.75
Do attach the following outputs:
sh run aaa-server
show run tunnel-group
~BR
Jatin Katyal
**Do rate helpful posts**
10-17-2013 05:06 AM
I have done that; it pings successfully.
10-17-2013 05:10 AM
Thanks for performing that. Now I am wondering whether the traffic is even reaching the RADIUS server on the RADIUS authentication port, UDP 1645 or 1812. What kind of RADIUS server are you using? Can we run a packet capture on the RADIUS server, or on the switch interface where the RADIUS server is connected?
~BR
Jatin Katyal
**Do rate helpful posts**
10-17-2013 05:35 AM
It is Juniper (Funk) Steel-Belted Radius.
I will try to set up a packet capture, but it might take some time.
Thanks for your help so far anyway.
10-20-2013 01:12 PM
Yeah, that would be the right step if you are up for troubleshooting it further. You can also try reloading the RADIUS server to eliminate any problem with the RADIUS server or its services.
~BR
Jatin Katyal
**Do rate helpful posts**
10-16-2013 06:24 PM
What does the RADIUS server say? Does it receive the request? If the client is not in the RADIUS server's list or if the shared key is wrong, it will not reply.
10-17-2013 06:58 AM
Is there another firewall between the RADIUS server and the ASA? If so, is it configured to allow the RADIUS traffic through? I know it allows pings, but does it allow RADIUS?
Also, I see the RADIUS packets are being sent to port 1645. Is the RADIUS server configured to use that port as well, or does it only use the new RFC port of 1812? I assume that it does, but check anyway.
If you look at the logs on the ASA and filter for 10.40.6.75 does it tell you anything?
Sachin