Re: VPN radius authentication proxied through IAS to RSA Server

rswitzer · ‎11-04-2008

Hi,

I need to proxy ASA VPN authentication requests via Radius through an IAS Radius Server to and RSA Radius Server. I thought I had it all setup properly - the "TEST" button in ASDM authenticates successfully to the IAS Server with an account proxied to the RSA Radius Server. However, authentication requests from the AnyConnect SSL VPN client fail to authenticate. Even from the same account as used prior via the ASDM "Test" button for authentication servers.

I know the request is actually reaching the RSA Server as it shows in the logs as a failed auth request.

Why would the ASDM auth Test be successful and the AnyConnect auth attempt fail - aren't they the same process? I'm stumped!!

I'm stumped! =P

drolemc · ‎11-10-2008

let's try taking out authentication..

If this works then we have several options.

1. The key between the pix and the radius is wrong

2. Missconfiguration on the radius server, maybe the user and password is different from what the vpn client is sending.

3. That radius server could be working in non standard ports and pix and this server won't be able to comunicate Configurable RADIUS Ports (5.3 and Later)

Some RADIUS servers use RADIUS ports other than 1645/1646 (usually 1812/1813). In PIX 5.3 and later, the RADIUS authentication and accounting ports can be changed to other than the default 1645/1646 with the following commands:

aaa-server radius-authport #

aaa-server radius-acctport # .

rswitzer · ‎11-10-2008

The issue is with the authentication method on the RSA Radius Server. If password-management is enabled on the tunnel policy in the ASA, this forces all authentication to use MSChapV2, the RSA Radius Server does not appear to support MSChap, so auth fails. Turning off password-management allows this to work, but inderictly. The best solution woudl be to be able to use MSCHAPV2 on the RSA Radius Server.