SSG Problem

stephan.ochs
Level 1

Hi

I'm trying to set up a 2811 with SSG as radius proxy.

I followed the instructions from http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hssg_c/ssg_rpxh.htm

but can't get it running.

I always get an error like "received unsolicited RADIUS packet".

Can anyone explain why?

Thanks

Stephan

3 Replies

wdrootz
Level 4

Before you configure SSG, you have to verify the following:

SSD, SSG, and Authentication, Authorization, and Accounting (AAA) are all running, and all network entities can ping one another.

The remote user can ping any host in the default network (SSG, SSD, AAA) before logging on to the SSD server.

The remote client cannot ping the remote service destination network.

After all the SSG commands are configured, you must verify that the next hop table for the user's services has been successfully downloaded. Issue the show ssg binding command.

show ssg binding

show ssg next-hop

show ssg direction

ranilgamage
Level 1

Hi Stephan,

Were you able to get any updates on this?

I'm also in need of some information about the SSG functionality on a c2811 with c2800nm-adventerprisek9-mz.124-3f.bin.

Thanks,

Ranil

Hi Ranil

Yes, meanwhile it works. I found it out myself. The main problem is that I configured too much.

RADIUS proxy is a very small configuration. If you configure one SSG option too many, it doesn't work any more.

The second problem I ran into was that I tried to work with "aaa group server" for the RADIUS servers. SSG RADIUS proxy can't work with it. I don't know why, but you have to configure them as global RADIUS proxies on the router.

Here are my configuration snippets:

=============================
=== global configurations ===
=============================
aaa new-model
ip cef
ssg enable
ip radius source-interface FastEthernet0/1
radius-server host 172.20.10.10 auth-port 1812 acct-port 1813 key xyz

=============================
=== radius clients that send requests to the SSG, one "client-address..." entry for each ===
=============================
ssg radius-proxy
server-port auth 1812 acct 1813
client-address 10.10.10.10
key abcdefg
session-identifier username
no host-route insert
!
client-address 10.10.10.11
key abcdefg
session-identifier username
no host-route insert
!
client-address 10.10.10.12
key abcdefg
session-identifier username
no host-route insert
.
.
.

=============================
=== interface configuration(s) ===
=============================
interface FastEthernet0/0
no ip address
shutdown
duplex full
speed 100
!
interface FastEthernet0/1
description *** Radius-Proxy ***
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
duplex full
speed 100
ssg direction downlink

Greetings

Stephan
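The points raised in this thread can be checked mechanically against a saved running-config. The following is an added example, not part of the original posts or of any Cisco tool: the names `lint_ssg_proxy` and `BAD_CONFIG` and the group name `PROXY` are hypothetical, the sample config is constructed, and the shared-secret check is an extra hardening check that the thread does not mention.

```python
import re
from collections import Counter

# Constructed config modelled on the post's snippets, with two deliberate
# mistakes: servers only in an AAA group, and one proxy client without a key.
BAD_CONFIG = """\
aaa new-model
aaa group server radius PROXY
 server 172.20.10.10 auth-port 1812 acct-port 1813
ssg enable
ssg radius-proxy
 server-port auth 1812 acct 1813
 client-address 10.10.10.10
  key abcdefg
 client-address 10.10.10.11
  key abcdefg
 client-address 10.10.10.12
"""

def lint_ssg_proxy(config):
    """Return findings for the SSG RADIUS proxy points raised in the thread."""
    lines = [s.strip() for s in config.splitlines() if s.strip() not in ("", "!")]
    findings = []
    for required in ("aaa new-model", "ssg enable", "ssg radius-proxy"):
        if required not in lines:
            findings.append(f"missing: {required}")
    if not any(s.startswith("radius-server host ") for s in lines):
        findings.append("no global 'radius-server host' entry")
    if any(s.startswith("aaa group server radius") for s in lines):
        findings.append("'aaa group server radius' present; the post reports "
                        "that the proxy does not work with it")
    clients, current = {}, None
    for s in lines:
        m = re.fullmatch(r"client-address (\S+)", s)
        if m:                                   # start of a proxy client entry
            current = m.group(1)
            clients[current] = None
        elif current and s.startswith("key "):  # secret for the current client
            clients[current] = s.split(None, 1)[1]
        elif s.startswith(("interface ", "radius-server ", "aaa ")):
            current = None                      # left the proxy client entries
    for addr, key in clients.items():
        if key is None:
            findings.append(f"client {addr} has no key")
    # Added hardening check, not from the post: one secret reused across clients.
    for key, n in Counter(k for k in clients.values() if k).items():
        if n > 1:
            findings.append(f"one shared secret is reused by {n} clients")
    return findings
```

Pass the text of a saved `show running-config` to `lint_ssg_proxy()`; findings never include the key value itself.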