ASA 5510, RADIUS Authentication routing problem

Nov 26th, 2007

Hi,


I have an ASA 5510 that I'm trying to configure RADIUS authentication for remote access users.


The RADIUS server is accessible over a lan2lan VPN on the outside interface. The IPSec tunnel protects data between the inside LAN and the remote RADIUS server host, and this has been tested OK from behind the ASA device, so I'm happy the tunnel is working and the RADIUS server is responding to authentication requests.


The problem I have is when I test AAA authentication from the ASA device itself. In the AAA server config the RADIUS server is configured on the inside interface (192.168.32.57), but when I run the basic test, either from the command line or from within ASDM, I always get the same error in the logs:


"No route to RSAServer(10.97.24.24) from 192.168.32.57"


I have attached a cut-down config that I have been testing with to demonstrate the problem. I sense this must be a really basic problem, but I've tried many things, including putting in a static route for the RSAServer, to no effect.


Any help would be greatly appreciated. Many thanks for your time.


Simon



simonmoss Tue, 11/27/2007 - 04:24

I have found a fix for the above. All that is required is the following command:


management-access inside


which seems to allow VPN traffic to hit the designated interface.



Linxin qian Tue, 11/27/2007 - 13:38

I have similar issue.

Even with management-access inside configured, if I assign the authentication server to outside, it still uses the outside IP address for authentication. I wonder whether there is a command like the Cisco router's "ip tacacs source-interface inside".


Please clarify. Thanks

simonmoss Wed, 11/28/2007 - 02:46

When configuring the aaa-server, try the following:


aaa-server (inside) host


which allows you to specify the source interface.
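
Putting the two replies in this thread together (management-access inside, and naming the inside interface on the aaa-server host line), here is an added example of what the relevant parts of an ASA configuration look like. It is not the cut-down config attached to the original post. The RADIUS host 10.97.24.24 and the inside address 192.168.32.57 are taken from the thread; the interface name, the /24 mask, the peer address 203.0.113.10, the server tag RSA, the ACL, crypto map and transform-set names, the tunnel-group names and both shared secrets are assumptions made for illustration.

```cisco
! Added example configuration, not the original poster's config.
! From the thread: inside interface 192.168.32.57, RADIUS host 10.97.24.24.
! Everything else (names, mask, peer 203.0.113.10, secrets) is assumed.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.32.57 255.255.255.0
!
! Crypto ACL for the lan2lan tunnel. The ASA's own inside address lies
! within 192.168.32.0/24, so a RADIUS request sourced from "inside" matches
! this ACL and is carried through the tunnel instead of following the
! routing table towards 10.97.24.24 in the clear.
access-list L2L_TO_RADIUS extended permit ip 192.168.32.0 255.255.255.0 host 10.97.24.24
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_TO_RADIUS
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key L2LPreSharedSecret
!
! The "(inside)" on the host line makes the ASA source RADIUS traffic from
! the inside interface rather than from the interface the route points at.
aaa-server RSA protocol radius
aaa-server RSA (inside) host 10.97.24.24
 key RadiusSharedSecret
!
! Lets traffic that originates on the ASA itself use the inside interface
! address when it goes out through a VPN tunnel. Only one interface can be
! named with this command.
management-access inside
!
! Remote access users are then authenticated against the RSA server group.
tunnel-group RemoteAccessUsers type remote-access
tunnel-group RemoteAccessUsers general-attributes
 authentication-server-group RSA
```

To verify, run test aaa-server authentication RSA host 10.97.24.24 username <user> password <password> from the CLI and watch the encaps/decaps counters in show crypto ipsec sa increment for the 10.97.24.24 SA. If the "No route to ... from 192.168.32.57" message still appears, the usual cause is that the inside interface address is not covered by the local network in the crypto ACL, in which case the request never qualifies for the tunnel.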

Linxin qian Wed, 11/28/2007 - 07:36

Thanks for update!


As long as it is configured for inside, the ASA will use the inside IP for the authentication request; it will send the authentication request to the inside subnet. Now we are back to the original post: the route fails, since the authentication server, whether it is TACACS or RADIUS, is actually outside. Then the packet is dropped.


That is what I got so far.
