ASA Radius server

John Blakley
VIP Alumni

All,

I have an ASA at a DR site that I would like to have authenticate our telnet sessions via RADIUS. The problem is that the RADIUS server is at 10.10.10.52 and it would be reached out of the management interface. If I change the RADIUS server configuration to point to the management interface instead of the inside interface, this works fine. I would LIKE to be able to have the same IP address on both the management and inside interfaces because if our main site goes down, then this ASA serves our VPN connections and authenticates to the same RADIUS server. If the RADIUS server is set to the management interface and the link between the DR and corporate goes down, then no one can authenticate if the corporate site were to go down. (We noticed this from a DR test over the weekend.)

My first thought was to create another RADIUS server pointing to the same address on a different interface and change my aaa lines to reflect which RADIUS server it should use, but because the same inside IP is used on this ASA as at our corporate site, this wouldn't work. The management IP address is 10.20.20.1 and the inside IP address is 10.10.10.67. Is there a way to work around this? I don't think statics will work since 10.10.10.0/24 is connected.

Thanks,

John

HTH, John *** Please rate all useful posts ***
2 Replies

Yudong Wu
Level 7

I'm not clear on your question, but here is the behavior I got on ASA version 8.0.

1. You can use "aaa-server (intf-name) host" command to point to the same aaa-server IP with different interface name.

2. The interface in the above command must be the same interface from routing point of view to reach AAA server. If not, the packet won't be sent to AAA server.

3. The source IP of the AAA packet will be the IP of the outgoing interface of the ASA. Therefore, if the ASA uses a different interface to reach the AAA server in different situations, the AAA server will see a different source IP. In this case, you must add both IPs as AAA clients on the AAA server.

HTH.

For anyone else encountering the ASA "source-interface" question for RADIUS, read again the previous post at no. 2:

2. The interface in the above command must be the same interface from routing point of view to reach AAA server. If not, the packet won't be sent to AAA server.

Long story short, you cannot PICK the source interface for RADIUS connections on the ASA: every time it is just the outgoing interface (the routing table decides).
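The configuration the two replies describe, written out as an added example (not taken from either post; the server-group names RADIUS-INSIDE and RADIUS-MGMT, the shared key placeholder and the test username are assumptions). It defines the same RADIUS host 10.10.10.52 once per interface, uses the inside group for Telnet/SSH login with LOCAL as fallback, and shows how to check which interface the ASA will actually use and whether the server answers:

```cisco
! Added example, not from the original thread. Interface names "inside" and
! "management" and the addresses 10.10.10.52 / 10.10.10.67 / 10.20.20.1 are
! the ones given in the question; group names and key are assumed.

! One server group per interface that may be used to reach the RADIUS server.
aaa-server RADIUS-INSIDE protocol radius
aaa-server RADIUS-INSIDE (inside) host 10.10.10.52
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
 timeout 5

aaa-server RADIUS-MGMT protocol radius
aaa-server RADIUS-MGMT (management) host 10.10.10.52
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
 timeout 5

! Management-plane login: try RADIUS, fall back to the local database so an
! unreachable RADIUS server cannot lock you out of the box.
aaa authentication telnet console RADIUS-INSIDE LOCAL
aaa authentication ssh console RADIUS-INSIDE LOCAL

! Which interface does the routing table pick for 10.10.10.52? Per reply no. 2,
! the ASA only sends RADIUS requests for a server entry whose interface matches
! this egress interface; a mismatched entry is silently never used.
show route | include 10.10.10

! Exercise the server through a given group before relying on it for login.
test aaa-server authentication RADIUS-INSIDE host 10.10.10.52 username testuser password testpass
test aaa-server authentication RADIUS-MGMT host 10.10.10.52 username testuser password testpass

! Watch the request/response (including the source address the server sees).
debug radius
```

Because the source address is always that of the egress interface, the RADIUS server must have both 10.10.10.67 (inside) and 10.20.20.1 (management) registered as NAS clients with the same shared secret; otherwise the request from whichever interface is active at the time is dropped as coming from an unknown client. Remove `debug radius` with `no debug radius` when done.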
