authenticating to a vpn over a public interface

Unanswered Question
Jun 10th, 2010

I have a fully functional radius server that we use for authenticating with our wireless networks.  That all works properly, so there are no issues with the server.


However, now that I am trying to set up our ASA 5510 to authenticate with the server, I keep getting the following error:


ciscoasa# test aaa-server authentication IGBRADIUS host XXX.YYY.ZZZ.QQQ username XXXX password XXXX
INFO: Attempting Authentication test to IP address <XXX.YYY.ZZZ.QQQ> (timeout: 10 seconds)
ERROR: Authentication Server not responding: No error


The only curveball that I can see that I might be throwing on this is that the server will be on the public side of the VPN instead of the private as is shown in most of the howtos.


interface Ethernet0/0
 nameif igbpublic
 security-level 0
 ip address interface_IP 255.255.252.0
!
interface Ethernet0/1
 nameif igbprivate
 security-level 50
 ip address interface_IP 255.255.255.0
!


aaa-server IGBRADIUS (igbpublic) host 128.174.124.54
 timeout 5
 key igbvpnkey


Do you have to have the radius server on the internal network, or can you get away with having it on a public interface?  Outside of the NAT interface, the only access list that I have is:


access-list 101 extended permit ip private-ip-start 255.255.255.0 vpn-pool-start 255.255.255.0



thanks,


Dan

Federico Coto F... Thu, 06/10/2010 - 14:30

Hi Daniel,


You should be able to authenticate against an "outside" RADIUS.


There are some debugs that can help see what's going on:

i.e.


debug aaa authentication

debug radius all


Federico.

Daniel Davidson Thu, 06/10/2010 - 14:55

Thanks for the info. Turns out Cisco is using 1645/6 as the RADIUS port, and I need to set it to be 1812/1813.


Anyone know where to do that?


Dan

Federico Coto F... Thu, 06/10/2010 - 14:59

Yes,


Under the aaa-server IGBRADIUS (igbpublic) host 128.174.124.54 you specify the ports.


Federico.
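
As an added illustration of where those ports go (this is not Dan's or Federico's configuration; the server group name, interface name, host address and key are the ones quoted in the thread, while the tunnel-group name and the test username are placeholders):

```cisco
! Define the RADIUS server group and the host reached through the outside interface.
! Without explicit port commands the ASA uses the legacy defaults 1645/1646,
! which this thread shows a 1812/1813 server silently ignoring.
aaa-server IGBRADIUS protocol radius
aaa-server IGBRADIUS (igbpublic) host 128.174.124.54
 key igbvpnkey
 timeout 5
 authentication-port 1812
 accounting-port 1813
!
! Placeholder tunnel-group: point the remote-access VPN at that server group.
tunnel-group EXAMPLE-VPN general-attributes
 authentication-server-group IGBRADIUS
!
! Verify from the CLI (run with a test account, not a real user's password),
! with the debugs Federico mentioned enabled beforehand if the test still fails:
! debug aaa authentication
! debug radius all
! test aaa-server authentication IGBRADIUS host 128.174.124.54 username testuser password <placeholder>
```

Traffic the ASA originates itself (such as these RADIUS requests) is not filtered by the interface access lists, so the access-list 101 shown in the question is not what blocks the exchange; the port mismatch is.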

Daniel Davidson Mon, 06/14/2010 - 12:04

Thank you for everyone's help to this point.  The vpn is contacting the radius server now, but it seems that the username/password fields are different than what the server is expecting, causing all authentication attempts to fail.


On our wireless, a standard radius authentication gives a line like:


Mon Jun 14 13:55:49 2010 : Auth: Login OK: [usera/] (from client 1e port 16650 cli 0024.367b.f707)


That part with no user-password attribute is exactly as it appears in the logs; only the username is changed there.


Whereas when the VPN tries to contact the RADIUS server, I get the following:


Mon Jun 14 13:55:42 2010 : Auth: Login incorrect: [username/password] (from client igbvpn port 20)


where the username and password are the actual username and password.  Any suggestions?


Dan

Daniel Davidson Tue, 06/15/2010 - 08:14

Now that I do some more digging, it seems like the ASA is not asking the RADIUS server to perform authentication via EAP. Is there a setting that does this?


Dan

Daniel Davidson Thu, 06/17/2010 - 08:10

As it turns out, my RADIUS machine, freeradius-1.1.5-1, has a problem with Cisco authentication via MSCHAP. I put a newer version of RADIUS on another server and authentication works fine now.


Dan
