authenticating to a vpn over a public interface

Jun 10th, 2010

I have a fully functional radius server that we use for authenticating with our wireless networks.  That all works properly, so there are no issues with the server.

However, now that I am trying to set up our ASA 5510 to authenticate with the server, I keep getting the following error:

ciscoasa# test aaa-server authentication IGBRADIUS host XXX.YYY.ZZZ.QQQ username XXXX password XXXX
INFO: Attempting Authentication test to IP address <XXX.YYY.ZZZ.QQQ> (timeout: 10 seconds)
ERROR: Authentication Server not responding: No error

The only curveball that I can see that I might be throwing on this is that the server will be on the public side of the VPN instead of the private as is shown in most of the howtos.

interface Ethernet0/0
 nameif igbpublic
 security-level 0
 ip address interface_IP
interface Ethernet0/1
 nameif igbprivate
 security-level 50
 ip address interface_IP

aaa-server IGBRADIUS (igbpublic) host
 timeout 5
 key igbvpnkey

Do you have to have the radius server on the internal network, or can you get away with having it on a public interface?  Outside of the NAT interface, the only access list that I have is:

access-list 101 extended permit ip private-ip-start vpn-pool-start



Federico Coto F... Thu, 06/10/2010 - 14:30

Hi Daniel,

You should be able to authenticate against an "outside" RADIUS.

There are some debugs that can help see what's going on:

debug aaa authentication
debug radius all

Daniel Davidson Thu, 06/10/2010 - 14:55

Thanks for the info. Turns out Cisco is using 1645/6 as the RADIUS port, and I need to set it to 1812/1813.

Anyone know where to do that?


Federico Coto F... Thu, 06/10/2010 - 14:59


Under the aaa-server IGBRADIUS (igbpublic) host you specify the ports.

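An added example, not from this thread, to make the port mismatch concrete. On the ASA the fix goes under the host entry (`aaa-server IGBRADIUS (igbpublic) host <server-ip>`, then `authentication-port 1812` and `accounting-port 1813`, since the ASA defaults to 1645/1646). The Python below is a stripped-down RFC 2865 client and server talking over loopback: the client sends an Access-Request with a PAP User-Password (XORed with MD5 of the shared secret and request authenticator) and checks the Response Authenticator on the reply; a request sent to a port nobody answers on times out the way `test aaa-server` did in the first post, while the same request to the listening port gets an Accept or Reject. The loopback addresses, ephemeral ports, the `usera`/`s3cret` account and the `igbvpnkey` secret are all constructed for the demo. It uses PAP, so it does not model the MS-CHAP problem that turned up later in the thread.

```python
# Added example, not from the original thread: a minimal RFC 2865 RADIUS client and server
# on loopback, showing why a port mismatch looks like "Authentication Server not responding".
import hashlib
import os
import socket
import struct
import threading

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
USERS = {b"usera": b"s3cret"}  # constructed test account for the toy server

def encrypt_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def decrypt_password(blob, secret, authenticator):
    """Inverse of encrypt_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, username, password, secret):
    """Access-Request with User-Name and a PAP User-Password; returns (packet, request authenticator)."""
    authenticator = os.urandom(16)
    enc = encrypt_password(password, secret, authenticator)
    attrs = (bytes([ATTR_USER_NAME, 2 + len(username)]) + username
             + bytes([ATTR_USER_PASSWORD, 2 + len(enc)]) + enc)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def parse_attributes(data):
    """Type/Length/Value list -> {type: value}; stops at the first malformed length."""
    attrs, i = {}, 0
    while i + 2 <= len(data) and data[i + 1] >= 2:
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def build_response(code, ident, request_auth, secret):
    """Accept/Reject with no attributes; Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()

def verify_response(packet, request_auth, secret):
    """False for a wrong secret, a truncated packet or a reply forged by a third party."""
    return packet[4:20] == hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()

def serve(sock, secret, count):
    """Toy RADIUS server: answer `count` Access-Requests by checking the decrypted User-Password."""
    for _ in range(count):
        data, peer = sock.recvfrom(4096)
        code, ident, length = struct.unpack("!BBH", data[:4])
        request_auth = data[4:20]
        attrs = parse_attributes(data[20:length])
        password = decrypt_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
        ok = code == ACCESS_REQUEST and USERS.get(attrs.get(ATTR_USER_NAME)) == password
        sock.sendto(build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret), peer)

def try_auth(host, port, username, password, secret, timeout=1.0):
    """Client side of `test aaa-server`: 'accept', 'reject', 'bad-response' or 'no-response'."""
    packet, request_auth = build_access_request(7, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except OSError:  # timeout: the port we sent to is not where the server listens
            return "no-response"
    if not verify_response(reply, request_auth, secret) or reply[1] != packet[1]:
        return "bad-response"
    return "accept" if reply[0] == ACCESS_ACCEPT else "reject"

def demo():
    """The thread's symptom on loopback: the port the server answers on versus one it does not."""
    secret = b"igbvpnkey"  # constructed shared secret, same string as the thread's config
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))  # plays the RADIUS server listening on 1812
    dead = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    dead.bind(("127.0.0.1", 0))  # plays 1645: bound so the port number is ours, but never answered
    threading.Thread(target=serve, args=(server, secret, 2), daemon=True).start()
    good, wrong = server.getsockname()[1], dead.getsockname()[1]
    results = {"wrong_port": try_auth("127.0.0.1", wrong, b"usera", b"s3cret", secret),
               "right_port_good_pw": try_auth("127.0.0.1", good, b"usera", b"s3cret", secret),
               "right_port_bad_pw": try_auth("127.0.0.1", good, b"usera", b"wrong", secret)}
    server.close()
    dead.close()
    return results
```

Calling `demo()` returns `no-response` for the unanswered port and `accept`/`reject` for the listening one. The first case is what the ASA reports as "Authentication Server not responding": the request leaves, nothing comes back, and `debug radius` on the ASA shows only the outbound side of the exchange.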

Daniel Davidson Mon, 06/14/2010 - 12:04

Thank you for everyone's help to this point. The VPN is contacting the RADIUS server now, but it seems that the username/password fields are different from what the server is expecting, causing all authentication attempts to fail.

On our wireless, a standard radius authentication gives a line like:

Mon Jun 14 13:55:49 2010 : Auth: Login OK: [usera/] (from client 1e port 16650 cli 0024.367b.f707)

That part with no user-password attribute is exactly as it appears in the logs; only the username has been changed.

Whereas when the VPN tries to contact the RADIUS server, I get the following:

Mon Jun 14 13:55:42 2010 : Auth: Login incorrect: [username/password] (from client igbvpn port 20)

where the username and password are the actual username and password.  Any suggestions?


Daniel Davidson Tue, 06/15/2010 - 08:14

Now that I do some more digging, it seems like the ASA is not asking the RADIUS server to perform authentication via EAP. Is there a setting that does this?


Daniel Davidson Thu, 06/17/2010 - 08:10

As it turns out, my RADIUS machine, freeradius-1.1.5-1, has a problem with Cisco authentication via MS-CHAP. I put a newer version of RADIUS on another server and authentication works fine now.
