06-10-2010 02:25 PM
I have a fully functional radius server that we use for authenticating with our wireless networks. That all works properly, so there are no issues with the server.
However, now that I am trying to set up our ASA 5510 to authenticate with the server, I keep getting the following error:
ciscoasa# test aaa-server authentication IGBRADIUS host XXX.YYY.ZZZ.QQQ username XXXX password XXXX
INFO: Attempting Authentication test to IP address <XXX.YYY.ZZZ.QQQ> (timeout: 10 seconds)
ERROR: Authentication Server not responding: No error
The only curveball that I can see I might be throwing on this is that the server will be on the public side of the VPN instead of the private side, as is shown in most of the how-tos.
interface Ethernet0/0
nameif igbpublic
security-level 0
ip address interface_IP 255.255.252.0
!
interface Ethernet0/1
nameif igbprivate
security-level 50
ip address interface_IP 255.255.255.0
!
aaa-server IGBRADIUS (igbpublic) host 128.174.124.54
timeout 5
key igbvpnkey
Do you have to have the RADIUS server on the internal network, or can you get away with having it on a public interface? Outside of the NAT interface, the only access list that I have is:
access-list 101 extended permit ip private-ip-start 255.255.255.0 vpn-pool-start 255.255.255.0
thanks,
Dan
06-10-2010 02:30 PM
Hi Daniel,
You should be able to authenticate against an "outside" RADIUS.
There are some debugs that can help see what's going on, i.e.:
debug aaa authentication
debug radius all
Federico.
06-10-2010 02:55 PM
Thanks for the info. Turns out Cisco is using 1645/6 as the RADIUS port, and I need to set it to 1812/1813.
Anyone know where to do that?
Dan
06-10-2010 02:59 PM
Yes,
Under the "aaa-server IGBRADIUS (igbpublic) host 128.174.124.54" line, you specify the ports.
Federico.
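As an added illustration of the answer above (this is not code from the thread or from Cisco), the two ASA commands in question are "authentication-port" and "accounting-port" under the aaa-server host entry; when they are absent the ASA uses its legacy defaults of UDP 1645/1646, while FreeRADIUS listens on the IANA ports 1812/1813. The stanzas below are constructed from the poster's configuration, and the small checker parses them the way an auditor would check a running-config for this mismatch:

```python
import re

# Constructed sample stanzas (not the poster's exact running-config).  The
# first has no port lines, so the ASA falls back to its legacy defaults of
# 1645/1646; the second adds the two commands that move it to the IANA
# RADIUS ports 1812/1813 that FreeRADIUS listens on by default.
STANZA_DEFAULT_PORTS = """\
aaa-server IGBRADIUS protocol radius
aaa-server IGBRADIUS (igbpublic) host 128.174.124.54
 timeout 5
 key igbvpnkey
"""

STANZA_IANA_PORTS = """\
aaa-server IGBRADIUS protocol radius
aaa-server IGBRADIUS (igbpublic) host 128.174.124.54
 timeout 5
 key igbvpnkey
 authentication-port 1812
 accounting-port 1813
"""

# Ports the ASA uses when no authentication-port/accounting-port is configured.
ASA_DEFAULT_AUTH_PORT = 1645
ASA_DEFAULT_ACCT_PORT = 1646

HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)\s*$")


def parse_aaa_hosts(config):
    """Return one dict per 'aaa-server <group> (<ifc>) host <ip>' block."""
    hosts = []
    current = None
    for line in config.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {
                "group": m.group(1),
                "interface": m.group(2),
                "host": m.group(3),
                "auth_port": ASA_DEFAULT_AUTH_PORT,
                "acct_port": ASA_DEFAULT_ACCT_PORT,
            }
            hosts.append(current)
            continue
        if not line.startswith(" "):
            current = None  # a top-level line ends the indented host block
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition(" ")
        if key == "authentication-port":
            current["auth_port"] = int(value)
        elif key == "accounting-port":
            current["acct_port"] = int(value)
    return hosts


def port_findings(hosts, server_auth_port=1812, server_acct_port=1813):
    """Describe every host whose ports differ from what the RADIUS server listens on."""
    findings = []
    for h in hosts:
        where = f"{h['group']} ({h['interface']}) host {h['host']}"
        if h["auth_port"] != server_auth_port:
            findings.append(
                f"{where}: ASA sends authentication to UDP {h['auth_port']}, "
                f"server listens on {server_auth_port}"
            )
        if h["acct_port"] != server_acct_port:
            findings.append(
                f"{where}: ASA sends accounting to UDP {h['acct_port']}, "
                f"server listens on {server_acct_port}"
            )
    return findings


if __name__ == "__main__":
    for name, stanza in (("default ports", STANZA_DEFAULT_PORTS),
                         ("IANA ports", STANZA_IANA_PORTS)):
        problems = port_findings(parse_aaa_hosts(stanza))
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  " + p)
```

The "Authentication Server not responding" message from the first post is consistent with this kind of port mismatch: the ASA's Access-Request reaches the server host but nothing is listening on 1645, so the request simply times out rather than being rejected.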
06-14-2010 12:04 PM
Thank you for everyone's help to this point. The VPN is contacting the RADIUS server now, but it seems that the username/password fields are different from what the server is expecting, causing all authentication attempts to fail.
On our wireless, a standard RADIUS authentication gives a line like:
Mon Jun 14 13:55:49 2010 : Auth: Login OK: [usera/<no User-Password attribute>]
That "no User-Password attribute" part is exactly like it appears in the logs; only the username is changed there.
Whereas when the VPN tries to contact the RADIUS server, I get the following:
Mon Jun 14 13:55:42 2010 : Auth: Login incorrect: [username/password] (from client igbvpn port 20)
where the username and password are the actual username and password. Any suggestions?
Dan
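The two log lines above differ in a way that is worth reading mechanically. In the FreeRADIUS "Auth:" format, "<no User-Password attribute>" in the credential slot means the request carried no cleartext password (EAP or CHAP), while a literal password there means the NAS used PAP and the server wrote the rejected password into its own log. The following is an added example, not code from the thread, that classifies such lines; the usernames, password and client names in the sample are constructed:

```python
import re

# Constructed sample in the FreeRADIUS 1.x "Auth:" log format quoted in the
# thread (usernames, password and client names are made up).  The first line
# is an EAP success from the wireless NAS: no User-Password attribute was in
# the request.  The second is a PAP failure from the VPN NAS: FreeRADIUS logs
# the rejected cleartext password, which is what the poster saw.
SAMPLE_LOG = """\
Mon Jun 14 13:55:49 2010 : Auth: Login OK: [wlanuser/<no User-Password attribute>] (from client igbwlan port 0)
Mon Jun 14 13:55:42 2010 : Auth: Login incorrect: [vpnuser/Wr0ng-Passw0rd] (from client igbvpn port 20)
Mon Jun 14 13:56:10 2010 : Auth: Login OK: [vpnuser/<no User-Password attribute>] (from client igbvpn port 21)
"""

AUTH_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect): "
    r"\[(?P<user>[^/\]]*)/(?P<cred>.*?)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)[^)]*\)"
)

NO_PASSWORD_MARKER = "<no User-Password attribute>"


def parse_auth_line(line):
    """Parse one Auth: line; return None for lines in another format."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    cred = m.group("cred")
    if cred == NO_PASSWORD_MARKER:
        # No User-Password in the Access-Request: EAP or CHAP was used.
        method = "eap-or-chap"
        password_logged = False
    elif cred.startswith("<") and cred.endswith(">"):
        # Some other FreeRADIUS placeholder; the method cannot be told from it.
        method = "unknown"
        password_logged = False
    else:
        # A literal credential: PAP, and the server has logged the password.
        method = "pap"
        password_logged = True
    return {
        "timestamp": m.group("ts"),
        "ok": m.group("result") == "OK",
        "user": m.group("user"),
        "client": m.group("client"),
        "port": int(m.group("port")),
        "method": method,
        "password_logged": password_logged,
    }


def summarize_by_client(log_text):
    """Per NAS client: OK/incorrect counts, methods seen, passwords written to the log."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_auth_line(line)
        if rec is None:
            continue
        s = summary.setdefault(
            rec["client"],
            {"ok": 0, "incorrect": 0, "methods": set(), "passwords_logged": 0},
        )
        s["ok" if rec["ok"] else "incorrect"] += 1
        s["methods"].add(rec["method"])
        if rec["password_logged"]:
            s["passwords_logged"] += 1
    return summary


if __name__ == "__main__":
    for client, s in summarize_by_client(SAMPLE_LOG).items():
        print(f"{client}: ok={s['ok']} incorrect={s['incorrect']} "
              f"methods={sorted(s['methods'])} passwords_logged={s['passwords_logged']}")
```

Run against a real radius.log, the "passwords_logged" count tells you how many user passwords are sitting in the log file because a NAS is sending PAP; in the thread, that is the sign that the ASA and the server had not agreed on an authentication method, which the poster resolved later by getting MS-CHAP working.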
06-15-2010 08:14 AM
Now that I do some more digging, it seems like the ASA is not asking the RADIUS server to perform authentication via EAP. Is there a setting that does this?
Dan
06-17-2010 08:10 AM
As it turns out, my RADIUS machine, freeradius-1.1.5-1, has a problem with Cisco authentication via MS-CHAP. I put a newer version of RADIUS on another server and authentication works fine now.
Dan