
Radius over Site-to-Site VPN

Unanswered Question
May 31st, 2012

Hello everybody,


I have a Site-to-Site VPN between two ASA 5540 outside interfaces.

I'm trying to configure ssh radius authentication on one of them but the Radius server is located behind the other ASA.

When I try to connect to this ASA outside interface using my radius credentials, the communication to the radius server goes in timeout.


It seems that the ASA doesn't use the crypto map to route the request to the Radius server.


Can anyone help me?


This is the radius config on the ASA:


aaa-server RADIUS protocol radius
 accounting-mode simultaneous
 max-failed-attempts 5
aaa-server RADIUS (outside) host radius01
 key *****

aaa authentication ssh console RADIUS LOCAL


Thanks,


Paolo

Jennifer Halim Thu, 05/31/2012 - 06:12
User Badges:
  • Cisco Employee,

Since you would like your radius authentication to go over the VPN tunnel, then you would need to specify the inside interface, instead of outside interface. That would source the radius request from the inside interface which I believe the subnet should be part of the crypto ACL. Otherwise, if it's not part of the crypto ACL, you can add that subnet so it goes over the vpn tunnel.


aaa-server RADIUS (inside) host radius01

Badriddin Gulyaev Tue, 06/11/2013 - 06:12

I have the same problem, and I tried to put the inside interface instead of outside, but the ASA still won't connect to RADIUS.

Jatin Katyal Tue, 06/11/2013 - 07:17
User Badges:
  • Cisco Employee,

Are you able to ping the radius server sourcing from the inside interface?

ping inside radius-ip-address

Please provide the debugs from the ASA:

debug radius
debug aaa authen

Run the test command:

test aaa authentication RADIUS host radius-server-ip
username:xxxxx
password:xxxxx


Are you seeing any hits on the radius side?


Jatin Katyal
- Do rate helpful posts -

Badriddin Gulyaev Wed, 06/12/2013 - 22:40

No, I cannot ping the IP of my RADIUS from the inside interface.

And this is the debug output while testing:


FMFB-KGT# radius mkreq: 0x17e
alloc_rip 0xd8d2bc08
    new request 0x17e --> 20 (0xd8d2bc08)
got user 'badriddin.g'
got password
add_req 0xd8d2bc08 session 0x17e id 20
RADIUS_REQUEST
radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 69).....
01 14 00 45 46 07 34 5d d2 a3 a0 59 1e ff cc 15    |  ...EF.4]...Y....
2a 1b b8 91 01 0d 62 61 64 72 69 64 64 69 6e 2e    |  *.....badriddin.
67 02 12 a4 01 06 8e ab df 27 4a 51 9e dc 16 2d    |  g........'JQ...-
24 27 e3 04 06 c0 a8 06 65 05 06 00 00 00 0b 3d    |  $'......e......=
06 00 00 00 05                                     |  .....

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 20 (0x14)
Radius: Length = 69 (0x0045)
Radius: Vector: 4607345DD2A3A0591EFFCC152A1BB891
Radius: Type = 1 (0x01) User-Name
Radius: Length = 13 (0x0D)
Radius: Value (String) =
62 61 64 72 69 64 64 69 6e 2e 67                   |  badriddin.g
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
a4 01 06 8e ab df 27 4a 51 9e dc 16 2d 24 27 e3    |  ......'JQ...-$'.
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 192.168.6.101 (0xC0A80665)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xB
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt pdcsrv/1645
RADIUS_SENT:server response timeout
RADIUS_DELETE
remove_req 0xd8d2bc08 session 0x17e id 20
free_rip 0xd8d2bc08
radius: send queue empty


How do I make it possible to ping the remote side through the crypto tunnel?
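As an added illustration of the debug output above (this is not code from the thread), the following Python parses the raw Access-Request bytes printed by debug radius the same way the ASA's decoder does, and then checks whether the NAS-IP-Address the request was sourced from falls inside one of the crypto-ACL local networks, which is the condition the earlier reply about sourcing from the inside interface describes. It assumes NAS-IP-Address carries the address of the interface named in aaa-server; the network list passed to source_in_crypto_acl is a constructed sample.

```python
import struct
from ipaddress import IPv4Address, ip_network

# Raw Access-Request bytes exactly as "debug radius" printed them in the post above.
RAW = bytes.fromhex(
    "01 14 00 45 46 07 34 5d d2 a3 a0 59 1e ff cc 15"
    "2a 1b b8 91 01 0d 62 61 64 72 69 64 64 69 6e 2e"
    "67 02 12 a4 01 06 8e ab df 27 4a 51 9e dc 16 2d"
    "24 27 e3 04 06 c0 a8 06 65 05 06 00 00 00 0b 3d"
    "06 00 00 00 05"
)
ATTR = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
        5: "NAS-Port", 61: "NAS-Port-Type"}

def parse_radius(pkt: bytes) -> dict:
    """Parse an RFC 2865 packet: 20-byte header, then type/length/value attributes."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"Length field {length} does not match {len(pkt)} bytes on the wire")
    out = {"code": code, "id": ident, "length": length,
           "authenticator": pkt[4:20].hex().upper()}   # the "Vector" line in the debug
    pos = 20
    while pos < length:
        if length - pos < 2 or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        atype, alen = pkt[pos], pkt[pos + 1]
        value = pkt[pos + 2:pos + alen]
        name = ATTR.get(atype, f"Attr-{atype}")
        if atype == 1:                              # User-Name is plain text
            out[name] = value.decode("ascii")
        elif atype == 2:                            # User-Password is hidden with MD5(secret + authenticator),
            out[name] = f"<hidden, {len(value)} bytes>"   # so it is unreadable without the shared secret
        elif atype == 4 and len(value) == 4:        # NAS-IP-Address is a 4-byte address
            out[name] = str(IPv4Address(value))
        elif atype in (5, 61) and len(value) == 4:  # NAS-Port / NAS-Port-Type are 32-bit integers
            out[name] = struct.unpack("!I", value)[0]
        else:
            out[name] = value.hex()
        pos += alen
    return out

def source_in_crypto_acl(parsed: dict, local_networks: list) -> bool:
    """True if the address the ASA sourced from is inside a crypto-ACL local network (so it gets tunnelled)."""
    src = IPv4Address(parsed["NAS-IP-Address"])
    return any(src in ip_network(n) for n in local_networks)

if __name__ == "__main__":
    print(parse_radius(RAW))
```

If the NAS-IP-Address is not covered by any crypto-ACL entry, the request leaves in the clear and times out exactly as the debug shows.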

a.crusius Mon, 07/29/2013 - 04:56

Try this:

management-access inside

This fixed the problem for me.
