cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7155
Views
10
Helpful
6
Replies

Radius over Sito-to-Site VPN

p.caforio
Level 1
Level 1

Hello everybody,

I have a Sito-to-Site VPN between two ASA 5540 outside interfaces.

I'm trying to configure ssh radius authentication on one of them but the Radius server is located behind the other ASA.

When I try to connect to this ASA outside interface using my radius credentials, the communication to the radius server goes in timeout.

It seems that the ASA doesn't use the crypto map to route the request to the Radius server.

Can anyone help me.

This is the radius config on the ASA:

aaa-server RADIUS protocol radius

accounting-mode simultaneous

max-failed-attempts 5

aaa-server RADIUS (outside) host radius01

key *****

aaa authentication ssh console RADIUS LOCAL

Thanks,

Paolo

6 Replies 6

Jennifer Halim
Cisco Employee
Cisco Employee

Since you would like your radius authentication to go over the VPN tunnel, then you would need to specify the inside interface, instead of outside interface. That would source the radius request from the inside interface which I believe the subnet should be part of the crypto ACL. Otherwise, if it's not part of the crypto ACL, you can add that subnet so it goes over the vpn tunnel.

aaa-server RADIUS (inside) host radius01

I have the same problem, and i tried to put inside interface instead outside but still asa wont to connect to RADIUS.

Are you able to ping the radius server sourcing inside interface?

ping inside radius-ip-address

Please provide the debugs from the ASA

debug radius

debug aaa authen

run the test command:

test aaa authentication RADIUS host radius-server-ip

username:xxxxx

password:xxxxx

Are you seeing any hits on the radius side?

Jatin Katyal
- Do rate helpful posts -

~Jatin

No i cannot ping from inside Interface Ip of my RADIUS

and this is the debug while testing

FMFB-KGT# radius mkreq: 0x17e

alloc_rip 0xd8d2bc08

    new request 0x17e --> 20 (0xd8d2bc08)

got user 'badriddin.g'

got password

add_req 0xd8d2bc08 session 0x17e id 20

RADIUS_REQUEST

radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------

Raw packet data (length = 69).....

01 14 00 45 46 07 34 5d d2 a3 a0 59 1e ff cc 15    |  ...EF.4]...Y....

2a 1b b8 91 01 0d 62 61 64 72 69 64 64 69 6e 2e    |  *.....badriddin.

67 02 12 a4 01 06 8e ab df 27 4a 51 9e dc 16 2d    |  g........'JQ...-

24 27 e3 04 06 c0 a8 06 65 05 06 00 00 00 0b 3d    |  $'......e......=

06 00 00 00 05                                     |  .....

Parsed packet data.....

Radius: Code = 1 (0x01)

Radius: Identifier = 20 (0x14)

Radius: Length = 69 (0x0045)

Radius: Vector: 4607345DD2A3A0591EFFCC152A1BB891

Radius: Type = 1 (0x01) User-Name

Radius: Length = 13 (0x0D)

Radius: Value (String) =

62 61 64 72 69 64 64 69 6e 2e 67                   |  badriddin.g

Radius: Type = 2 (0x02) User-Password

Radius: Length = 18 (0x12)

Radius: Value (String) =

a4 01 06 8e ab df 27 4a 51 9e dc 16 2d 24 27 e3    |  ......'JQ...-$'.

Radius: Type = 4 (0x04) NAS-IP-Address

Radius: Length = 6 (0x06)

Radius: Value (IP Address) = 192.168.6.101 (0xC0A80665)

Radius: Type = 5 (0x05) NAS-Port

Radius: Length = 6 (0x06)

Radius: Value (Hex) = 0xB

Radius: Type = 61 (0x3D) NAS-Port-Type

Radius: Length = 6 (0x06)

Radius: Value (Hex) = 0x5

send pkt pdcsrv/1645

RADIUS_SENT:server response timeout

RADIUS_DELETE

remove_req 0xd8d2bc08 session 0x17e id 20

free_rip 0xd8d2bc08

radius: send queue empty

How to make it accessible to ping the remote side through crypto tunel?

Try this:

management-access inside

This fixed the problem for me.

Super Bright Pictures for Big Thank You

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: