DMZ won't pass RADIUS traffic to inside

Unanswered Question
Nov 29th, 2005

I just set up a Cisco 1121 Aironet WAP to work with WPA authenticating to a MS IAS server (RADIUS). It works fine, clients can authenticate, access internet,

I moved the access point to the DMZ on PIX 515E and added nat statements and ACL for dmz to inside.

Now the clients cannot authenticate to the RADIUS server. I am getting an error

4|Jan 04 1993 13:23:11|106023: Deny udp src dmz: dst inside: by access-group "DMZ_TO_INSIDE"

This does not make any sense, because my ACL opens ports 1645 and 1646 to the RADIUS server. See below:

access-list DMZ_TO_INSIDE remark Allow ping from DMZ to INSIDE
access-list DMZ_TO_INSIDE extended permit icmp
access-list DMZ_TO_INSIDE extended permit udp host host eq radius
access-list DMZ_TO_INSIDE extended permit udp host host eq radius-acct
access-group DMZ_TO_INSIDE in interface dmz

static (dmz,outside) netmask
static (inside,dmz) netmask
static (inside,dmz) netmask

I have been working on this for 4 hours with no progress. I tried opening all traffic from to-from the dmz and rebuilt the WAP setup, rebuilt the IAS client entry, etc.

Any help would be greatly appreciated.

Thanks in advance.

Lucky Mace
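An added diagnostic example (not part of the post, and the addresses are hypothetical placeholders): it parses a 106023 deny line in the syslog format shown above and compares the denied destination port with what the ACL's `radius` / `radius-acct` keywords actually permit, since on PIX those keywords mean UDP 1645 and 1646, not the IANA-assigned 1812/1813 that a RADIUS server may be listening on.

```python
import re

# PIX/ASA ACL port keywords: "radius" is UDP 1645 and "radius-acct" is UDP 1646,
# the legacy RADIUS ports, not the IANA-assigned 1812/1813.
PORT_KEYWORDS = {"radius": 1645, "radius-acct": 1646}

# Constructed ACL mirroring the post's DMZ_TO_INSIDE entries; the host
# addresses are hypothetical placeholders for the WAP (src) and IAS server (dst).
ACL = [
    {"proto": "udp", "src": "172.16.1.10", "dst": "192.168.1.20", "port": "radius"},
    {"proto": "udp", "src": "172.16.1.10", "dst": "192.168.1.20", "port": "radius-acct"},
]

# Matches the body of a %PIX-4-106023 message: proto, interface:ip/port pairs, ACL name.
DENY_RE = re.compile(
    r"106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
)


def parse_deny(line):
    """Extract protocol, src, dst, dst port and ACL name from a 106023 deny line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["dport"] = int(d["dport"])
    return d


def permitted_ports(acl, proto, src, dst):
    """Destination ports the ACL permits for this protocol and host pair."""
    return sorted(PORT_KEYWORDS[e["port"]] for e in acl
                  if e["proto"] == proto and e["src"] == src and e["dst"] == dst)


def diagnose(line, acl=ACL):
    """Report the denied port next to the permitted ones so a mismatch is explicit."""
    d = parse_deny(line)
    if d is None:
        return None
    ports = permitted_ports(acl, d["proto"], d["src"], d["dst"])
    return {"denied_port": d["dport"], "permitted": ports, "matches": d["dport"] in ports}


# Constructed sample line in the post's syslog format (addresses are placeholders).
SAMPLE = ('4|Jan 04 1993 13:23:11|106023: Deny udp src dmz:172.16.1.10/1024 '
          'dst inside:192.168.1.20/1812 by access-group "DMZ_TO_INSIDE"')

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

On the real log line the destination port after `inside:<ip>/` is the value to check; a denied port of 1812 or 1813 against an ACL permitting only `radius` and `radius-acct` explains the deny even though "RADIUS" is permitted. On a PIX of that era, the dmz-interface ACL must also reference the inside host by the address the `static (inside,dmz)` translation presents to the DMZ, not its untranslated inside address.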
