DMZ won't pass RADIUS traffic to inside

luckymace
Level 1

I just set up a Cisco 1121 Aironet WAP to work with WPA authenticating to a MS IAS server (RADIUS). It works fine, clients can authenticate, access internet, etc.

I moved the access point to the DMZ on PIX 515E and added nat statements and ACL for dmz to inside.

Now the clients cannot authenticate to the RADIUS server. I am getting an error message:

4|Jan 04 1993 13:23:11|106023: Deny udp src dmz:192.168.200.2/1645 dst inside:10.0.4.20/1645 by access-group "DMZ_TO_INSIDE"

This does not make any sense, because my ACL opens ports 1645 and 1646 to the RADIUS server. See below:

access-list DMZ_TO_INSIDE remark Allow ping from DMZ to INSIDE
access-list DMZ_TO_INSIDE extended permit icmp 192.168.200.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list DMZ_TO_INSIDE extended permit udp host 192.168.200.2 host 192.168.200.3 eq radius
access-list DMZ_TO_INSIDE extended permit udp host 192.168.200.2 host 192.168.200.3 eq radius-acct
access-group DMZ_TO_INSIDE in interface dmz
static (dmz,outside) 65.223.51.72 192.168.200.2 netmask 255.255.255.255
static (inside,dmz) 192.168.200.3 10.0.4.20 netmask 255.255.255.255
static (inside,dmz) 192.168.200.4 10.0.4.21 netmask 255.255.255.255

I have been working on this for 4 hours with no progress. I tried opening all traffic to/from the dmz and rebuilt the WAP setup, rebuilt the IAS client entry, etc.

Any help would be greatly appreciated.

Thanks in advance.

Lucky Mace

1 Reply

rsmith
Level 3

It looks like your WAP is still trying to access the RADIUS server by its physical address, not the translated address in the DMZ. Look into that config and change the RADIUS server to 192.168.200.3; it should work then.
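The mismatch rsmith points at can be checked mechanically from the lines in the question. The script below is an added illustration, not code from the original thread or from Cisco: it parses the posted DMZ_TO_INSIDE entries and the static (inside,dmz) translations, parses the 106023 deny message, and evaluates the ACL first-match against the flow as the WAP actually sent it (destination 10.0.4.20) and again against the DMZ-side address the static publishes for that host (192.168.200.3). It assumes the PIX matches the inbound ACL on the dmz interface against the destination as the DMZ host addresses it, which is what the deny log implies, and it assumes the legacy port names radius=1645 and radius-acct=1646 used by this PIX. The config lines, the log line and the helper names are taken or constructed from the post for the demonstration.

```python
import ipaddress
import re

# Config and log lines as posted in the question (constructed sample input for this check).
ACL_LINES = [
    "access-list DMZ_TO_INSIDE remark Allow ping from DMZ to INSIDE",
    "access-list DMZ_TO_INSIDE extended permit icmp 192.168.200.0 255.255.255.0 192.168.200.0 255.255.255.0",
    "access-list DMZ_TO_INSIDE extended permit udp host 192.168.200.2 host 192.168.200.3 eq radius",
    "access-list DMZ_TO_INSIDE extended permit udp host 192.168.200.2 host 192.168.200.3 eq radius-acct",
]
STATIC_LINES = [
    "static (inside,dmz) 192.168.200.3 10.0.4.20 netmask 255.255.255.255",
    "static (inside,dmz) 192.168.200.4 10.0.4.21 netmask 255.255.255.255",
]
DENY_LOG = ('4|Jan 04 1993 13:23:11|106023: Deny udp src dmz:192.168.200.2/1645 '
            'dst inside:10.0.4.20/1645 by access-group "DMZ_TO_INSIDE"')

# Assumption: legacy RADIUS port names as this PIX resolves them.
PORT_NAMES = {"radius": 1645, "radius-acct": 1646}

LOG_RE = re.compile(r'Deny (\w+) src (\w+):([\d.]+)/(\d+) dst (\w+):([\d.]+)/(\d+) '
                    r'by access-group "([^"]+)"')


def _parse_addr(tokens, i):
    """Parse one PIX address spec (any | host X | NET MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(lines):
    """Turn 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]' lines into rule dicts."""
    rules = []
    for line in lines:
        t = line.split()
        if not t or t[0] != "access-list" or "remark" in t:
            continue
        a = next((i for i, x in enumerate(t) if x in ("permit", "deny")), None)
        if a is None:
            continue
        src, i = _parse_addr(t, a + 2)
        dst, i = _parse_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        rules.append({"name": t[1], "action": t[a], "proto": t[a + 1],
                      "src": src, "dst": dst, "dport": dport})
    return rules


def parse_statics(lines):
    """Map DMZ-side (global) address -> real inside address from 'static (inside,dmz)' lines."""
    mapping = {}
    for line in lines:
        t = line.split()
        if len(t) >= 4 and t[0] == "static" and t[1] == "(inside,dmz)":
            mapping[t[2]] = t[3]
    return mapping


def parse_deny(log):
    """Extract protocol, source, destination, destination port and ACL name from a 106023 message."""
    m = LOG_RE.search(log)
    if not m:
        raise ValueError("not a 106023 deny line")
    return {"proto": m.group(1), "src": m.group(3), "dst": m.group(6),
            "dport": int(m.group(7)), "acl": m.group(8)}


def evaluate(rules, proto, src, dst, dport):
    """First-match evaluation with the implicit deny at the end, as on the PIX."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in (proto, "ip"):
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"]
    return "deny"


def diagnose(rules, statics, flow):
    """Verdict for the flow as sent, plus the verdict if the DMZ host used the static's DMZ-side address."""
    as_sent = evaluate(rules, flow["proto"], flow["src"], flow["dst"], flow["dport"])
    mapped = [g for g, real in statics.items() if real == flow["dst"]]
    translated = mapped[0] if mapped else None
    if_translated = (evaluate(rules, flow["proto"], flow["src"], translated, flow["dport"])
                     if translated else None)
    return {"as_sent": as_sent, "translated_dst": translated, "if_translated": if_translated}


def check_post_example():
    """Run the diagnosis over the lines from the question."""
    return diagnose(parse_acl(ACL_LINES), parse_statics(STATIC_LINES), parse_deny(DENY_LOG))


if __name__ == "__main__":
    print(check_post_example())
```

Run as-is, the flow to 10.0.4.20 falls through to the implicit deny because no DMZ_TO_INSIDE entry names that address, while the same packet addressed to 192.168.200.3 hits the `eq radius` line and is permitted. That is exactly the configuration error the reply describes: the ACL and the statics are consistent with each other, the WAP's RADIUS server address is the odd one out.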