I just set up a Cisco 1121 Aironet WAP to work with WPA authenticating to an MS
IAS server (RADIUS). It works fine, clients can authenticate, access internet,
etc.
I moved the access point to the DMZ on a PIX 515E and added nat statements and an ACL
for dmz to inside.
Now the clients cannot authenticate to the RADIUS server. I am getting an error
message:
4|Jan 04 1993 13:23:11|106023: Deny udp src dmz:192.168.200.2/1645 dst inside:10.0.4.20/1645 by access-group "DMZ_TO_INSIDE"
This does not make any sense, because my ACL opens ports 1645 and 1646 to the
RADIUS server. See below:
access-list DMZ_TO_INSIDE remark Allow ping from DMZ to INSIDE
access-list DMZ_TO_INSIDE extended permit icmp 192.168.200.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list DMZ_TO_INSIDE extended permit udp host 192.168.200.2 host 192.168.200.3 eq radius
access-list DMZ_TO_INSIDE extended permit udp host 192.168.200.2 host 192.168.200.3 eq radius-acct
access-group DMZ_TO_INSIDE in interface dmz
static (dmz,outside) 65.223.51.72 192.168.200.2 netmask 255.255.255.255
static (inside,dmz) 192.168.200.3 10.0.4.20 netmask 255.255.255.255
static (inside,dmz) 192.168.200.4 10.0.4.21 netmask 255.255.255.255
I have been working on this for 4 hours with no progress. I tried opening all
traffic to and from the dmz and rebuilt the WAP setup, rebuilt the IAS client
entry, etc.
Any help would be greatly appreciated.
Thanks in advance.
Lucky Mace
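Added example, not from the poster: a small Python check that parses ACEs, statics and a 106023 deny written in the format shown in the post, then reports whether the named ACL holds an ACE for the logged destination and for that destination's static-mapped address. It assumes only the host/host/eq ACE form and the static form used above, and the config and syslog strings are constructed inline.

```python
import re

# Constructed sample in the shape of the post's config and syslog (not a live device).
CONFIG = """
access-list DMZ_TO_INSIDE extended permit udp host 192.168.200.2 host 192.168.200.3 eq radius
access-list DMZ_TO_INSIDE extended permit udp host 192.168.200.2 host 192.168.200.3 eq radius-acct
static (inside,dmz) 192.168.200.3 10.0.4.20 netmask 255.255.255.255
static (inside,dmz) 192.168.200.4 10.0.4.21 netmask 255.255.255.255
"""
SYSLOG = ('4|Jan 04 1993 13:23:11|106023: Deny udp src dmz:192.168.200.2/1645 '
          'dst inside:10.0.4.20/1645 by access-group "DMZ_TO_INSIDE"')
PORT_NAMES = {"radius": 1645, "radius-acct": 1646}  # PIX service keywords

# Only the host/host/eq ACE form and the static form used in the post are parsed.
ACE_RE = re.compile(r"access-list (\S+) extended permit (\w+) host (\S+) host (\S+) eq (\S+)")
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask")
DENY_RE = re.compile(r'106023: Deny (\w+) src (\w+):(\S+)/(\d+) dst (\w+):(\S+)/(\d+) '
                     r'by access-group "(\S+)"')

def parse_config(text):
    """Return (aces, statics): aces as (acl, proto, src, dst, port) tuples,
    statics keyed by real address -> (mapped address, mapped interface)."""
    aces, statics = [], {}
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            acl, proto, src, dst, port = m.groups()
            aces.append((acl, proto, src, dst, PORT_NAMES.get(port) or int(port)))
            continue
        m = STATIC_RE.match(line.strip())
        if m:  # static (real_ifc,mapped_ifc) mapped_ip real_ip netmask ...
            _real_if, mapped_if, mapped, real = m.groups()
            statics[real] = (mapped, mapped_if)
    return aces, statics

def explain_deny(syslog_line, config_text):
    """For a 106023 deny, report whether the named ACL holds an ACE matching the
    flow with the destination as logged, and with its static-mapped address."""
    m = DENY_RE.search(syslog_line)
    if not m:
        return None
    proto, _src_if, src, _sport, _dst_if, dst, dport, acl = m.groups()
    aces, statics = parse_config(config_text)
    candidates = {dst: "as logged"}
    if dst in statics:
        mapped, mapped_if = statics[dst]
        candidates[mapped] = f"mapped on {mapped_if} by static"
    return {addr: (how, any(a == acl and p == proto and s == src and d == addr
                            and int(dport) == prt for a, p, s, d, prt in aces))
            for addr, how in candidates.items()}
```

For the post's config the check shows no ACE for the logged address 10.0.4.20 and a matching ACE for its mapped address 192.168.200.3. Which of the two the firewall compares an ACL against depends on the software release (pre-8.3 PIX/ASA code matches mapped addresses, 8.3 and later match real addresses), so read the result against the platform documentation for the version in use.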