Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

A problem when authenticating ASA via Radius

Dear all,

please give me a hand. I have a problem when authenticating across ASA 5520 via Radius to ACS appliance 4.0 via VPN. I need to configure secure authentication and NAC for VPN remote user. It just doesnt work but it works when using Tacacs so all the connection seems to be ok as ACS succesfully authenticate a remote VPN user via MS AD when using Tacacs. But I have read that I cant use NAC when using Tacacs, am I right? Logs on ASA and ACS indicate a problem with shared key but I have already double checked the key on both sides, IP address is the correct one on ASA and I have also tried all possible Radius methods on ASA. Any idea where could be a problem???

1 ACCEPTED SOLUTION

Accepted Solutions

Re: A problem when authenticating ASA via Radius

Hi,

As you are using ACS 4.0, then make sure the AAA Client entry for ASA that you have created on ACS, if under a NDG, then make sure that there is no key on NDG level.

Other way, move ASA client entry as Radius on ACS to (Not Assigned) NDG on ACS.

Regards,

Prem

2 REPLIES

Re: A problem when authenticating ASA via Radius

Hi,

As you are using ACS 4.0, then make sure the AAA Client entry for ASA that you have created on ACS, if under a NDG, then make sure that there is no key on NDG level.

Other way, move ASA client entry as Radius on ACS to (Not Assigned) NDG on ACS.

Regards,

Prem

New Member

Re: A problem when authenticating ASA via Radius

Sir,

thank you very much. Your advice has solved my problem. Even it is quite stupid that I had to remove my ASA device from NDG to Not asssigned ... but it works now :-)

But unfortunately I have another problem now. Authentication works correctly across ASA, ACS and MS AD but in ACS log (I mean Passed attempts) I can see that NAC doesnt work. The authentication just doesnt receive any Posture token so nothing happen even DOT1X posture validation works in normal LAN. I have cross-checked ASA configuration, NAC is enabled there ... I try to use another profile, NAC L3 but it looks that ASA ignores it. ACS log shows me using DOT1X profile or nothing when I turn of DOT1X profile.

Dont you know where could be a problem???

128
Views
0
Helpful
2
Replies
CreatePlease to create content