I need to authenticate the VPN-Users against LDAP, but have no direct connection from the ASA to the LDAP-Server. So the ASA should connect to the ACS to ask the LDAP-Identity-Store, OK.
My first Problem is: the ACS doesn't respond to the RADIUS-Requests of the ASA! The ASA uses Port 1812, the Secret is ok, the ASA is configured as a Network Device in the ACS and I've created an internal Test-User on the ACS.
The Firewall-Log shows the established connection (so I think, there is a Handshake!?), but the ASA says in Radius-Test: "EROR:Authentication-Server not responding"
Are there any errors being logged on the ACS reports when performing the authentication attempt on the ASA? If yes, can you share those logs?
Also, a capture on the appropriate ASA Interface for the RADIUS/ACS traffic might be helpful. Open the capture with Wireshark and confirm that the ASA sends the Access-Request and the ACS responds with either an Access-Accept or Access-Reject.
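As an added example (not part of the original reply), the check described above can be scripted once the UDP payloads have been exported from the capture: the Python code below pairs each Access-Request with its reply by client address, port and RADIUS identifier and lists the requests that never got an answer. The addresses, identifiers and the `SAMPLE` datagrams are constructed for illustration; ports 1025 and 1812 are the ones mentioned in this thread.

```python
import struct

REQUEST = 1                 # Access-Request
REPLIES = {2, 3, 11}        # Access-Accept, Access-Reject, Access-Challenge

def parse_header(payload):
    """Return (code, identifier) from a RADIUS UDP payload, or None if malformed."""
    if len(payload) < 20:                      # header is 20 bytes minimum
        return None
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):   # length field must fit the datagram
        return None
    return code, ident

def unanswered_requests(datagrams, server_port=1812):
    """Return Access-Requests that never received a reply.

    datagrams: iterable of (src_ip, src_port, dst_ip, dst_port, payload).
    A reply matches when it travels from the server back to the same client
    ip/port and carries the same identifier as the request.
    """
    pending = set()
    for src_ip, src_port, dst_ip, dst_port, payload in datagrams:
        hdr = parse_header(payload)
        if hdr is None:
            continue
        code, ident = hdr
        if code == REQUEST and dst_port == server_port:
            pending.add((src_ip, src_port, dst_ip, ident))
        elif code in REPLIES and src_port == server_port:
            pending.discard((dst_ip, dst_port, src_ip, ident))
    return sorted(pending)

def make_packet(code, ident):
    """Build a minimal 20-byte RADIUS packet (header only, zeroed authenticator)."""
    return struct.pack("!BBH", code, ident, 20) + bytes(16)

# Constructed sample: documentation-range addresses standing in for ASA and ACS.
ASA, ACS = "192.0.2.10", "192.0.2.20"
SAMPLE = [
    (ASA, 1025, ACS, 1812, make_packet(1, 7)),   # Access-Request, never answered
    (ASA, 1025, ACS, 1812, make_packet(1, 8)),   # Access-Request
    (ACS, 1812, ASA, 1025, make_packet(2, 8)),   # Access-Accept for identifier 8
]

if __name__ == "__main__":
    for client_ip, client_port, server_ip, ident in unanswered_requests(SAMPLE):
        print(f"no reply: {client_ip}:{client_port} -> {server_ip} id={ident}")
```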
Now I've made some further Investigation as you thought:
A Capture on the ASA shows the Radius-Connection as it should: src, dest, username and so on but only 1 Packet with the connection-establishment, no answer.
On the ACS under Monitoring -> Reports -> Catalog -> AAA Protocol -> AAA-Diagnostics I can see 2 Entries about Received RADIUS Access-Request and RADIUS created a new Session with Device-IP-Address of ASA, Device-Port 1025 (SRC-Port) and DestinationPort 1812 and a Session-ID.
So everything should be fine, but I think the Answer doesn't reach the ASA.
Does the ACS establish an extra Connection for the Answer? I don't think so.