ACS 5.2 ASA 5510 radius connection

Hi,

Currently I'm evaluating an ACS 5.2.

I need to authenticate the VPN users against LDAP, but have no direct connection from the ASA to the LDAP server. So the ASA should connect to the ACS to ask the LDAP identity store, OK.

My first problem is: the ACS doesn't respond to the RADIUS requests of the ASA! The ASA uses port 1812, the secret is OK, the ASA is configured as a network device in the ACS, and I've created an internal test user on the ACS.

The firewall log shows the established connection (so I think there is a handshake!?), but the ASA says in the RADIUS test: "ERROR: Authentication-Server not responding"

Any hints?

Thank You


ACS 5.2 ASA 5510 radius connection

Hello Karl,

Are there any errors being logged on the ACS reports when performing the authentication attempt on the ASA? If yes, can you share those logs?

Also, a capture on the appropriate ASA interface for the RADIUS/ACS traffic might be helpful. Open the capture with Wireshark and confirm that the ASA sends the Access-Request and the ACS responds with either an Access-Accept or an Access-Reject.

Hope this points you in the right direction.

Regards.
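The exchange the reply above tells you to look for in the capture, as an added example that is not part of the original thread and not Cisco code: it builds the Access-Request as the NAS (the ASA) would send it, the Access-Accept/Access-Reject as the server (the ACS) would answer, and then does over a list of packets the check a practitioner does by hand in Wireshark: pair each request with its reply by Identifier and verify the Response Authenticator against the shared secret (RFC 2865). The shared secret, user name, password and NAS address below are constructed test values, not values from the thread.

```python
"""RADIUS (RFC 2865) request/response pairing and Response Authenticator check.

Added example, not code from the thread. Constructed values only: the shared
secret, credentials and NAS address are made up for the demonstration.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

SECRET = b"testing123"  # constructed shared secret, not from the thread


def encode_attrs(attrs):
    """Serialise a list of (type, value) pairs as RADIUS TLVs (Type, Length, Value)."""
    out = b""
    for t, v in attrs:
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Parse RADIUS TLVs; rejects a length that would overrun the packet."""
    attrs, i = [], 0
    while i < len(data):
        t, l = struct.unpack("!BB", data[i:i + 2])
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def hide_password(password, secret, request_auth):
    """User-Password obfuscation (RFC 2865 5.2): each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password (what the server does before checking the password)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_request(ident, username, password, nas_ip, secret, request_auth=None):
    """Access-Request as the NAS sends it; returns (packet, request_authenticator)."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Server reply. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse(packet):
    """Split a RADIUS datagram into header fields, authenticator and raw attributes."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    return {"code": code, "id": ident, "auth": packet[4:20], "attrs": packet[20:]}


def check_exchange(packets, secret):
    """Pair requests with replies by Identifier, as one would over a capture.

    Returns {identifier: status} where status is 'Access-Accept', 'Access-Reject',
    'no response' (the symptom described in the thread) or 'bad authenticator'
    (a reply produced with a different shared secret, or forged).
    """
    requests, result = {}, {}
    for pkt in packets:
        p = parse(pkt)
        if p["code"] == ACCESS_REQUEST:
            requests[p["id"]] = p
            result[p["id"]] = "no response"
        elif p["id"] in requests:
            req_auth = requests[p["id"]]["auth"]
            expected = hashlib.md5(pkt[:4] + req_auth + p["attrs"] + secret).digest()
            ok = expected == p["auth"]
            result[p["id"]] = CODE_NAMES.get(p["code"], "unknown") if ok else "bad authenticator"
    return result
```

RADIUS is one UDP datagram each way: the reply is sent back to the source address and port of the request, so a request whose Identifier never shows up in the reply direction is exactly the "server not responding" case, and a reply that is present but fails the Response Authenticator check points at a shared-secret mismatch between NAS and server.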


Re: ACS 5.2 ASA 5510 radius connection

Hi Carlos,

Thank you so far.

Now I've made some further investigations, as you suggested:

A capture on the ASA shows the RADIUS connection as it should: src, dest, username and so on, but only 1 packet with the connection establishment, no answer.

On the ACS under Monitoring -> Reports -> Catalog -> AAA Protocol -> AAA Diagnostics I can see 2 entries about "Received RADIUS Access-Request" and "RADIUS created a new session" with the device IP address of the ASA, device port 1025 (source port), destination port 1812 and a session ID.

So everything should be fine, but I think the answer doesn't reach the ASA.

Does the ACS establish an extra connection for the answer? I don't think so.

Could the problem be on the VMware host?


Re: ACS 5.2 ASA 5510 radius connection

Now I've got it:

It seems that it was a time sync issue. After setting NTP it works.
