Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1602
Views
0
Helpful
3
Replies

ACS 5.2 ASA 5510 radius connection

gaigl
Level 3
Level 3

‎01-18-2012 05:23 AM - edited ‎03-10-2019 06:44 PM

Hi,

currently I'm evaluating an ACS 5.2.

I need to authenticate the VPN-Users against LDAP, but have no direct connection from the ASA to the LDAP-Server. So the ASA should connect to the ACS to ask the LDAP-Identity-Store, OK.

My first Problem is: the ACS doesn't respond to the RADIUS-Requests of the ASA! ASA use's Port 1812, the Secret is ok, the ASA is as a Network Device in the ACS configured and I've created an internal Test-User on the ACS.

the Firewall-Log shows the established connection (so I think, there is a Handshake!?), but the ASA says in Radius-Test: "EROR:Authentication-Server not responding"

any hints?

Thank You

Labels:
0 Helpful
3 Replies 3

camejia
Level 3
Level 3

‎01-18-2012 08:46 AM

Hello Karl,

Are there any errors being logged on the ACS reports when performing the authentication attempt on the ASA? If yes, can you share those logs?

Also, a capture on the appropriate ASA Interface for the RADIUS/ACS traffic might be helpful. Open the capture with Wireshark and confirm that the ASA send the Access-Request and the ACS responds with either an Access-Accept or Access-Reject.

Hope this points you into the right direction.

Regards.

0 Helpful

gaigl
Level 3
Level 3
In response to camejia

‎01-19-2012 03:10 AM

Hi Carlos,

thank you so far.

Now I've mad some further Investigation as you thought:

A Capture on the ASA shows the Radius-Connection as it should: src, dest, username and so on but only 1 Packet with the connection-establishement, no answer.

On the ACS under Monitoring -> Reports -> Catalog -> AAA Protocol -> AAA-Diagnostics I can see 2 Entries about Received RADIUS Access-Request and RADIUS created a new Session with Device-IP-Address of ASA, Device-Port 1025 (SRC-Port) and DestinationPort 1812 and a Session-ID.

So everything should be fine, but I think the Answer doesn't reach the ASA.

does the ACS establish for the Answer an extra Connection? I don't think so.

Could the Problem exist on the VMWare Host?

0 Helpful

gaigl
Level 3
Level 3
In response to gaigl

‎01-19-2012 04:51 AM

Now I've got it:

It seems that it was a Timesync Issue. after setting NTP it works.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents