Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ASA cut through proxy with RADIUS challenge response?

Have this working for IPSEC VPN on same box (tested on 8.2.1 and 8.2.3)

Want to do cut through proxy with challenge response - same ASA and same RADUIS server but using aaa authentication match command and this is what happens...

It looks like the ASA sends a completely different radius authentication request than with VPN authentication request. Is there any way to specify what request is sent?

What the RADIUS Server sees with ASA VPN auth - THIS WORKS OK (included for comparison)

Date: 15/11/2010
Time: 3:53:57 PM
Type: Information
Source: Server
Category: RADIUS
Code: I-006001
Description: A RADIUS Access-Request has been received.
AMID: 0xC8500B80B3D8F49C6CB37E5D32DA6682
Details:
Source Location : 10.xx.21.24
Client Location : 10.xx.21.230:1025
Request ID : 31
Password Protocol : PAP
Input Details : RADIUS Code:1, RADIUS Id:31, , User-Name:xxxx, User-Password:******, NAS-IP-Address:10.xx.21.230, NAS-Port:31, NAS-Port-Type:Virtual, vendor(9):attrib(1):0x1A2000000009011A69703A736F757263652D69703D31302E32312E352E313137, Calling-Station-Id:ip:source-ip=10.21.5.117
Action : Process

What the RADIUS Server sees with ASA cut thru - THIS FAILS (any help V welcome)

Date: 17/11/2010
Time: 2:29:31 PM
Type: Warning
Source: Server
Category: RADIUS
Code: W-006001
Description: An invalid RADIUS packet has been received.
AMID: 0xC19D988F83365F20151C3F6339DEC74B
Details:
Source Location : 10.xx.21.24:1812 (Authentication)
Client Location : 10.xx.21.230:1025
Reason : The sub-protocol of the received RADIUS packet cannot be determined
Request ID : 33
Input Details : 0x01210066055A8B6881266714BDB20380B9FE5FAC01066962333504060AC815E60506000000203D06000000051A2000000009011A69703A736F757263652D69703D31302E34302E352E3131311F1A69703A736F757263652D69703D31302E34302E352E313131
Request Type : Access-Request

Thanks in advance

IB

1 REPLY
Cisco Employee

Re: ASA cut through proxy with RADIUS challenge response?

Hi Ian,

sorry for the late reaction - do you still need help with this?

The difference between the working (VPN) auth and the failing (CTP) auth seems to be that VPN is using PAP (so no challenge-response!) while the CTP is using MS-Chapv2

So my guess is that your Radius server does not support MS-Chapv2. If that is the case then you may want to try this:

aaa-server () host
no mschapv2-capable

Although this command is not really meant to be used in this scenario, so I'm not sure if it will work but I'm hoping it will make the ASA revert to PAP for all auth requests to this host.

Note that you won't be doing challenge/response, so your passwords will be transmitted over the wire (encrypted).

hth

Herbert

1393
Views
0
Helpful
1
Replies
CreatePlease to create content