Cisco Support Community
New Member

Radius over Site-to-Site VPN

Hello everybody,

I have a Site-to-Site VPN between two ASA 5540 outside interfaces.

I'm trying to configure SSH RADIUS authentication on one of them, but the RADIUS server is located behind the other ASA.

When I try to connect to this ASA's outside interface using my RADIUS credentials, the communication to the RADIUS server times out.

It seems that the ASA doesn't use the crypto map to route the request to the RADIUS server.

Can anyone help me?

This is the radius config on the ASA:

aaa-server RADIUS protocol radius
 accounting-mode simultaneous
 max-failed-attempts 5
aaa-server RADIUS (outside) host radius01
 key *****
aaa authentication ssh console RADIUS LOCAL

Thanks,

Paolo

5 REPLIES
Cisco Employee

Radius over Site-to-Site VPN

Since you would like your RADIUS authentication to go over the VPN tunnel, you would need to specify the inside interface instead of the outside interface. That would source the RADIUS request from the inside interface, whose subnet I believe should be part of the crypto ACL. Otherwise, if it is not part of the crypto ACL, you can add that subnet so it goes over the VPN tunnel.

aaa-server RADIUS (inside) host radius01
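The reply above turns on one mechanism: the interface named in `aaa-server RADIUS (<interface>) host ...` decides which address the ASA sources the RADIUS request from, and the crypto ACL is matched on that source address. The following added example (not from the thread or from Cisco) models that decision in Python with a constructed topology: the inside interface in 192.168.6.0/24, a placeholder outside address in the TEST-NET-3 range, and a RADIUS server at 10.20.0.25 behind the peer ASA; all of those addresses are assumptions. It generalizes slightly beyond the reply by evaluating a full first-match ACL with an implicit deny, and by showing the fallback of adding the missing source subnet.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumed, not taken from the thread).
ASA_INTERFACES = {
    "outside": ip_address("203.0.113.10"),  # placeholder public address (TEST-NET-3)
    "inside": ip_address("192.168.6.1"),    # assumed inside interface address
}
RADIUS_SERVER = ip_address("10.20.0.25")    # assumed server behind the peer ASA

# Crypto ACL entries as (action, source network, destination network).
# First match wins and an unmatched flow is implicitly denied, which is how
# the ASA evaluates "crypto map ... match address".
CRYPTO_ACL = [
    ("permit", ip_network("192.168.6.0/24"), ip_network("10.20.0.0/24")),
]


def acl_matches(acl, src, dst):
    """True when src->dst is 'interesting traffic' that the crypto map will encrypt."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False  # implicit deny: the flow is routed normally, outside the tunnel


def radius_source(interface):
    """Source address the ASA uses for 'aaa-server RADIUS (<interface>) host ...'."""
    return ASA_INTERFACES[interface]


def radius_is_tunnelled(interface, acl=CRYPTO_ACL, server=RADIUS_SERVER):
    """Would a RADIUS request sourced from this interface be sent through the VPN?"""
    return acl_matches(acl, radius_source(interface), server)


def add_subnet_to_acl(acl, src_net, dst_net):
    """The reply's fallback: permit the missing source subnet towards the server side."""
    return acl + [("permit", ip_network(src_net), ip_network(dst_net))]


if __name__ == "__main__":
    for iface in ("outside", "inside"):
        verdict = "encrypted via tunnel" if radius_is_tunnelled(iface) else "no crypto ACL match"
        print(f"aaa-server RADIUS ({iface}): sourced from {radius_source(iface)} -> {verdict}")
```

With the crypto ACL as constructed, only the inside-sourced request matches and is encrypted; the outside-sourced request is what the original poster saw timing out.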

New Member

Radius over Site-to-Site VPN

I have the same problem, and I tried to put the inside interface instead of outside, but still the ASA won't connect to RADIUS.

Cisco Employee

Radius over Site-to-Site VPN

Are you able to ping the radius server sourcing inside interface?

ping inside radius-ip-address

Please provide the debugs from the ASA:

debug radius

debug aaa authen

Run the test command:

test aaa authentication RADIUS host radius-server-ip

username:xxxxx

password:xxxxx

Are you seeing any hits on the radius side?

Jatin Katyal
- Do rate helpful posts -

New Member

Re: Radius over Site-to-Site VPN

No, I cannot ping my RADIUS IP from the inside interface,

and this is the debug output while testing:

FMFB-KGT# radius mkreq: 0x17e
alloc_rip 0xd8d2bc08
    new request 0x17e --> 20 (0xd8d2bc08)
got user 'badriddin.g'
got password
add_req 0xd8d2bc08 session 0x17e id 20
RADIUS_REQUEST
radius.c: rad_mkpkt
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 69).....
01 14 00 45 46 07 34 5d d2 a3 a0 59 1e ff cc 15    |  ...EF.4]...Y....
2a 1b b8 91 01 0d 62 61 64 72 69 64 64 69 6e 2e    |  *.....badriddin.
67 02 12 a4 01 06 8e ab df 27 4a 51 9e dc 16 2d    |  g........'JQ...-
24 27 e3 04 06 c0 a8 06 65 05 06 00 00 00 0b 3d    |  $'......e......=
06 00 00 00 05                                     |  .....
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 20 (0x14)
Radius: Length = 69 (0x0045)
Radius: Vector: 4607345DD2A3A0591EFFCC152A1BB891
Radius: Type = 1 (0x01) User-Name
Radius: Length = 13 (0x0D)
Radius: Value (String) =
62 61 64 72 69 64 64 69 6e 2e 67                   |  badriddin.g
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
a4 01 06 8e ab df 27 4a 51 9e dc 16 2d 24 27 e3    |  ......'JQ...-$'.
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 192.168.6.101 (0xC0A80665)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xB
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt pdcsrv/1645
RADIUS_SENT:server response timeout
RADIUS_DELETE
remove_req 0xd8d2bc08 session 0x17e id 20
free_rip 0xd8d2bc08
radius: send queue empty

How do I make the remote side reachable by ping through the crypto tunnel?
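The "Parsed packet data" section of the debug above is the ASA decoding its own Access-Request before it is sent (and then timing out waiting for a reply). As an added example that is not part of the thread or of any Cisco tooling, the Python below parses the RFC 2865 header and attribute TLVs straight from the "Raw packet data" hex dump and reproduces that decode: code 1, identifier 20, length 69, the request authenticator, User-Name, NAS-IP-Address 192.168.6.101, NAS-Port 11 and NAS-Port-Type 5. It also enforces the length rules a RADIUS server applies before accepting a packet, and keeps User-Password opaque: in a RADIUS/UDP request that attribute is protected only by the shared-secret hiding of RFC 2865 section 5.2, which is the practical reason the request should leave through the tunnel rather than the outside interface. Everything in the block other than the quoted bytes is constructed for this illustration.

```python
import struct
from ipaddress import IPv4Address

# Raw Access-Request bytes copied from the "Raw packet data" hex dump in the
# debug above; the ASCII gutter right of '|' is not part of the packet.
RAW_HEX = """
01 14 00 45 46 07 34 5d d2 a3 a0 59 1e ff cc 15
2a 1b b8 91 01 0d 62 61 64 72 69 64 64 69 6e 2e
67 02 12 a4 01 06 8e ab df 27 4a 51 9e dc 16 2d
24 27 e3 04 06 c0 a8 06 65 05 06 00 00 00 0b 3d
06 00 00 00 05
"""

# RFC 2865 code and attribute numbers (the ones seen here plus a few common ones).
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTRS = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
         6: "Service-Type", 61: "NAS-Port-Type"}
INTEGER_ATTRS = {5, 6, 61}          # 32-bit unsigned integers
FIXED_FOUR_BYTE_ATTRS = INTEGER_ATTRS | {4}  # NAS-IP-Address is also exactly 4 bytes


def hexdump_to_bytes(dump):
    """Turn a whitespace-separated hex dump (no ASCII gutter) into bytes."""
    return bytes.fromhex("".join(dump.split()))


def decode_value(atype, raw):
    """Decode one attribute value according to its RFC 2865 data type."""
    if atype == 1:
        return raw.decode("utf-8", errors="replace")
    if atype == 4:
        return str(IPv4Address(raw))          # accepts the 4-byte packed form
    if atype in INTEGER_ATTRS:
        return struct.unpack("!I", raw)[0]
    return raw.hex()  # User-Password and unknown attributes stay opaque


def parse_radius(pkt):
    """Parse a RADIUS packet (RFC 2865 sections 3 and 5); raise ValueError on
    the malformations a server would silently discard."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError(f"Length field {length} inconsistent with {len(pkt)} bytes on the wire")
    authenticator = pkt[4:20]
    attributes = []
    pos = 20
    while pos < length:                       # octets past Length are padding and ignored
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype} has invalid length {alen}")
        value = pkt[pos + 2:pos + alen]
        if atype == 2 and (len(value) % 16 != 0 or not 16 <= len(value) <= 128):
            raise ValueError("User-Password must be 16-128 bytes, a multiple of 16")
        if atype in FIXED_FOUR_BYTE_ATTRS and len(value) != 4:
            raise ValueError(f"attribute {atype} must carry exactly 4 bytes")
        attributes.append((ATTRS.get(atype, f"Attr-{atype}"), decode_value(atype, value)))
        pos += alen
    return {"code": code, "code_name": CODES.get(code, "Unknown"), "identifier": ident,
            "length": length, "authenticator": authenticator.hex().upper(),
            "attributes": attributes}


def attribute(parsed, name):
    """First value of the named attribute, or None if absent."""
    for attr_name, value in parsed["attributes"]:
        if attr_name == name:
            return value
    return None


if __name__ == "__main__":
    p = parse_radius(hexdump_to_bytes(RAW_HEX))
    print(f"Code = {p['code']} ({p['code_name']}), Identifier = {p['identifier']}, "
          f"Length = {p['length']}, Authenticator = {p['authenticator']}")
    for name, value in p["attributes"]:
        print(f"  {name} = {value}")
```

Running it on the quoted bytes gives the same fields the ASA printed; the only visible difference is that NAS-Port and NAS-Port-Type come out as decimal 11 and 5 rather than the debug's 0xB and 0x5.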

New Member

Radius over Site-to-Site VPN

Try this:

management-access inside

This fixed the problem for me.
