01-28-2008 07:31 AM - edited 03-10-2019 03:37 PM
I'm configuring an ASA to authenticate against the RSA using its built-in Radius server.
I'm testing using
"test aaa-server authentication RSA-Radius host 172.18.248.223 username testcisco password test1234123456"
I assumed the password "test1234123456" consists of the RSA password (test) + PIN code (1234) + RSA token (123456), but I'm not sure since this isn't stated anywhere in the documents that I could find.
It's always telling me authentication failure, but I've tested the same account using another server (using SDI, not Radius) and the account is working fine. I've double-checked the Radius shared secret and that's correct.
Are there any log files or trace files on the AuthMan that I can use to see what's wrong? The ASA's config is simple enough.
"aaa-server RSA-Radius protocol radius
aaa-server RSA-Radius host 10.1.1.1
key abc123
authentication-port 1812
accounting-port 1813"
Thanks.
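Added example, not from the thread: a small Python model of the RADIUS PAP exchange that the ASA "test aaa-server" command drives. It hides the User-Password the way RFC 2865 section 5.2 specifies and then decodes it once with the matching shared secret and once with a mismatched one, which shows why a wrong secret surfaces as a plain authentication failure on the RADIUS server rather than a distinct "bad secret" error. The username, password string and key come from the post above; the mismatched secret is a constructed value.

```python
# Added example (not code from the thread): RFC 2865 s5.2 User-Password
# hiding, and what a shared-secret mismatch does to the decoded password.
import hashlib
import os
import struct

def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)  # pad to 16-byte blocks
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def pap_decode(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encode; the server runs this with *its* copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")  # strips the padding (and any real trailing NULs)

def build_access_request(username: str, password: str, secret: bytes,
                         ident: int = 1, authenticator: bytes = None) -> bytes:
    """Access-Request (Code 1) carrying User-Name (1) and User-Password (2)."""
    auth = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in ((1, username.encode()),
                             (2, pap_encode(password.encode(), secret, auth))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + auth + attrs

def extract_password(packet: bytes, secret: bytes) -> bytes:
    """Server side: locate User-Password and decode it with the given secret."""
    auth, pos = packet[4:20], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if attr_type == 2:
            return pap_decode(packet[pos + 2:pos + length], secret, auth)
        pos += length
    raise ValueError("no User-Password attribute in packet")

def demo():
    """Returns (decoded with matching secret, decoded with mismatched secret)."""
    secret_ok, secret_bad = b"abc123", b"abc124"  # second one is constructed
    pkt = build_access_request("testcisco", "test1234123456", secret_ok)
    return extract_password(pkt, secret_ok), extract_password(pkt, secret_bad)
```

With the matching secret the server recovers "test1234123456"; with the mismatched one it recovers garbage it then checks against the token, so the only symptom is a failed authentication.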
01-28-2008 08:13 AM
1- What version of RSA SecurID are you using? Version 5.2 or 6.1?
2- Because you're using the native RSA Radius server, you need to define the agent host of the ASA a little differently, not the same way you define an agent host using SDI.
3- Use the RSA Server "log monitor" option and you can see in the log why it failed. It will tell you why, such as syntax error or "agent host not found", etc.
4- Open a case with RSA and they can help you. Seems like a very simple problem.
By the way, mine works fine between my Pix firewall and the RSA radius server. See below:
CiscoPix# test aaa-server authen TEST username test1 password 1234testme
Server IP Address or name: 192.168.1.2
INFO: Attempting Authentication test to IP address <192.168.1.2> (timeout: 10 seconds)
INFO: Authentication Successful
CiscoPix#
01-28-2008 08:22 AM
1. I'm using AuthMan 6.1.
2. Could you give an example? I'm assuming a standard Radius config on the ASA.
aaa-server RSA-Radius protocol radius
aaa-server RSA-Radius host 10.1.1.1
key abc123
authentication-port 1812
accounting-port 1813
3. I'll try this tomorrow.
Thanks.
01-28-2008 08:28 AM
OK, here is how:
1- On the RSA server, define an agent host with the IP address of the RSA server itself. Allow all users for testing purposes.
2- On the secondary nodes, put your ASA IP address as the secondary node.
3- Test.
Your ASA configuration looks fine. If you need additional help, send me a private email and I can help you with it.
CCIE Security
01-28-2008 08:39 AM
Thanks. There doesn't seem to be an option to view your email address. Maybe it's not published. Mine is in the profile. Please drop me an email. I would like to bounce some Qs off you. Thanks.