Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4320
Views
0
Helpful
4
Replies

RSA Radius to Cisco ASA 8.0 Authentication Fail.

wong.jason
Level 1
Level 1

‎01-28-2008 07:31 AM - edited ‎03-10-2019 03:37 PM

I'm configuring a ASA to authenticate against the RSA using it's build in Radius server.

I'm testing using

"test aaa-server authentication RSA-Radius host 172.18.248.223 username testcisco password test1234123456"

I assumed password "test1234123456" consists of RSA's password (test) + pin-code (1234) + RSA Token (123456) but I'm not sure since this isn't stated anyway in the documents that I could find.

and it's always telling me authentication failure but I've tested the same account using another server (using SDI and not Radius) and the account is working fine. I've double-checked the radius shared secret and that's correct.

Is there any log files or trace files on the AuthMan that I can use to see what's wrong ? The ASA's config is simple enough.

"aaa-server RSA-Radius protocol radius

aaa-server RSA-Radius host 10.1.1.1

key abc123

authentication-port 1812

accounting-port 1813"

Thanks.

Labels:
0 Helpful
4 Replies 4

cisco24x7
Level 6
Level 6

‎01-28-2008 08:13 AM

1- What version of RSA SecurID are you

using? version 5.2 or 6.1?

2- because you're using native RSA radius

Server, you need to fine the agent host of

the ASA a little differently, not the same

you define an agent hosts using SDI.

3- Use the RSA Server "log monitor" option and

you can see in the log as to why it failed.

It will tell you why such as syntax error

or "agent host not found", etc...

4- Open a case with RSA and they can

help you. Seem like a very simple problem.

By the way, my works fine between the my Pix

firewall and the RSA radius server. See below:

CiscoPix# test aaa-server authen TEST username test1 password 1234testme

Server IP Address or name: 192.168.1.2

INFO: Attempting Authentication test to IP address <192.168.1.2> (timeout: 10 seconds)

INFO: Authentication Successful

CiscoPix#

0 Helpful

wong.jason
Level 1
Level 1
In response to cisco24x7

‎01-28-2008 08:22 AM

1. I'm using AuthMan 6.1 .

2. Could you give a example ? I'm assuming a standard Radius config on the ASA.

aaa-server RSA-Radius protocol radius

aaa-server RSA-Radius host 10.1.1.1

key abc123

authentication-port 1812

accounting-port 1813

3. I'll try this tomorrow.

Thanks.

0 Helpful

cisco24x7
Level 6
Level 6
In response to wong.jason

‎01-28-2008 08:28 AM

ok.. here is how:

1- on the RSA server, define an agent host

with the IP address of the RSA server itself.

Allow all users for testing purposes

2- On the secondary notes, put it your ASA

ip address as the secondary notes,

3- test.

Your ASA configuration looks fine. If you

need additional help, send me a private email

and I can help you with it.

CCIE Security

0 Helpful

wong.jason
Level 1
Level 1
In response to cisco24x7

‎01-28-2008 08:39 AM

Thanks. There don't seems to be a option to view your email address. Maybe it's not published. Mine is in the profile. Please drop me a email. Would like to bounce some Qs off you. Thanks.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents