Cisco Support Community
New Member

RSA Radius to Cisco ASA 8.0 Authentication Fail.

I'm configuring an ASA to authenticate against the RSA using its built-in RADIUS server.

I'm testing using

"test aaa-server authentication RSA-Radius host 172.18.248.223 username testcisco password test1234123456"

I assumed password "test1234123456" consists of RSA's password (test) + pin-code (1234) + RSA Token (123456) but I'm not sure since this isn't stated anywhere in the documents that I could find.

It's always telling me authentication failure, but I've tested the same account using another server (using SDI and not RADIUS) and the account is working fine. I've double-checked the RADIUS shared secret and that's correct.

Are there any log files or trace files on the AuthMan that I can use to see what's wrong? The ASA's config is simple enough.

aaa-server RSA-Radius protocol radius
aaa-server RSA-Radius host 10.1.1.1
 key abc123
 authentication-port 1812
 accounting-port 1813

Thanks.

4 REPLIES
Silver

Re: RSA Radius to Cisco ASA 8.0 Authentication Fail.

1- What version of RSA SecurID are you using? Version 5.2 or 6.1?

2- Because you're using the native RSA RADIUS server, you need to define the agent host of the ASA a little differently, not the same way you define an agent host using SDI.

3- Use the RSA Server "log monitor" option and you can see in the log why it failed. It will tell you why, such as syntax error or "agent host not found", etc.

4- Open a case with RSA and they can help you. Seems like a very simple problem.

By the way, mine works fine between my PIX firewall and the RSA RADIUS server. See below:

CiscoPix# test aaa-server authen TEST username test1 password 1234testme
Server IP Address or name: 192.168.1.2
INFO: Attempting Authentication test to IP address <192.168.1.2> (timeout: 10 seconds)
INFO: Authentication Successful
CiscoPix#

New Member

Re: RSA Radius to Cisco ASA 8.0 Authentication Fail.

1. I'm using AuthMan 6.1.

2. Could you give an example? I'm assuming a standard RADIUS config on the ASA.

aaa-server RSA-Radius protocol radius
aaa-server RSA-Radius host 10.1.1.1
 key abc123
 authentication-port 1812
 accounting-port 1813

3. I'll try this tomorrow.

Thanks.

Silver

Re: RSA Radius to Cisco ASA 8.0 Authentication Fail.

OK, here is how:

1- On the RSA server, define an agent host with the IP address of the RSA server itself. Allow all users for testing purposes.

2- On the secondary notes, put in your ASA IP address as the secondary notes.

3- Test.

Your ASA configuration looks fine. If you need additional help, send me a private email and I can help you with it.

CCIE Security

New Member

Re: RSA Radius to Cisco ASA 8.0 Authentication Fail.

Thanks. There doesn't seem to be an option to view your email address. Maybe it's not published. Mine is in the profile. Please drop me an email. Would like to bounce some Qs off you. Thanks.
