Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

ASA issue - Radius

Version... 

Cisco Adaptive Security Appliance Software Version 8.4(1)

Device Manager Version 6.4(1)

We have an ASA 5505 on all our sites.  The ASA is connected to a secondary ISP for redundancy.  It has an IPSec VPN connection back to HQ. 

Issue:  We have TACACS and FreeRADIUS implemented on a server back at HQ. I will add in a rule to the INSIDE interface that allows tacacs and radius respectively.  When I test my tacacs authentication, its successful.  When I go to test my radius, it fails.  Both services are on the same server.  I have moved the radius ACL up to the top of the ACL list, still not working.  I have added a rule in my crypto map, still not working.  Packet tracer just says an implicit rule is denying but it wont say which one.  I'm at a loss.  It seems it has to do with UDP protocol for radius because Tacacs works fine.  I have added rules all over the place and it has been denied. 

aaa-server radius protocol radius
aaa-server radius (inside) host 192.168.50.X SECRET
authentication-port 1812
accounting-port 1813
aaa-server tacacs protocol tacacs+
aaa-server tacacs (inside) host 192.168.50.X SECRET

access-list inside extended permit tcp 10.2.X.0 255.255.255.0 host 192.168.50.X eq tacacs

access-list inside extended permit udp 10.2.X.0 255.255.255.0 host 192.168.50.X range radius radius-account

1 REPLY
Cisco Employee

ASA issue - Radius

Steve,

The actual problem you're hitting is this one:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsl25826

NOW... you might be lucky if you upgrade your ASA to something containing fix to:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty03086

and

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtr16184

However I will not make any guarantees.

Open up a TAC case if you want to have troubleshooting assistance.

M.

122
Views
0
Helpful
1
Replies
CreatePlease to create content