Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
320
Views
0
Helpful
1
Replies

ASA issue - Radius

Steve Neff
Level 1
Level 1

‎10-31-2013 08:39 AM - edited ‎03-11-2019 07:58 PM

Version... 

Cisco Adaptive Security Appliance Software Version 8.4(1)

Device Manager Version 6.4(1)

We have an ASA 5505 on all our sites.  The ASA is connected to a secondary ISP for redundancy.  It has an IPSec VPN connection back to HQ. 

Issue:  We have TACACS and FreeRADIUS implemented on a server back at HQ. I will add in a rule to the INSIDE interface that allows tacacs and radius respectively.  When I test my tacacs authentication, its successful.  When I go to test my radius, it fails.  Both services are on the same server.  I have moved the radius ACL up to the top of the ACL list, still not working.  I have added a rule in my crypto map, still not working.  Packet tracer just says an implicit rule is denying but it wont say which one.  I'm at a loss.  It seems it has to do with UDP protocol for radius because Tacacs works fine.  I have added rules all over the place and it has been denied. 

aaa-server radius protocol radius
aaa-server radius (inside) host 192.168.50.X SECRET
authentication-port 1812
accounting-port 1813
aaa-server tacacs protocol tacacs+
aaa-server tacacs (inside) host 192.168.50.X SECRET

access-list inside extended permit tcp 10.2.X.0 255.255.255.0 host 192.168.50.X eq tacacs

access-list inside extended permit udp 10.2.X.0 255.255.255.0 host 192.168.50.X range radius radius-account

Labels:
0 Helpful
1 Reply 1

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎10-31-2013 09:45 AM

Steve,

The actual problem you're hitting is this one:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsl25826

NOW... you might be lucky if you upgrade your ASA to something containing fix to:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty03086

and

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtr16184

However I will not make any guarantees.

Open up a TAC case if you want to have troubleshooting assistance.

M.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card