ACS server not responding to test authentication

endpoint
Level 1

Hello

I am setting up a test lab with a router as an EasyVPN client, an ASA as the VPN server, and ACS for RADIUS authentication. Can anyone provide a bit of feedback explaining why the ASA is not able to perform a test AAA authentication with ACS? Not sure if I have to have an ACL on the inside interface to allow UDP traffic from the ACS server.

Thanks

Network diagram

---ASA(e0/1, 10.1.1.10) -- ACS (10.1.1.30)

ACS has ASA as a client.

The error I am getting when trying to test authentication is:

UDP request discarded from 10.1.1.30/137 to inside:10.1.1.255/137

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here is the ASA config:

ASA Version 8.0(3)
!
hostname IPX-ASA1
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 8.9.2.10 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.7.7.10 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name .net
pager lines 24
logging enable
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
route inside 192.168.182.0 255.255.255.0 10.1.1.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server RAD protocol radius
aaa-server RAD (inside) host 10.1.1.30
 key cisco
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt context hostname domain
Cryptochecksum:2ac9494cc4c126d05c269cddb8effba8
: end

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

IPX-ASA1# traceroute 10.1.1.30
Type escape sequence to abort.
Tracing the route to 10.1.1.30
1  10.1.1.30 0 msec 0 msec 0 msec

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

IPX-ASA1# ping 10.1.1.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.30, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

IPX-ASA1# sh int ip br
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                8.9.2.10        YES CONFIG up                    up
Ethernet0/1                10.1.1.10       YES CONFIG up                    up
Ethernet0/2                10.7.7.10       YES CONFIG up                    up
Ethernet0/3                unassigned      YES unset  administratively down down
Management0/0              unassigned      YES unset  administratively down down
IPX-ASA1#

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

IPX-ASA1# test aaa authentication RAD
Server IP Address or name: 10.1.1.30
Username: sd
Password: **
INFO: Attempting Authentication test to IP address <10.1.1.30> (timeout: 12 seconds)
radius mkreq: 0xf
alloc_rip 0xd57a16d4
    new request 0xf --> 13 (0xd57a16d4)
got user ''
got password
add_req 0xd57a16d4 session 0xf id 13
RADIUS_REQUEST
radius.c: rad_mkpkt
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 60).....
01 0d 00 3c dd 52 23 20 d9 9e 7f 4c 95 aa 9b 38    |  ...<.R# ..L...8
11 76 77 e4 01 04 73 64 02 12 f0 ca 39 05 25 dd    |  .vw...sd....9.%.
72 68 2e 57 16 d1 e3 33 78 15 04 06 0a 01 01 0a    |  rh.W...3x.......
05 06 00 00 00 0d 3d 06 00 00 00 05                |  ......=.....
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 13 (0x0D)
Radius: Length = 60 (0x003C)
Radius: Vector: DD522320D99E7F4C95AA9B38117677E4
Radius: Type = 1 (0x01) User-Name
Radius: Length = 4 (0x04)
Radius: Value (String) =
73 64                                              |  sd
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
f0 ca 39 05 25 dd 72 68 2e 57 16 d1 e3 33 78 15    |  ..9.%.rh.W...3x.
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.1.1.10 (0x0A01010A)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xD
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 10.1.1.30/1645
RADIUS_SENT:server response timeout
RADIUS_DELETE
remove_req 0xd57a16d4 session 0xf id 13
free_rip 0xd57a16d4
radius: send queue empty
ERROR: Authentication Server not responding: No error

IPX-ASA1/.net# test aaa authentication RAD
Server IP Address or name: 10.1.1.30
Username: sd
Password: **
INFO: Attempting Authentication test to IP address <10.1.1.30> (timeout: 12 seconds)
radius mkreq: 0x10
alloc_rip 0xd57a16d4
    new request 0x10 --> 14 (0xd57a16d4)
got user ''
got password
add_req 0xd57a16d4 session 0x10 id 14
RADIUS_REQUEST
radius.c: rad_mkpkt
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 60).....
01 0e 00 3c 4d 02 13 50 49 4e 6f 7c 05 5a 8b 68    |  ...<M..PINo|.Z.h
81 26 67 14 01 04 73 64 02 12 55 58 fa f2 b1 02    |  .&g...sd..UX....
b5 18 df 80 da f0 51 82 4b 2a 04 06 0a 01 01 0a    |  ......Q.K*......
05 06 00 00 00 0e 3d 06 00 00 00 05                |  ......=.....
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 14 (0x0E)
Radius: Length = 60 (0x003C)
Radius: Vector: 4D021350494E6F7C055A8B6881266714
Radius: Type = 1 (0x01) User-Name
Radius: Length = 4 (0x04)
Radius: Value (String) =
73 64                                              |  sd
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
55 58 fa f2 b1 02 b5 18 df 80 da f0 51 82 4b 2a    |  UX..........Q.K*
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.1.1.10 (0x0A01010A)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xE
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 10.1.1.30/1645
RADIUS_SENT:server response timeout
RADIUS_DELETE
remove_req 0xd57a16d4 session 0x10 id 14
free_rip 0xd57a16d4
radius: send queue empty
ERROR: Authentication Server not responding: No error

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

IPX-ASA1/.net#
IPX-ASA1/.net# test aaa authentication RAD
Server IP Address or name: 10.1.1.30
Username: we
Password: **
INFO: Attempting Authentication test to IP address <10.1.1.30> (timeout: 12 seconds)
radius mkreq: 0x11
alloc_rip 0xd57a16d4
    new request 0x11 --> 15 (0xd57a16d4)
got user ''
got password
add_req 0xd57a16d4 session 0x11 id 15
RADIUS_REQUEST
radius.c: rad_mkpkt
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 60).....
01 0f 00 3c bd b2 03 80 b9 fe 5f ac 75 0a 7b 98    |  ...<......_.u.{.
f1 d6 57 44 01 04 77 65 02 12 46 51 f1 14 9a bd    |  ..WD..we..FQ....
5a 51 f3 f1 ba a7 bc 6a ef 34 04 06 0a 01 01 0a    |  ZQ.....j.4......
05 06 00 00 00 0f 3d 06 00 00 00 05                |  ......=.....
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 15 (0x0F)
Radius: Length = 60 (0x003C)
Radius: Vector: BDB20380B9FE5FAC750A7B98F1D65744
Radius: Type = 1 (0x01) User-Name
Radius: Length = 4 (0x04)
Radius: Value (String) =
77 65                                              |  we
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
46 51 f1 14 9a bd 5a 51 f3 f1 ba a7 bc 6a ef 34    |  FQ....ZQ.....j.4
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.1.1.10 (0x0A01010A)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xF
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 10.1.1.30/1645
ERROR: Authentication Server not responding: No error
IPX-ASA1/.net# %ASA-5-111008: User 'enable_15' executed the 'test aaa-server authentication RAD' command.
RADIUS_SENT:server response timeout
RADIUS_DELETE
remove_req 0xd57a16d4 session 0x11 id 15
free_rip 0xd57a16d4
radius: send queue empty
%ASA-7-710005: UDP request discarded from 10.1.1.30/137 to inside:10.1.1.255/137
%ASA-7-710005: UDP request discarded from 10.1.1.30/137 to inside:10.1.1.255/137
%ASA-7-710005: UDP request discarded from 10.1.1.30/137 to inside:10.1.1.255/137

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ACS has ASA as a client

ACS and ASA in the same subnet

can ping devices in both directions (from ACS to ASA and from ASA to ACS)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
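As an added example that is not part of the original post: a small Python decoder for the RADIUS Access-Request bytes the ASA printed in its debug. It parses the 20-byte header and the attribute TLVs (User-Name, User-Password, NAS-IP-Address, NAS-Port, NAS-Port-Type, named per RFC 2865), rejects malformed packets the way a server silently would, and flags a User-Password field that is not a 16-to-128-octet multiple of 16. The raw bytes are copied from the first (identifier 13) and third (identifier 15) requests above; running the same decoder over a capture taken on the ACS host is a quick way to confirm whether the request actually arrives there. Two things the debug itself supports, for anyone reading it: the ASA sends to UDP/1645, the legacy RADIUS authentication port (RFC 2865 assigns 1812), so the server must listen on the port the client uses; and the %ASA-7-710005 lines are UDP/137 to the directed broadcast 10.1.1.255, i.e. NetBIOS name-service chatter from the ACS host, not RADIUS traffic.

```python
"""Decode RADIUS Access-Request packets (RFC 2865) like the ones in the ASA debug."""
import ipaddress
import struct

# Raw bytes copied from the debug hex dumps above
# (identifier 13, user "sd"; identifier 15, user "we").
RAW_PACKET_ID13 = bytes.fromhex(
    "01 0d 00 3c dd 52 23 20 d9 9e 7f 4c 95 aa 9b 38 "
    "11 76 77 e4 01 04 73 64 02 12 f0 ca 39 05 25 dd "
    "72 68 2e 57 16 d1 e3 33 78 15 04 06 0a 01 01 0a "
    "05 06 00 00 00 0d 3d 06 00 00 00 05"
)
RAW_PACKET_ID15 = bytes.fromhex(
    "01 0f 00 3c bd b2 03 80 b9 fe 5f ac 75 0a 7b 98 "
    "f1 d6 57 44 01 04 77 65 02 12 46 51 f1 14 9a bd "
    "5a 51 f3 f1 ba a7 bc 6a ef 34 04 06 0a 01 01 0a "
    "05 06 00 00 00 0f 3d 06 00 00 00 05"
)

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTRS = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port", 61: "NAS-Port-Type"}
RADIUS_HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Request Authenticator


def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and raw (type, value) attributes.

    Raises ValueError on what a server would drop without reply: a short header,
    a Length field that disagrees with the buffer, or an attribute running past the end.
    """
    if len(packet) < RADIUS_HEADER.size:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length, authenticator = RADIUS_HEADER.unpack_from(packet)
    if length < RADIUS_HEADER.size or length > len(packet):
        raise ValueError(f"Length field {length} inconsistent with {len(packet)} bytes received")
    attrs = []
    pos = RADIUS_HEADER.size
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute type {atype} has invalid length {alen}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "length": length,
            "authenticator": authenticator, "attributes": attrs}


def is_well_formed(packet: bytes) -> bool:
    """True when the packet parses cleanly, False for anything parse_radius rejects."""
    try:
        parse_radius(packet)
        return True
    except ValueError:
        return False


def decode_value(atype: int, value: bytes):
    """Render an attribute value the way the ASA debug prints it."""
    if atype == 1:               # User-Name: text
        return value.decode("utf-8", errors="replace")
    if atype == 4:               # NAS-IP-Address: 4-octet address
        return str(ipaddress.IPv4Address(value))
    if atype in (5, 61):         # NAS-Port, NAS-Port-Type: 32-bit integers
        return int.from_bytes(value, "big")
    return value.hex()           # User-Password (obfuscated) and anything else: hex


def summarize(packet: bytes) -> dict:
    """Parse and decode one packet; 'warnings' lists RFC 2865 User-Password length violations."""
    parsed = parse_radius(packet)
    out = {"code": CODES.get(parsed["code"], f"code-{parsed['code']}"), "id": parsed["id"],
           "authenticator": parsed["authenticator"].hex().upper(), "warnings": []}
    for atype, value in parsed["attributes"]:
        out[ATTRS.get(atype, f"attr-{atype}")] = decode_value(atype, value)
        if atype == 2 and (len(value) % 16 or not 16 <= len(value) <= 128):
            out["warnings"].append(f"User-Password is {len(value)} octets, not a 16..128 multiple of 16")
    return out


if __name__ == "__main__":
    for raw in (RAW_PACKET_ID13, RAW_PACKET_ID15):
        for key, val in summarize(raw).items():
            print(f"{key:>15}: {val}")
        print()
```

The decoded fields match the ASA's own "Parsed packet data" lines (NAS-Port-Type 5 is "Virtual" in RFC 2865), which confirms the ASA is building a valid request; a server-side capture showing no packet at all points at the path or the listening port rather than the packet.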
