02-22-2012 08:10 AM - edited 03-10-2019 06:50 PM
Hello
I am setting up a test lab with a router as an EasyVPN client, an ASA as the VPN server and ACS for RADIUS authentication. Could anyone provide a bit of feedback explaining why the ASA is not able to perform a test AAA authentication with ACS? I am not sure if I have to have an ACL on the inside interface to allow UDP traffic from the ACS server.
Thanks
Network diagram
---ASA(e0/1, 10.1.1.10) -- ACS (10.1.1.30)
ACS has the ASA as a client.
The error I am getting when trying to test authentication is:
UDP request discarded from 10.1.1.30/137 to inside:10.1.1.255/137
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here is the ASA config:
ASA Version 8.0(3)
!
hostname IPX-ASA1
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 8.9.2.10 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.1.10 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.7.7.10 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name .net
pager lines 24
logging enable
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
route inside 192.168.182.0 255.255.255.0 10.1.1.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server RAD protocol radius
aaa-server RAD (inside) host 10.1.1.30
key cisco
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt context hostname domain
Cryptochecksum:2ac9494cc4c126d05c269cddb8effba8
: end
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IPX-ASA1# traceroute 10.1.1.30
Type escape sequence to abort.
Tracing the route to 10.1.1.30
1 10.1.1.30 0 msec 0 msec 0 msec
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IPX-ASA1# ping 10.1.1.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.30, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IPX-ASA1# sh int ip br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 8.9.2.10 YES CONFIG up up
Ethernet0/1 10.1.1.10 YES CONFIG up up
Ethernet0/2 10.7.7.10 YES CONFIG up up
Ethernet0/3 unassigned YES unset administratively down down
Management0/0 unassigned YES unset administratively down down
IPX-ASA1#
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IPX-ASA1# test aaa authentication RAD
Server IP Address or name: 10.1.1.30
Username: sd
Password: **
INFO: Attempting Authentication test to IP address <10.1.1.30> (timeout: 12 seconds)
radius mkreq: 0xf
alloc_rip 0xd57a16d4
new request 0xf --> 13 (0xd57a16d4)
got user ''
got password
add_req 0xd57a16d4 session 0xf id 13
RADIUS_REQUEST
radius.c: rad_mkpkt
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 60).....
01 0d 00 3c dd 52 23 20 d9 9e 7f 4c 95 aa 9b 38 | ...<.R# ..L...8
11 76 77 e4 01 04 73 64 02 12 f0 ca 39 05 25 dd | .vw...sd....9.%.
72 68 2e 57 16 d1 e3 33 78 15 04 06 0a 01 01 0a | rh.W...3x.......
05 06 00 00 00 0d 3d 06 00 00 00 05 | ......=.....
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 13 (0x0D)
Radius: Length = 60 (0x003C)
Radius: Vector: DD522320D99E7F4C95AA9B38117677E4
Radius: Type = 1 (0x01) User-Name
Radius: Length = 4 (0x04)
Radius: Value (String) =
73 64 | sd
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
f0 ca 39 05 25 dd 72 68 2e 57 16 d1 e3 33 78 15 | ..9.%.rh.W...3x.
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.1.1.10 (0x0A01010A)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xD
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 10.1.1.30/1645
RADIUS_SENT:server response timeout
RADIUS_DELETE
remove_req 0xd57a16d4 session 0xf id 13
free_rip 0xd57a16d4
radius: send queue empty
ERROR: Authentication Server not responding: No error
IPX-ASA1/.net# test aaa authentication RAD
Server IP Address or name: 10.1.1.30
Username: sd
Password: **
INFO: Attempting Authentication test to IP address <10.1.1.30> (timeout: 12 seconds)
radius mkreq: 0x10
alloc_rip 0xd57a16d4
new request 0x10 --> 14 (0xd57a16d4)
got user ''
got password
add_req 0xd57a16d4 session 0x10 id 14
RADIUS_REQUEST
radius.c: rad_mkpkt
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 60).....
01 0e 00 3c 4d 02 13 50 49 4e 6f 7c 05 5a 8b 68 | ...<M..PINo|.Z.h
81 26 67 14 01 04 73 64 02 12 55 58 fa f2 b1 02 | .&g...sd..UX....
b5 18 df 80 da f0 51 82 4b 2a 04 06 0a 01 01 0a | ......Q.K*......
05 06 00 00 00 0e 3d 06 00 00 00 05 | ......=.....
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 14 (0x0E)
Radius: Length = 60 (0x003C)
Radius: Vector: 4D021350494E6F7C055A8B6881266714
Radius: Type = 1 (0x01) User-Name
Radius: Length = 4 (0x04)
Radius: Value (String) =
73 64 | sd
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
55 58 fa f2 b1 02 b5 18 df 80 da f0 51 82 4b 2a | UX..........Q.K*
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.1.1.10 (0x0A01010A)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xE
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 10.1.1.30/1645
RADIUS_SENT:server response timeout
RADIUS_DELETE
remove_req 0xd57a16d4 session 0x10 id 14
free_rip 0xd57a16d4
radius: send queue empty
ERROR: Authentication Server not responding: No error
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IPX-ASA1/.net#
IPX-ASA1/.net# test aaa authentication RAD
Server IP Address or name: 10.1.1.30
Username: we
Password: **
INFO: Attempting Authentication test to IP address <10.1.1.30> (timeout: 12 seconds)
radius mkreq: 0x11
alloc_rip 0xd57a16d4
new request 0x11 --> 15 (0xd57a16d4)
got user ''
got password
add_req 0xd57a16d4 session 0x11 id 15
RADIUS_REQUEST
radius.c: rad_mkpkt
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 60).....
01 0f 00 3c bd b2 03 80 b9 fe 5f ac 75 0a 7b 98 | ...<......_.u.{.
f1 d6 57 44 01 04 77 65 02 12 46 51 f1 14 9a bd | ..WD..we..FQ....
5a 51 f3 f1 ba a7 bc 6a ef 34 04 06 0a 01 01 0a | ZQ.....j.4......
05 06 00 00 00 0f 3d 06 00 00 00 05 | ......=.....
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 15 (0x0F)
Radius: Length = 60 (0x003C)
Radius: Vector: BDB20380B9FE5FAC750A7B98F1D65744
Radius: Type = 1 (0x01) User-Name
Radius: Length = 4 (0x04)
Radius: Value (String) =
77 65 | we
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
46 51 f1 14 9a bd 5a 51 f3 f1 ba a7 bc 6a ef 34 | FQ....ZQ.....j.4
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.1.1.10 (0x0A01010A)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xF
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 10.1.1.30/1645
ERROR: Authentication Server not responding: No error
IPX-ASA1/.net# %ASA-5-111008: User 'enable_15' executed the 'test aaa-server authentication RAD' command.
RADIUS_SENT:server response timeout
RADIUS_DELETE
remove_req 0xd57a16d4 session 0x11 id 15
free_rip 0xd57a16d4
radius: send queue empty
%ASA-7-710005: UDP request discarded from 10.1.1.30/137 to inside:10.1.1.255/137
%ASA-7-710005: UDP request discarded from 10.1.1.30/137 to inside:10.1.1.255/137
%ASA-7-710005: UDP request discarded from 10.1.1.30/137 to inside:10.1.1.255/137
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ACS has the ASA as a client.
ACS and ASA are in the same subnet.
I can ping devices in both directions (from ACS to ASA and from ASA to ACS).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
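Editor's added example (not code from the original post or from Cisco): the debug output above already contains enough to confirm that the datagram leaving the ASA is a well-formed RFC 2865 Access-Request, which narrows the question from "is the ASA building the request correctly?" to "why does nothing come back on UDP/1645?". The Python below parses the 60-byte dump from the first test run, re-encodes it to prove the decoder is byte-exact, and implements the RFC 2865 section 5.2 User-Password hiding with the shared secret from the posted config (`key cisco`). The packet bytes, the secret and the attribute numbers are the only inputs taken from the post; the round-trip passwords and the authenticator used for them are constructed for the example. One caveat this makes concrete: User-Password is only XOR-masked with MD5(secret + authenticator), so a config that shows the shared secret, posted next to a RADIUS debug dump, lets anyone recover the test password that the prompt displayed as `**`.

```python
"""Decode the RADIUS Access-Request the ASA dumped in its debug output (RFC 2865).
Added example, not code from the original post. Inputs taken from the post: the
60-byte raw packet from the first 'test aaa authentication' run and the shared
secret 'cisco' from the aaa-server config. Everything else is assumed."""
import hashlib
import struct
from typing import Dict, List, Tuple

# Copied from the first "Raw packet data (length = 60)" dump in the post.
PAGE_PACKET = bytes.fromhex(
    "01 0d 00 3c dd 52 23 20 d9 9e 7f 4c 95 aa 9b 38 "
    "11 76 77 e4 01 04 73 64 02 12 f0 ca 39 05 25 dd "
    "72 68 2e 57 16 d1 e3 33 78 15 04 06 0a 01 01 0a "
    "05 06 00 00 00 0d 3d 06 00 00 00 05"
)
PAGE_SECRET = b"cisco"  # 'key cisco' under 'aaa-server RAD (inside) host 10.1.1.30'

CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 61: "NAS-Port-Type"}

def parse_packet(pkt: bytes) -> Dict:
    """Split a packet into header fields and raw (type, value) attributes.
    Bounds are checked the way a server must: a length field that disagrees
    with the datagram, or an attribute running past the end, raises."""
    if len(pkt) < 20:
        raise ValueError("RADIUS header needs 20 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"length field {length} != {len(pkt)} bytes received")
    attrs: List[Tuple[int, bytes]] = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODE_NAMES.get(code, f"code {code}"), "id": ident,
            "authenticator": pkt[4:20], "attrs": attrs}

def decode_attr(atype: int, value: bytes):
    """Render the attribute types the ASA sent; anything else stays raw bytes."""
    if atype == 1:
        return value.decode("ascii", "replace")
    if atype == 4 and len(value) == 4:
        return ".".join(str(b) for b in value)
    if atype in (5, 61) and len(value) == 4:
        return struct.unpack("!I", value)[0]
    return value

def build_packet(code: int, ident: int, authenticator: bytes,
                 attrs: List[Tuple[int, bytes]]) -> bytes:
    """Inverse of parse_packet: header, 16-byte authenticator, TLV attributes."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: NUL-pad to 16-byte blocks, XOR each with MD5(secret + prev).
    Masking keyed only by the shared secret, not encryption: holding the secret reverses it."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of hide_password; the chained input is the previous hidden block."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ b for h, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def describe(pkt: bytes, secret: bytes) -> Dict:
    """Named view of a packet, with User-Password unmasked using `secret`."""
    p = parse_packet(pkt)
    fields = {ATTR_NAMES.get(t, f"attr-{t}"): decode_attr(t, v) for t, v in p["attrs"]}
    if "User-Password" in fields:
        fields["User-Password"] = unhide_password(
            fields["User-Password"], secret, p["authenticator"])
    return {"code": p["code"], "id": p["id"],
            "authenticator": p["authenticator"].hex().upper(), **fields}

if __name__ == "__main__":
    for name, value in describe(PAGE_PACKET, PAGE_SECRET).items():
        print(f"{name:16} {value!r}")
```

Reading the rest of the debug with the packet proven good: `send pkt 10.1.1.30/1645` followed by `RADIUS_SENT:server response timeout` means no UDP reply at all reached the ASA. The ASA's default authentication port is the legacy 1645; if the server only listens on 1812, add `authentication-port 1812` under the `aaa-server RAD (inside) host 10.1.1.30` entry. No inside-interface ACL is needed for the reply, because the ASA originated the request and accepts the answer to its own connection. The three `%ASA-7-710005` lines are NetBIOS name-service broadcasts (UDP/137 to 10.1.1.255) from the ACS host; the ASA logs them as discarded because nothing on it listens there, and they are unrelated to RADIUS. The remaining checks are therefore on the server side: a capture on the ACS host to see whether the request arrives on UDP/1645, whether the ACS network-device entry for the ASA matches the NAS-IP-Address 10.1.1.10 in the packet (a request from an undefined client is dropped without a reply), and whether a host firewall on the ACS machine is blocking the port.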