Cisco Support Community

New Member

radius auth over ipsec

Hello,

I have a problem setting up RADIUS authentication on a remote ASA.

Configuration is pretty simple:

home network <-> internet <-> remote office with ASA

Between the home network and the ASA, an IPsec tunnel is established.

10.10.10.0 is network behind ASA

10.10.20.0 is network with radius server in it

so crypto acl is:

    permit ip 10.10.10.0/24 10.10.20.0/24
    permit ip 10.10.20.0/24 10.10.10.0/24

which perfectly connects two networks

I want ASA to use radius located in home network for authentication.

So with commands:

    aaa-server RADIUS protocol radius
    aaa-server EMEARADIUS host radiushost
     key mykey
     authentication-port 1812
     accounting-port 1813

I supposed this would achieve what is necessary; however, it's not like this.

The RADIUS host is located behind the outside interface, so the ASA sends RADIUS requests with the source of the outside interface, and because of this it does not seem to be interesting traffic for the ASA and doesn't get encrypted.

Question: is there a way to force the ASA to use the IP of inside for this?

Accepted Solutions
Cisco Employee

Re: radius auth over ipsec

There is no equivalent of ip radius source-interface in ASA.

What you are observing is correct and you need to have an entry in the crypto ACL like this:

access-list 100 permit ip host host

The same is true for syslog servers sitting across the tunnel.
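
The crypto ACL change described in the accepted answer, written out in ASA syntax as an added example (not part of the original thread and not Cisco's own configuration). The addresses 203.0.113.10 (ASA outside interface) and 10.10.20.5 (RADIUS host) and the names CRYPTO_ACL and OUTSIDE_MAP are assumed placeholders.

```cisco
! Constructed values: 203.0.113.10 = ASA outside IP, 10.10.20.5 = RADIUS host.
! CRYPTO_ACL and OUTSIDE_MAP are assumed names; sequence number 10 is assumed.

! Existing entry: site-to-site traffic between the two LANs
access-list CRYPTO_ACL extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0

! Added entry: RADIUS requests generated by the ASA itself leave with the
! outside interface address, so that address has to appear as a source.
! Without it the requests are sent unencrypted (or not routed at all).
access-list CRYPTO_ACL extended permit ip host 203.0.113.10 host 10.10.20.5

crypto map OUTSIDE_MAP 10 match address CRYPTO_ACL

! The server group points at the host through the outside interface
aaa-server EMEARADIUS protocol radius
aaa-server EMEARADIUS (outside) host 10.10.20.5
 key mykey
 authentication-port 1812
 accounting-port 1813

! The home-side peer needs the mirrored entry in its own crypto ACL:
!   permit ip host 10.10.20.5 host 203.0.113.10
! The RADIUS server must also list 203.0.113.10 as the client (NAS)
! address, since that is the source it will see after decryption.

! Checks from the ASA (testuser/testpass are placeholders):
test aaa-server authentication EMEARADIUS host 10.10.20.5 username testuser password testpass
show crypto ipsec sa
```

After the test, `show crypto ipsec sa` should list a security association whose local and remote identities are the two host addresses, with the encapsulated packet counter increasing.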

New Member

Re: radius auth over ipsec

I was afraid I would receive only this answer; it's configured like this right now. I was hoping there is another way...
