Radius Authentication

nelcnetworks
Level 4

Hi

I wonder if anyone can help

I have an ASA5505 set up to provide an encrypted tunnel across our internal LAN. The outside address is on our internal LAN. When I try to connect to it using radius authentication it fails. I can ping the radius server from the ASA using the ping tool in the ASDM.

I am sure it is some sort of access rule but cannot figure it out.

ASA (outside interface 10.25.200.30) connects to switch 10.25.200.1; the radius server is 10.40.6.75.

As I said, I can ping, but when I do the radius test it just times out.

I have run debug and get the following (IP addresses are not the actual ones but have been changed to allow comparison):

ASA5505-GrimCentralLib-01# debug aaa authentication

debug aaa authentication enabled at level 1

ASA5505-GrimCentralLib-01# debug radius all

ASA5505-GrimCentralLib-01# term mon

ASA5505-GrimCentralLib-01# radius mkreq: 0x80000009

alloc_rip 0xca135518

    new request 0x80000009 --> 48 (0xca135518)

got user 'brokes'

got password

add_req 0xca135518 session 0x80000009 id 48

RADIUS_REQUEST

radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------

Raw packet data (length = 64).....

01 30 00 40 1b b8 91 f6 f7 64 cd 82 93 d0 c9 ce    |  .0.@.....d......

ef fc 85 da 01 08 62 72 6f 6b 65 73 02 12 c9 df    |  ......brokes....

f6 15 93 9a c0 17 ff 71 4f 11 40 90 8a 0e 04 06    |  .......qO.@.....

00 00 00 00 05 06 00 00 00 22 3d 06 00 00 00 05    |  ........."=.....

Parsed packet data.....

Radius: Code = 1 (0x01)

Radius: Identifier = 48 (0x30)

Radius: Length = 64 (0x0040)

Radius: Vector: 1BB891F6F764CD8293D0C9CEEFFC85DA

Radius: Type = 1 (0x01) User-Name

Radius: Length = 8 (0x08)

Radius: Value (String) =

62 72 6f 6b 65 73                                  |  brokes

Radius: Type = 2 (0x02) User-Password

Radius: Length = 18 (0x12)

Radius: Value (String) =

c9 df f6 15 93 9a c0 17 ff 71 4f 11 40 90 8a 0e    |  .........qO.@...

Radius: Type = 4 (0x04) NAS-IP-Address

Radius: Length = 6 (0x06)

Radius: Value (IP Address) = 0.0.0.0 (0x00000000)

Radius: Type = 5 (0x05) NAS-Port

Radius: Length = 6 (0x06)

Radius: Value (Hex) = 0x22

Radius: Type = 61 (0x3D) NAS-Port-Type

Radius: Length = 6 (0x06)

Radius: Value (Hex) = 0x5

send pkt 10.40.6.75/1645

RADIUS_SENT:server response timeout

RADIUS_DELETE

remove_req 0xca135518 session 0x80000009 id 48

free_rip 0xca135518

radius: send queue empty

Any help would be appreciated.

Steve Brokenshire
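An added example, not part of the post or of any Cisco or Juniper tooling: a small parser for the RFC 2865 Access-Request shown in the debug output above, followed by checks that reflect points raised later in the thread (which client address the server knows the ASA by, and port 1645 versus 1812). The packet bytes are copied from the "Raw packet data" lines of the post; the destination port comes from the "send pkt 10.40.6.75/1645" line.

```python
import struct
from ipaddress import IPv4Address

# Access-Request bytes copied from the "Raw packet data" lines of the debug output above.
RAW_HEX = ("01 30 00 40 1b b8 91 f6 f7 64 cd 82 93 d0 c9 ce "
           "ef fc 85 da 01 08 62 72 6f 6b 65 73 02 12 c9 df "
           "f6 15 93 9a c0 17 ff 71 4f 11 40 90 8a 0e 04 06 "
           "00 00 00 00 05 06 00 00 00 22 3d 06 00 00 00 05")

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTRS = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
         5: "NAS-Port", 61: "NAS-Port-Type"}

def parse_radius(raw: bytes) -> dict:
    """Decode the RFC 2865 header and the type/length/value attribute list."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"Length field {length} does not match {len(raw)} bytes")
    pkt = {"code": code, "code_name": CODES.get(code, "?"), "id": ident,
           "length": length, "authenticator": raw[4:20].hex(), "attrs": {}}
    pos = 20
    while pos < length:
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        val = raw[pos + 2:pos + alen]
        if atype == 1:                      # User-Name: text
            val = val.decode("ascii")
        elif atype == 4:                    # NAS-IP-Address: 4-byte address
            val = str(IPv4Address(val))
        elif atype in (5, 61):              # NAS-Port, NAS-Port-Type: integer
            val = int.from_bytes(val, "big")
        pkt["attrs"][ATTRS.get(atype, f"Attr-{atype}")] = val
        pos += alen
    return pkt

def review(pkt: dict, dest_port: int) -> list:
    """Checks suggested by the replies in the thread, applied to the parsed request."""
    notes = []
    if pkt["attrs"].get("NAS-IP-Address") == "0.0.0.0":
        notes.append("NAS-IP-Address is 0.0.0.0: the server identifies the client by "
                     "UDP source address, so register the ASA interface IP it sends from")
    if dest_port == 1645:
        notes.append("sent to legacy port 1645: confirm the server listens there, "
                     "not only on RFC 2865 port 1812")
    return notes
```

Running `review(parse_radius(bytes.fromhex(RAW_HEX)), 1645)` returns both notes for the request in the post.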

11 Replies

Are you using the correct interface for radius?

aaa-server RAD protocol radius

aaa-server RAD (outside) host 10.40.6.75 Cisco1234

route outside 10.40.6.75 255.255.255.255 next_hop_ip...

On the server, you need to configure the outside IP address of the ASA with the key...

Patrick

Yes I have that all setup and I can ping the radius server from the ASA so routing is working.

The radius logs do not show any failed attempts at authentication and I have setup the device as a client with the correct shared key.

Have you tried pinging the radius server with outside as the source interface?

ping outside 10.40.6.75

Is that working? Do we have any other devices that might be blocking radius communication between ASA and radius server?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

When I log onto the ASA using a local username and password and run the ASDM, if I use the ping option in Tools I can ping the radius server with no problem.

Can you try from the CLI in this format please:

ping outside 10.40.6.75

Do attach the following outputs:

sh run aaa-server

show run tunnel-group

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Have done that; it pings successfully.

Thanks for performing that. Now, I am wondering whether traffic is even reaching the radius server on the radius authentication port, UDP 1645 or 1812. What kind of radius server are you using? Can we run a packet capture on the radius server or on the switch interface where the radius server is connected?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

It is Juniper (Funk) Steel Belted Radius.

I will try to setup a packet capture but might take some time.

Thanks for your help so far anyway.

Yeah, that would be the right step if you are up for troubleshooting it further. You can also try reloading the radius server to eliminate any problem with the radius server or its services.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

sganpat
Level 1

What does the RADIUS server say? Does it receive the request? If the client is not in the RADIUS server's list or if the shared key is wrong, it will not reply.

Is there another firewall between the RADIUS server and the ASA? If so, is it configured to allow the RADIUS traffic through? I know it allows pings, but does it allow RADIUS?

Also, I see the RADIUS packets are being sent to port 1645. Is the RADIUS server configured to use that port as well, or does it only use the new RFC port of 1812? I assume that it does, but check anyway.

If you look at the logs on the ASA and filter for 10.40.6.75 does it tell you anything?

Sachin