Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Radius Authenticated Access

Status
Not open for further replies.

kevmullet

Technical User
Feb 12, 2002
56
GB
OK so this is an experiment.

I have 2 ASA's.
One that terminates my Internet connection at my office.
On this I have setup a RADIUS auth for device access to a server running AD and NPS and this works fine.

The second ASA is at a customers premises and what I am trying to do is to use the RADIUS server on the network at my office to authenticate users accessing the device. Thus if you wanted to login to the ASA at the customers premises you would need to be in the correct AD group on my domain.

So the idea seems clever to me but for implementation I am having some troubles.

So on the office based ASA I have these bits:

access-list OUTSIDE_ACL extended permit tcp any host 86.x.x.234 eq 1812
access-list OUTSIDE_ACL extended permit tcp any host 86.x.x.234 eq 1813
static (inside,outside) tcp interface 1812 172.16.20.1 1812 netmask 255.255.255.255
static (inside,outside) tcp interface 1813 172.16.20.1 1813 netmask 255.255.255.255
access-group OUTSIDE_ACL in interface outside

These ACL commands work OK for other NAPT's that are involved.

And on the customer ASA I have these bits:

aaa-server DeviceAccess protocol radius
aaa-server DeviceAccess (outside) host 86.x.x.234
key xxxxx
authentication-port 1812
accounting-port 1813
radius-common-pw xxxxx
aaa authentication http console DeviceAccess LOCAL
aaa authentication ssh console DeviceAccess LOCAL
aaa authentication enable console DeviceAccess LOCAL


I can see from the ASDM log that when I ssh to the device it tries to create a RADIUS connection to the office device.

This is the syslog output of an attempt
2 Jan 25 2012 03:58:07 113022 AAA Marking RADIUS server 86.x.x.234 in aaa-server group DeviceAccess as FAILED

Any ideas would be greatly appreciated.
 
RAIDUS is UDP based, not TCP. try changing the ACEs and static rules to reflect that.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
That sounds like it will do the trick.
I shall try tomorrow and see.
Didnt think of that, make sense though...
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top