OK so this is an experiment.
I have 2 ASA's.
One that terminates my Internet connection at my office.
On this I have setup a RADIUS auth for device access to a server running AD and NPS and this works fine.
The second ASA is at a customers premises and what I am trying to do is to use the RADIUS server on the network at my office to authenticate users accessing the device. Thus if you wanted to login to the ASA at the customers premises you would need to be in the correct AD group on my domain.
So the idea seems clever to me but for implementation I am having some troubles.
So on the office based ASA I have these bits:
access-list OUTSIDE_ACL extended permit tcp any host 86.x.x.234 eq 1812
access-list OUTSIDE_ACL extended permit tcp any host 86.x.x.234 eq 1813
static (inside,outside) tcp interface 1812 172.16.20.1 1812 netmask 255.255.255.255
static (inside,outside) tcp interface 1813 172.16.20.1 1813 netmask 255.255.255.255
access-group OUTSIDE_ACL in interface outside
These ACL commands work OK for other NAPT's that are involved.
And on the customer ASA I have these bits:
aaa-server DeviceAccess protocol radius
aaa-server DeviceAccess (outside) host 86.x.x.234
key xxxxx
authentication-port 1812
accounting-port 1813
radius-common-pw xxxxx
aaa authentication http console DeviceAccess LOCAL
aaa authentication ssh console DeviceAccess LOCAL
aaa authentication enable console DeviceAccess LOCAL
I can see from the ASDM log that when I ssh to the device it tries to create a RADIUS connection to the office device.
This is the syslog output of an attempt
2 Jan 25 2012 03:58:07 113022 AAA Marking RADIUS server 86.x.x.234 in aaa-server group DeviceAccess as FAILED
Any ideas would be greatly appreciated.
I have 2 ASA's.
One that terminates my Internet connection at my office.
On this I have setup a RADIUS auth for device access to a server running AD and NPS and this works fine.
The second ASA is at a customers premises and what I am trying to do is to use the RADIUS server on the network at my office to authenticate users accessing the device. Thus if you wanted to login to the ASA at the customers premises you would need to be in the correct AD group on my domain.
So the idea seems clever to me but for implementation I am having some troubles.
So on the office based ASA I have these bits:
access-list OUTSIDE_ACL extended permit tcp any host 86.x.x.234 eq 1812
access-list OUTSIDE_ACL extended permit tcp any host 86.x.x.234 eq 1813
static (inside,outside) tcp interface 1812 172.16.20.1 1812 netmask 255.255.255.255
static (inside,outside) tcp interface 1813 172.16.20.1 1813 netmask 255.255.255.255
access-group OUTSIDE_ACL in interface outside
These ACL commands work OK for other NAPT's that are involved.
And on the customer ASA I have these bits:
aaa-server DeviceAccess protocol radius
aaa-server DeviceAccess (outside) host 86.x.x.234
key xxxxx
authentication-port 1812
accounting-port 1813
radius-common-pw xxxxx
aaa authentication http console DeviceAccess LOCAL
aaa authentication ssh console DeviceAccess LOCAL
aaa authentication enable console DeviceAccess LOCAL
I can see from the ASDM log that when I ssh to the device it tries to create a RADIUS connection to the office device.
This is the syslog output of an attempt
2 Jan 25 2012 03:58:07 113022 AAA Marking RADIUS server 86.x.x.234 in aaa-server group DeviceAccess as FAILED
Any ideas would be greatly appreciated.
