The following problem relates to having two sites connected using PIX infrastructure: a primary site and a remote location that use a pseudo MPLS IP/VPN service, hence the requirement for an extra PIX IPsec environment. The clients at the remote site will be required to connect to a switch, but they will be required to authenticate with a RADIUS server at the primary site end. This is an interim requirement from our security people while the office is restructured.
When monitoring a connection, it appears that the RADIUS request is not forwarded via a DMZ interface. The PIX at the remote end does not appear to process the RADIUS request. This can be determined with DEBUG PACKET from either the primary PIX or the remote PIX: no traffic is generated for the request. The PIX will report a failure, not able to connect.
Does the RADIUS server have to be located on the 'INSIDE' interface?
A request to a TACACS server located on the DMZ will work. For another TACACS server, the information can be seen to be sent both with a key and without a key. This issue would relate to the server.
aaa-server RADIUS protocol radius
aaa-server RADIUS (dmz1) host x.x.x.y shared-key timeout 5
aaa-server RADIUS (dmz1) host x.x.x.z shared-key timeout 5
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication match inside_authentication_RADIUS inside RADIUS
!! For test purposes, if I telnet from the switch to a host
access-list inside_authentication_RADIUS permit tcp host 192.168.242.4 any eq telnet
!! I am prompted for a RADIUS response, but this will fail.
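As an added diagnostic (not part of the original post or the PIX configuration above): a minimal RFC 2865 RADIUS client in Python that builds an Access-Request the way a NAS does, hides the password with the shared key, sends it to the DMZ server and checks the Response Authenticator on whatever comes back. Run from a host that can reach the server, it separates three cases the PIX debug lumps together: no reply at all, a reply signed with a different key, and a genuine accept/reject. The server address, shared key, test user and NAS IP are placeholders you supply; port 1812 is the RFC port (older PIX code defaults to 1645, so match whatever the server listens on).

```python
import hashlib, os, socket, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
def _attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def hide_password(data, secret, authenticator, encrypt=True):
    # RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block).
    # Chaining on the ciphertext block makes the same loop decrypt (encrypt=False).
    padded = data.ljust(-(-len(data) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = padded[i:i + 16]
        result = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + result, (result if encrypt else block)
    return out if encrypt else out.rstrip(b"\x00")

def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    # Access-Request as a NAS (here the PIX) sends it: 4-byte header, 16-byte authenticator, attributes.
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs, authenticator

def build_response(code, ident, request_auth, secret, attrs=b""):
    # What a server holding the same key returns: authenticator = MD5(header + RequestAuth + attrs + secret).
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def response_is_authentic(reply, request_auth, secret):
    # A reply only verifies if the server used the same shared key we used.
    if len(reply) < 20 or int.from_bytes(reply[2:4], "big") != len(reply):
        return False
    return build_response(reply[0], reply[1], request_auth, secret, reply[20:]) == reply

def probe(server, secret, username, password, nas_ip, port=1812, timeout=5):
    # None: no reply at all (blocked path, or the server has no client entry for the
    # source address it sees). 'bad-key': the server answered using a different shared key.
    packet, auth = build_access_request(1, secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    if not response_is_authentic(reply, auth, secret):
        return "bad-key"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "other")
```

When the PIX itself is the NAS, the server sees the PIX's DMZ-facing address as the client, not the switch's 192.168.242.4, so that is the address the server's client entry and key must match.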