?
Solved

Radius Authentication to Server Remote from VPN Endpoint

Posted on 2010-11-15
11
Medium Priority
?
1,018 Views
Last Modified: 2013-11-21
Hi,

I have users who dial-in to an ASA and authenticate via RADIUS to a server at Site A. There is a heavily used site-to-site VPN between site A and Site B. At site B there is another RADIUS server used to authenticate users who dial-in to Site B.

The RADIUS server at site A has gone down so I've added the Site B radius server to the AAA server groups but I'm unable to successfully authenticate across the site-to-site VPN. I've tried adding explicit firewall rules as packet tracer indicates that the failure is due to the implicit ACL but still won't connect.

Any idea how to achieve this?

Thanks.
0
Comment
Question by:TSG_Users
  • 3
  • 2
5 Comments
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 34193546
What RADIUS is it? Windows IAS?
Can you ping the RADIUS server at site B from ASA command line? Most probably, the interesting traffic does not include the firewall itself.
0
 
LVL 1

Author Comment

by:TSG_Users
ID: 34195202
Hi,

Yes it is IAS and the ACL defines the inside-network/24 to remote-network/24 which includes both the ASA's inside interface address and the remote network entire subnet.

I can't ping the remote server from the ASA, so probably one and the same issue.
0
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 2000 total points
ID: 34196809
The workaround is typically to issue the command management-access inside at global config, then most probably ping will work (assuming that icmp inspection is in place). If RADIUS still doesnt work although ping works, upgrae your ios to at least 8.0(4), define the RADIUS in asa as following

aaa-server Namehere (inside) host x.x.x.x (IAS server private IP)

Please double-check your port settings etc (1812,1813)
If still doesnt work, then set reverse route injection for the VPN tunnel at both ends, disconnect/reconnect the tunnel and then try again.

If still no joy, I will suggest a different workaround
0
 
LVL 1

Author Comment

by:TSG_Users
ID: 34230218
Upgrade of the IOS seemed to fix it, thanks.

Will RRI work on networks where you are not using a routing protocol?
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 34231996
Reverse route injection is primarily designed for VPN tunnels, so no routing protocol will be required. Routes get installed once the tunnel is up
0

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

This article is about building a site to site VPN tunnels in Cisco CSR1000V router with IOS XE. There are two Policy Based IPsec VPN tunnels configured on CSR1000V router one with NAT and another without NAT.
Fix RPC Server is unavailable Error in Exchange 2013, 2010, 2007, and 2003 Server. Different reason can such as network connectivity issue, name resolution issue, firewall, registry corruption that lead to RPC Server Unavailable error.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

569 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question