mgchar7 asked:
Authenticate outside RADIUS client to inside RADIUS Server through Cisco ASA 5505

I have a proprietary RADIUS client that lives at a customer's network.  The client software authenticates local user wireless access requests to a RADIUS server software product that lives on our main inside network behind a Cisco ASA 5505 ver 8.2(5).  I have added the NAT and Firewall Rules to static the inside address of the RADIUS Server as well as allow "any" to the RADIUS Server's ports (1812, 1813).  So the inside radius server has both a static rule to its inside address as well as a public IP firewall rule.
The problem is the clients at the customer network cannot authenticate to the inside radius server on the main network.

I think the ASA is stripping off the dest header and replacing it with the ASA's outside address, because I see in syslog that incoming requests are coming in fine and going out, but the client is not authenticating.

I will be working on a scrubbed config to post.
andrew1812 replied:

Is the RADIUS server checking the "Message Authenticator" field? In IAS there is an option where this check can be enabled or disabled.

If this is enabled, the NAT, during the process of re-writing the original header from the client, might be forced to alter this value. You could check by disabling the check and trying.

Also, what is the IP of the RADIUS server which you have configured on the client (is it the outside interface IP of the ASA or the actual IP of the RADIUS server)?
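An added illustration (not part of the thread) of what the Message-Authenticator check actually covers: per RFC 2869 it is HMAC-MD5, keyed with the shared secret, over the RADIUS packet only, so a NAT that rewrites just the IP and UDP headers cannot change it; it fails only when the two ends use different shared secrets or the RADIUS bytes themselves are altered. The shared secret, Request Authenticator, user name, password and NAS address below are constructed sample values.

```python
import hashlib
import hmac
import struct

# Attribute type numbers from RFC 2865 / RFC 2869.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80
ACCESS_REQUEST = 1  # packet code

# Constructed sample values (not from the thread); real ones are secret/random.
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))  # Request Authenticator; must be random in real use

def _attr(atype, value):
    # One attribute: Type (1 byte), Length (1 byte, header included), Value.
    return bytes([atype, len(value) + 2]) + value

def encrypt_password(secret, req_auth, password):
    # RFC 2865 5.2: pad to 16 bytes, XOR with MD5(secret + Request Authenticator).
    pad = hashlib.md5(secret + req_auth).digest()
    return bytes(a ^ b for a, b in zip(password.ljust(16, b"\x00"), pad))

def build_access_request(secret, ident, req_auth, username, password, nas_ip):
    # Assemble the packet with a zeroed Message-Authenticator, then fill it with
    # HMAC-MD5(secret, whole packet) as RFC 2869 5.14 requires.
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, encrypt_password(secret, req_auth, password))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac  # Message-Authenticator is the last attribute

def verify_message_authenticator(secret, packet):
    # Server-side check: find the Message-Authenticator, zero it, recompute, compare.
    # Only the RADIUS payload is covered, so rewriting IP/UDP headers cannot break
    # it; a mismatch means a different shared secret or altered RADIUS bytes.
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False  # malformed attribute length
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False  # attribute absent
```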
mgchar7 (Asker) replied:
Not sure on the Message Authenticator field.  It's just a small RADIUS server product that authenticates users to an SQL database via SIP internally.  I will have to check.

The IP of the radius server on the inside is 192.168.1.101.  The NAT'd static is 14.14.14.14 (for illustration only-not the real ip).

Here is the config:

static (inside,outside) udp 14.14.14.14 1812 192.168.1.101 1812 netmask 255.255.255.255
static (inside,outside) udp 14.14.14.14 1813 192.168.1.101 1813 netmask 255.255.255.255
static (inside,outside) tcp 14.14.14.14 1812 192.168.1.101 8880 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 14.14.14.14 eq 8880
access-list outside_access_in extended permit udp any host 14.14.14.14 eq 1812
access-list outside_access_in extended permit udp any host 14.14.14.14 eq 1813

The inside radius server listens on 1812 but also communicates to clients on 1813 and 8880.
ASKER CERTIFIED SOLUTION by andrew1812
mgchar7 (Asker) replied:
The IP is 14.14.14.14

Is all that is necessary to extend RADIUS Authentication from an inside (ASA) RADIUS server to an outside RADIUS Client that we NAT and STATIC the inside ports to an outside IP, provide the outside client with the public IP, and then set the rules in the firewall to either allow any outside connection to the public IP or allow by the client's public IP?
I am mainly concerned that the ASA should have an inspection map or radius proxy to properly interpret and NAT radius authentication requests from an outside radius client.