Solved

Authenticate outside RADIUS client to inside RADIUS Server through Cisco ASA 5505

Posted on 2012-04-09
Last Modified: 2012-08-05
I have a proprietary RADIUS client that lives at a customer's network. The client software authenticates local user wireless access requests to a RADIUS server software product that lives on our main inside network behind a Cisco ASA 5505 ver 8.2(5). I have added the NAT and Firewall Rules to static the inside address of the RADIUS Server as well as allow "any" to the RADIUS Server's ports (1812, 1813). So the inside radius server has both a static rule to its inside address as well as a public ip firewall rule.
The problem is the clients at the customer network cannot authenticate to the inside radius server on the main network.

I think the ASA is stripping off the dest header and replacing it with the ASA outside address of the ASA because I see in syslog that incoming requests are coming fine and going out but the client is not authenticating.

I will be working on a scrubbed config to post.
Question by:mgchar7
4 Comments
 
LVL 5

Expert Comment

by:andrew1812
ID: 37823645
Is the radius server checking for the "Message authenticator" field? In IAS there is an option where this check can be enabled or disabled.

If this is enabled, the NAT, during the process of re-writing the original header from the client, might be forcing this value to be altered. You could check by disabling the check and trying.

Also, what is the IP of the radius server which you have configured on the client (is it the outside interface IP of the ASA or the actual IP of the radius server)?
 

Author Comment

by:mgchar7
ID: 37823830
Not sure on the Message auth field. It's just a small radius server product that authenticates users to an SQL database via SIP internally. I will have to check.

The IP of the radius server on the inside is 192.168.1.101. The NAT'd static is 14.14.14.14 (for illustration only, not the real ip).

Here is the config:

static (inside,outside) udp 14.14.14.14 1812 192.168.1.101 1812 netmask 255.255.255.255
static (inside,outside) udp 14.14.14.14 1813 192.168.1.101 1813 netmask 255.255.255.255
static (inside,outside) tcp 14.14.14.14 1812 192.168.1.101 8880 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 14.14.14.14 eq 8880
access-list outside_access_in extended permit udp any host 14.14.14.14 eq 1812
access-list outside_access_in extended permit udp any host 14.14.14.14 eq 1813

The inside radius server listens on 1812 but also communicates to clients on 1813 and 8880.
 
LVL 5

Accepted Solution

by:
andrew1812 earned 2000 total points
ID: 37823929
On the radius client, is the radius server IP address provided as 192.168.1.101 or 14.14.14.14? I presume that you would have provided 14.14.14.14 since a NAT is configured; please correct me if my presumption is wrong.


The shared radius key, which is configured on the radius server and the client, is used to create a hash. So the value of 14.14.14.14 would be used to create the hash, which would be causing a mismatch on the radius server.

Check with a protocol analyzer (wireshark) or analyze the logs on the machine (radius server) and check if you are receiving radius access-request packets on it and whether the server is sending out packets like radius access-challenge or access-reject.
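Added here as an example, not code from this thread or from any of the products mentioned: a minimal, byte-exact implementation of the two RADIUS integrity checks the comments above refer to, the Response Authenticator of RFC 2865 and the Message-Authenticator attribute of RFC 2869, so a defender can see precisely which bytes the shared secret covers. The secret, user name and NAS address below are constructed example values; the inputs to both checks are the RADIUS packet bytes only, so a verification failure points at the packet contents or the secret, not at the IP header.

```python
import hashlib
import hmac
import struct

# Constructed example values (not from the thread).
SECRET = b"example-shared-secret"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 80


def tlv(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier, request_auth, attrs, secret):
    """Build an Access-Request carrying a Message-Authenticator (RFC 2869 5.14).
    The HMAC-MD5 keyed with the shared secret covers Code, Identifier, Length,
    the 16-byte Request Authenticator and every attribute, with the
    Message-Authenticator value itself set to 16 zero bytes while computing."""
    body = attrs + tlv(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + attrs + tlv(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret):
    """Server-side check: zero the received Message-Authenticator, recompute the
    HMAC over the packet and compare in constant time. Returns False if the
    attribute is absent, so a server that requires it rejects such packets."""
    header, body = packet[:20], packet[20:]
    offset, zeroed, received = 0, b"", None
    while offset + 2 <= len(body):
        attr_type, length = body[offset], body[offset + 1]
        value = body[offset + 2:offset + length]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            received, value = value, b"\x00" * 16
        zeroed += tlv(attr_type, value)
        offset += length
    if received is None:
        return False
    expected = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """Response Authenticator (RFC 2865 section 3) that a client checks on an
    Access-Accept/Reject/Challenge: MD5 over Code, ID, Length, the Request
    Authenticator from the matching request, the attributes and the secret."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()
```

Wireshark's RADIUS dissector performs the same Message-Authenticator recomputation when the shared secret is entered in its protocol preferences, which is the quickest way to tell a secret mismatch from a packet that never arrived.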
 

Author Comment

by:mgchar7
ID: 37824049
The IP is 14.14.14.14

Is all that is necessary to extend RADIUS Authentication from an inside (ASA) RADIUS server to an outside RADIUS Client that we NAT and STATIC the inside ports to an outside IP, provide the outside client with the public ip, and then set the rules in the firewall to either allow any outside connection to the public ip or allow by the client's public ip?
I am mainly concerned that the ASA should have an inspection map or radius proxy to properly interpret and NAT radius authentication requests from an outside radius client.
