Solved

Authenticate outside RADIUS client to inside RADIUS Server through Cisco ASA 5505

Posted on 2012-04-09
Last Modified: 2012-08-05
I have a proprietary RADIUS client that lives at a customer's network. The client software authenticates local user wireless access requests to a RADIUS server software product that lives on our main inside network behind a Cisco ASA 5505 ver 8.2(5). I have added the NAT and firewall rules to static the inside address of the RADIUS server as well as allow "any" to the RADIUS server's ports (1812, 1813). So the inside RADIUS server has both a static rule to its inside address as well as a public IP firewall rule.
The problem is the clients at the customer network cannot authenticate to the inside radius server on the main network.

I think the ASA is stripping off the dest header and replacing it with the ASA's outside address, because I see in syslog that incoming requests are coming in fine and going out, but the client is not authenticating.

I will be working on a scrubbed config to post.
Question by:mgchar7
4 Comments

Expert Comment

by:andrew1812
ID: 37823645
Is the RADIUS server checking for the "Message-Authenticator" field? In IAS there is an option where this check can be enabled or disabled.

If this is enabled, the NAT, during the process of re-writing the original header from the client, might be forcing this value to be altered. You could check by disabling the check and trying.

Also, what is the IP of the RADIUS server which you have configured on the client (is it the outside interface IP of the ASA or the actual IP of the RADIUS server)?

Author Comment

by:mgchar7
ID: 37823830
Not sure on the Message-Authenticator field. It's just a small RADIUS server product that authenticates users to an SQL database via SIP internally. I will have to check.

The IP of the radius server on the inside is 192.168.1.101.  The NAT'd static is 14.14.14.14 (for illustration only-not the real ip).

Here is the config:

static (inside,outside) udp 14.14.14.14 1812 192.168.1.101 1812 netmask 255.255.255.255
static (inside,outside) udp 14.14.14.14 1813 192.168.1.101 1813 netmask 255.255.255.255
static (inside,outside) tcp 14.14.14.14 1812 192.168.1.101 8880 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 14.14.14.14 eq 8880
access-list outside_access_in extended permit udp any host 14.14.14.14 eq 1812
access-list outside_access_in extended permit udp any host 14.14.14.14 eq 1813

The inside radius server listens on 1812 but also communicates to clients on 1813 and 8880.
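A consistency check for the static and access-list lines posted above, as an added example (not from the thread, and not Cisco code). It assumes the ASA 8.2 (pre-8.3 NAT) behaviour where the inbound access-list on the outside interface is evaluated against the global (mapped) address and port, so each static needs a permit for its global port; the embedded config is the poster's, with the illustrative 14.14.14.14 address, and the 203.0.113.10 client address in the comments is a constructed placeholder.

```python
import re

# Pre-8.3 ASA syntax as posted in the thread:
#   static (inside,outside) <proto> <global_ip> <global_port> <local_ip> <local_port> netmask <mask>
#   access-list <name> extended permit <proto> <src> host <dst> eq <port>
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<gip>[\d.]+) (?P<gport>\d+) (?P<lip>[\d.]+) (?P<lport>\d+) netmask [\d.]+$"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit (?P<proto>tcp|udp) "
    r"(?P<src>any|host [\d.]+) host (?P<dst>[\d.]+) eq (?P<port>\d+)$"
)

# The config lines as posted in the thread (14.14.14.14 is the poster's illustrative public IP).
POSTED_CONFIG = """
static (inside,outside) udp 14.14.14.14 1812 192.168.1.101 1812 netmask 255.255.255.255
static (inside,outside) udp 14.14.14.14 1813 192.168.1.101 1813 netmask 255.255.255.255
static (inside,outside) tcp 14.14.14.14 1812 192.168.1.101 8880 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 14.14.14.14 eq 8880
access-list outside_access_in extended permit udp any host 14.14.14.14 eq 1812
access-list outside_access_in extended permit udp any host 14.14.14.14 eq 1813
"""


def parse_config(text):
    """Pull out port-level statics and single-host permits; other lines are ignored."""
    statics, permits = [], []
    for line in text.splitlines():
        line = line.strip()
        m = STATIC_RE.match(line)
        if m:
            statics.append(m.groupdict())
            continue
        m = ACL_RE.match(line)
        if m:
            permits.append(m.groupdict())
    return statics, permits


def check_port_forwards(text):
    """Cross-check every static port translation against the inbound access-list.

    On ASA 8.2 the outside-interface ACL is matched on the global (mapped)
    address and port, so a static needs a permit for its *global* port, and a
    permit for a port that no static translates forwards nothing.
    """
    statics, permits = parse_config(text)
    permitted = {(p["proto"], p["dst"], p["port"]) for p in permits}
    translated = {(s["proto"], s["gip"], s["gport"]) for s in statics}
    findings = []
    for s in statics:
        if (s["proto"], s["gip"], s["gport"]) not in permitted:
            findings.append(
                "static %s %s:%s -> %s:%s has no inbound permit for global port %s"
                % (s["proto"], s["gip"], s["gport"], s["lip"], s["lport"], s["gport"]))
    for p in permits:
        if (p["proto"], p["dst"], p["port"]) not in translated:
            findings.append(
                "permit %s to %s:%s matches no static translation, so nothing is forwarded"
                % (p["proto"], p["dst"], p["port"]))
        if p["src"] == "any":
            findings.append(
                "permit %s to %s:%s is open to any source; restrict it to the client's public IP"
                % (p["proto"], p["dst"], p["port"]))
    return findings


if __name__ == "__main__":
    for finding in check_port_forwards(POSTED_CONFIG):
        print(finding)
```

Run against the posted lines, the check reports that the tcp static maps global port 1812 but the access-list permits tcp 8880 (which no static translates), and that all three permits accept any source. Replacing the tcp permit's port with 1812 and the `any` sources with `host <client public IP>` makes the report empty.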

Accepted Solution

by: andrew1812 (earned 500 total points)
ID: 37823929
On the RADIUS client, is the RADIUS server IP address provided as 192.168.1.101 or 14.14.14.14? I presume that you would have provided 14.14.14.14 since a NAT is configured. Please correct me if my presumption is wrong.


The shared radius key , which is configured on the radius server and the client is used to create a hash. So the value of 14.14.14.14 would be used to create the hash which would be causing a mismatch on the radius server.

Check with a protocol analyzer (Wireshark) or analyze the logs on the machine (RADIUS server) and check if you are receiving RADIUS Access-Request packets on it and whether the server is sending out packets like RADIUS Access-Challenge or Access-Reject.
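The Message-Authenticator and server-response checks suggested above can be scripted. The following is an added example (not from the thread and not from any RADIUS product) that builds an Access-Request with a Message-Authenticator per RFC 2869 section 5.14 and a minimal Access-Reject with a Response Authenticator per RFC 2865 section 3, then verifies both the way a server and a client would; the shared secret, user name and NAS address are constructed values. Both authenticators are computed over the RADIUS payload and the shared secret only; the IP header that the ASA rewrites is not an input, so a failed check on the server side indicates a secret mismatch or a modified payload.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used below (RFC 2865 / RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14


def _attr(atype, value):
    """Encode one Type-Length-Value attribute (length includes the 2-byte header)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret, identifier, username, nas_ip, request_auth=None):
    """Build an Access-Request carrying a Message-Authenticator.

    The HMAC-MD5 is keyed with the shared secret and computed over the whole
    RADIUS packet with the Message-Authenticator value zeroed. Nothing from
    the IP or UDP headers enters the calculation.
    """
    if request_auth is None:
        request_auth = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the zeroed value is the last 16 bytes of the packet


def find_message_authenticator(packet):
    """Return the offset of the Message-Authenticator value, or None if absent/malformed."""
    off = 20
    while off + 2 <= len(packet):
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > len(packet):
            return None  # malformed attribute list
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            return off + 2
        off += alen
    return None


def verify_message_authenticator(secret, packet):
    """Server-side check: True if the Message-Authenticator matches the shared secret."""
    off = find_message_authenticator(packet)
    if off is None:
        return False
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[off:off + 16])


def build_response(secret, code, request):
    """Build an Access-Accept/Reject for `request` with a Response Authenticator.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    (RFC 2865 section 3); again no IP addresses are involved.
    """
    identifier = request[1]
    request_auth = request[4:20]
    attrs = b""  # this minimal response carries no attributes
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret, response, request):
    """Client-side check of the Response Authenticator against the original request."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    # Constructed values for illustration; not the poster's real secret or hosts.
    secret = b"constructed-shared-secret"
    req = build_access_request(secret, 7, "alice", "10.0.0.5")
    print("request verifies with correct secret:", verify_message_authenticator(secret, req))
    print("request verifies with wrong secret:  ", verify_message_authenticator(b"other", req))
    rej = build_response(secret, ACCESS_REJECT, req)
    print("reject verifies on client:           ", verify_response(secret, rej, req))
```

To apply this to a capture, feed the UDP payload of an Access-Request seen on the server into `verify_message_authenticator` with the server's configured secret: a packet that arrived through the static translation verifies exactly as it would have on the inside, while a secret mismatch or a byte changed anywhere in the payload fails.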
Author Comment

by:mgchar7
ID: 37824049
The IP is 14.14.14.14

Is all that is necessary to extend RADIUS authentication from an inside (ASA) RADIUS server to an outside RADIUS client that we NAT and static the inside ports to an outside IP, provide the outside client with the public IP, and then set the rules in the firewall to either allow any outside connection to the public IP or allow only the client's public IP?
I am mainly concerned that the ASA should have an inspection map or radius proxy to properly interpret and NAT radius authentication requests from an outside radius client.