Authenticate outside RADIUS client to inside RADIUS Server through Cisco ASA 5505

Posted on 2012-04-09
Medium Priority
Last Modified: 2012-08-05
I have a proprietary RADIUS client that lives at a customer's network.  The client software authenticates local user wireless access requests to a RADIUS server software product that lives on our main inside network behind a Cisco ASA 5505 ver8.2 (5).  I have added the NAT and Firewall Rules to static the inside address of the RADIUS Server as well as allow "any" to the RADIUS Server's ports (1812, 1813).  So the inside radius server has both a static rule to its inside address as well as a public ip firewall rule.
The problem is the clients at the customer network cannot authenticate to the inside radius server on the main network.

I think the ASA is stripping off the dest header and replacing it with the ASA outside address of the ASA because I see in syslog that incoming requests are coming fine and going out but the client is not authenticating.

I will be working on a scrubbed config to post.
Question by:mgchar7

Expert Comment

ID: 37823645
Is the radius server checking for the "Message authenticator field". In IAS there is an option where this option can be enabled or disabled.

If this is enabled, the NAT , during the process of re-writing the original header from the client, might be forcing to alter this value. You could check by disabling the check and trying.

Also what is the IP of the radius server which you have configured on the client (Is it the outside interface IP of ASA or actual IP of the radius server ) ?

Author Comment

ID: 37823830
Not sure on the Message auth field.  It's just a small radius server product that authenticates users to an SQL database via SIP internally.  I will have to check.

The IP of the radius server on the inside is  The NAT'd static is (for illustration only-not the real ip).

Here is the config:

static (inside,outside) udp 1812 1812 netmask
static (inside,outside) udp 1813 1813 netmask
static (inside,outside) tcp 1812 8880 netmask

access-list outside_access_in extended permit tcp any host eq 8880
access-list outside_access_in extended permit udp any host eq 1812
access-list outside_access_in extended permit udp any host eq 1813

The inside radius server listens on 1812 but also communicates to clients on 1813 and 8880.

Accepted Solution

andrew1812 earned 2000 total points
ID: 37823929
On the radius client , is the radius server IP address provided as or I presume that you would have provided since a NAT is configured. please correct if my presumption is wrong

The shared radius key , which is configured on the radius server and the client is used to create a hash. So the value of would be used to create the hash which would be causing a mismatch on the radius server.

Check with a protocol analyzer (wireshark) or analyze the logs on the machine (radius server) and check if you are receiving radius access-request packets on it and whether the server is sending out packets like radius access-challenge or access-reject.

Author Comment

ID: 37824049
The IP is

Is all that is necessary to extend RADIUS Authentication from an inside (ASA) RADIUS server to an outside RADIUS Client is that we NAT and STATIC the inside ports to an outside IP, provide the outside client with the public ip and then set the rules in the firewall to either allow any outside connection to the public ip or allow by clients public ip?  
I am mainly concerned that the ASA should have an inspection map or radius proxy to properly interpret and NAT radius authentication requests from an outside radius client.
