Solved

Authenticate outside RADIUS client to inside RADIUS Server through Cisco ASA 5505

Posted on 2012-04-09
Last Modified: 2012-08-05
I have a proprietary RADIUS client that lives at a customer's network. The client software authenticates local user wireless access requests to a RADIUS server software product that lives on our main inside network behind a Cisco ASA 5505 ver 8.2(5). I have added the NAT and firewall rules to static the inside address of the RADIUS server as well as allow "any" to the RADIUS server's ports (1812, 1813). So the inside RADIUS server has both a static rule to its inside address as well as a public IP firewall rule.
The problem is the clients at the customer network cannot authenticate to the inside RADIUS server on the main network.

I think the ASA is stripping off the destination header and replacing it with the outside address of the ASA, because I see in syslog that incoming requests are coming in fine and going out, but the client is not authenticating.

I will be working on a scrubbed config to post.
Question by:mgchar7
4 Comments

Expert Comment

by:andrew1812
ID: 37823645
Is the RADIUS server checking the "Message-Authenticator" field? In IAS there is an option where this check can be enabled or disabled.

If this is enabled, the NAT, during the process of re-writing the original header from the client, might be altering this value. You could check by disabling the check and trying.

Also, what is the IP of the RADIUS server which you have configured on the client (is it the outside interface IP of the ASA or the actual IP of the RADIUS server)?

Author Comment

by:mgchar7
ID: 37823830
Not sure on the Message-Authenticator field. It's just a small RADIUS server product that authenticates users to an SQL database via SIP internally. I will have to check.

The IP of the RADIUS server on the inside is 192.168.1.101. The NAT'd static is 14.14.14.14 (for illustration only, not the real IP).

Here is the config:

static (inside,outside) udp 14.14.14.14 1812 192.168.1.101 1812 netmask 255.255.255.255
static (inside,outside) udp 14.14.14.14 1813 192.168.1.101 1813 netmask 255.255.255.255
static (inside,outside) tcp 14.14.14.14 1812 192.168.1.101 8880 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 14.14.14.14 eq 8880
access-list outside_access_in extended permit udp any host 14.14.14.14 eq 1812
access-list outside_access_in extended permit udp any host 14.14.14.14 eq 1813

The inside RADIUS server listens on 1812 but also communicates to clients on 1813 and 8880.

Accepted Solution

by: andrew1812 (earned 500 total points)
ID: 37823929
On the RADIUS client, is the RADIUS server IP address provided as 192.168.1.101 or 14.14.14.14? I presume that you would have provided 14.14.14.14 since a NAT is configured. Please correct me if my presumption is wrong.

The shared RADIUS key, which is configured on the RADIUS server and the client, is used to create a hash. So the value of 14.14.14.14 would be used to create the hash, which would be causing a mismatch on the RADIUS server.

Check with a protocol analyzer (Wireshark) or analyze the logs on the machine (RADIUS server) and check whether you are receiving RADIUS Access-Request packets on it and whether the server is sending out packets like RADIUS Access-Challenge or Access-Reject.
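An added example, not from this thread, that shows exactly what the shared secret feeds into: the Message-Authenticator of RFC 2869 is an HMAC-MD5 keyed with the secret over the RADIUS packet (with that attribute's value zeroed), and the Response Authenticator of RFC 2865 is MD5 over the packet header, Request Authenticator, attributes and secret. Recomputing these against an Access-Request seen in a Wireshark capture on the server side tells you whether a reject is a shared-secret problem or a client-entry problem. The secret, identifier and attribute values below are constructed for the demo.

```python
import hashlib
import hmac
import struct

# RADIUS header (RFC 2865): code(1) id(1) length(2) authenticator(16), then attributes
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 80


def attr(attr_type, value):
    """Encode one attribute as type(1) length(1) value (length counts the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, ident, request_auth, attrs):
    """Build an Access-Request carrying a Message-Authenticator (RFC 2869 section 5.14).
    HMAC-MD5 input is the whole RADIUS packet with the attribute value set to 16 zero
    bytes; the IP and UDP headers are not part of the input."""
    body = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # the zeroed value is the last 16 bytes we appended


def verify_message_authenticator(pkt, secret):
    """Locate Message-Authenticator, zero it, recompute the HMAC and compare."""
    pos = 20
    while pos + 2 <= len(pkt):
        attr_type, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            return False  # malformed attribute list
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            received = pkt[pos + 2:pos + 18]
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += length
    return False  # attribute absent, nothing to verify


def response_authenticator(code, ident, request_auth, attrs, secret):
    """Response Authenticator (RFC 2865 section 3):
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))  # constructed; a real client uses 16 random bytes
    attrs = attr(ATTR_USER_NAME, b"alice") + attr(ATTR_NAS_IP_ADDRESS, bytes([192, 168, 1, 50]))
    pkt = build_access_request(secret, 7, request_auth, attrs)
    print("valid with correct secret:", verify_message_authenticator(pkt, secret))
    print("valid with wrong secret:  ", verify_message_authenticator(pkt, b"other-secret"))
    print("Access-Accept authenticator:", response_authenticator(ACCESS_ACCEPT, 7, request_auth, b"", secret).hex())
```

Neither function takes a source or destination address as input, so the same bytes verify whether they arrived from 192.168.1.101 or from a NAT address.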

Author Comment

by:mgchar7
ID: 37824049
The IP is 14.14.14.14.

Is all that is necessary to extend RADIUS authentication from an inside (ASA) RADIUS server to an outside RADIUS client that we NAT and static the inside ports to an outside IP, provide the outside client with the public IP, and then set the rules in the firewall to either allow any outside connection to the public IP or allow by the client's public IP?
I am mainly concerned that the ASA should have an inspection map or RADIUS proxy to properly interpret and NAT RADIUS authentication requests from an outside RADIUS client.
