paradigm_IS asked:
Cisco Wireless Access point having trouble contacting RADIUS server over VPN tunnel

Hi,

We have a Cisco 1602i access point in an office that is geographically remote from the home office, which is where the RADIUS server we wish to authenticate against lives.

The offices are joined by a VPN tunnel between an ASA 5510 (home office) where the RADIUS server lives and an ASA5505 in the remote office where the AP lives.

However, the AP cannot contact the RADIUS server even though the tunnel is wide open, with no port restrictions.  We also cannot connect to the remote AP's GUI or SSH to it from the network where the RADIUS server lives.

The AP is up and we can manage it by using a computer on the same network as it.  SSH, GUI, Telnet all work.  It doesn't even respond to pings, even though other devices do on the same network.


So my basic question is: can a Cisco AP only contact devices on the same subnet? That would seem like a silly limitation for an enterprise device that would be deployed in a remote setting.

We have Cisco SmartNet on the access point, but not on the firewalls. Cisco has commented that it could be a VPN tunnel issue and that we should contact their VPN support group, but we do not have paid Cisco SmartNet support for that.

Thanks,
ASKER CERTIFIED SOLUTION (Soulja, United States)
paradigm_IS (ASKER):
I've figured it out.

We had an ip route command pointing to the wrong IP.
I've requested that this question be closed as follows:

Accepted answer: 0 points for paradigm_IS's comment #a39487735

for the following reason:

The ip route command in the AP was pointing to a nonexistent address.

Soulja:

My comment was in regards to checking the gateway, which in turn is a route. Per the author's comment, "pointed to wrong ip".
paradigm_IS (ASKER):

I see your point in contesting the solution.  However, the AP did have the correct default gateway configured for the BVI1 interface, using the following commands, but it still wasn't working:

interface BVI1
 ip address 10.0.2.4 255.255.255.0
!
ip default-gateway 10.0.2.1

However, someone else brought it to my attention that the ip route command was incorrectly pointing to a different IP than the default gateway, and I didn't realize that the ip route needed to be the same as the default gateway.

Not sure why Cisco has this configured in two places. Nor do I know what the ip route command does versus the ip default-gateway command.

Soulja:

You proved my point. The default gateway and the default route you changed are one and the same, but I will not harp on it.
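The thread's root cause is a configuration inconsistency, not a tunnel problem: the AP carried both `ip default-gateway` and a static `ip route` default, and the static route's next hop was an address that did not exist. On IOS in general, `ip default-gateway` is consulted only when IP routing is disabled; once a static default route exists, that route is what forwarding uses, so the two must agree (and the next hop must sit on the BVI1 subnet, or the AP cannot ARP for it). The following is an added example written for this page, not code from the thread or from Cisco: a small configuration lint that parses an Aironet-style running-config and reports exactly the class of mismatch the asker hit. The three configs are constructed samples modelled on the addresses quoted in the thread; the `10.0.2.254` and `192.168.1.1` next hops are assumptions chosen to illustrate the failure modes.

```python
import ipaddress

# Constructed sample modelled on the thread: gateway and default route disagree.
MISMATCH_CONFIG = """\
!
interface BVI1
 ip address 10.0.2.4 255.255.255.0
!
ip default-gateway 10.0.2.1
ip route 0.0.0.0 0.0.0.0 10.0.2.254
!
"""

# Constructed sample: the corrected configuration (both point at 10.0.2.1).
FIXED_CONFIG = """\
interface BVI1
 ip address 10.0.2.4 255.255.255.0
!
ip default-gateway 10.0.2.1
ip route 0.0.0.0 0.0.0.0 10.0.2.1
"""

# Constructed sample: next hop not even on the BVI1 subnet (assumed address).
OFF_SUBNET_CONFIG = """\
interface BVI1
 ip address 10.0.2.4 255.255.255.0
!
ip default-gateway 10.0.2.1
ip route 0.0.0.0 0.0.0.0 192.168.1.1
"""


def parse_config(config):
    """Extract the BVI1 address, the ip default-gateway, and all static routes.

    Returns (bvi_interface, gateway, [(destination_network, next_hop), ...]).
    Only the line shapes seen on Aironet IOS APs are handled.
    """
    current_iface = None
    bvi = None
    gateway = None
    routes = []
    for line in config.splitlines():
        if line.startswith("interface "):
            current_iface = line.split()[1]
            continue
        stripped = line.strip()
        if stripped.startswith("ip address ") and current_iface == "BVI1":
            _, _, addr, mask = stripped.split()
            bvi = ipaddress.ip_interface(f"{addr}/{mask}")
        elif stripped.startswith("ip default-gateway "):
            gateway = ipaddress.ip_address(stripped.split()[2])
        elif stripped.startswith("ip route "):
            # ip route <prefix> <mask> <next-hop>
            parts = stripped.split()
            dest = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            routes.append((dest, ipaddress.ip_address(parts[4])))
    return bvi, gateway, routes


def check_default_path(config):
    """Return a list of findings; an empty list means the default path is consistent."""
    bvi, gateway, routes = parse_config(config)
    if bvi is None:
        return ["BVI1 has no ip address configured"]
    subnet = bvi.network
    findings = []
    if gateway is not None and gateway not in subnet:
        findings.append(f"ip default-gateway {gateway} is not on BVI1 subnet {subnet}")
    # The static default route is what forwarding actually follows when present.
    for dest, next_hop in routes:
        if dest.prefixlen != 0:
            continue
        if next_hop not in subnet:
            findings.append(
                f"ip route 0.0.0.0 0.0.0.0 {next_hop}: next hop not on BVI1 subnet {subnet}"
            )
        if gateway is not None and next_hop != gateway:
            findings.append(
                f"default route next hop {next_hop} differs from ip default-gateway {gateway}"
            )
    return findings


if __name__ == "__main__":
    for name, cfg in [("mismatch", MISMATCH_CONFIG),
                      ("fixed", FIXED_CONFIG),
                      ("off-subnet", OFF_SUBNET_CONFIG)]:
        print(name, check_default_path(cfg) or "OK")
```

Run it against `show running-config` output pasted into a file; a clean result does not prove the next hop is alive (the thread's address was on-subnet but nonexistent), so follow a clean lint with `ping` to the next hop from the AP and `traceroute` to the RADIUS server before blaming the VPN.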