ASA RADIUS configuration

I was using the RADIUS lesson to configure an ASA 5505 for management authentication. However, I have been unsuccessful. I am using freeRADIUS installed on a laptop, 192.168.255.176/24.
The ASA 5505 is 192.168.8.5/24. FreeRADIUS can ping the ASA inside interface, but the ASA can’t ping the FreeRADIUS server. Configurations below. I was looking in the forum for a related post but did not find anything. If there is a sample RADIUS configuration to reference, I can use the link some time.

ASA 5505
aaa authentication http console radius LOCAL
aaa authentication enable console radius LOCAL
aaa authentication ssh console radius LOCAL
aaa-server radius protocol radius
aaa-server radius (inside) host 192.168.255.176
 key MY_KEY

FreeRADIUS
client 192.168.8.5 {
    secret    = MY_KEY
    nastype   = cisco
    shortname = router
}

I don’t think the ASA is reaching the RADIUS server.

Thanks
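As an added example (not from the original post, and not FreeRADIUS or ASA code), here is what the two sides above actually exchange on the wire, so the shared secret and a server reply can be checked independently of the ASA: the RFC 2865 User-Password hiding with the shared secret, the Access-Request layout, and the Response Authenticator a genuine reply must carry. MY_KEY is the constructed secret from the post; the username and password are made up.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_decrypt(enc, secret, authenticator):
    """Inverse of pap_encrypt (what the server does); strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(enc), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(enc[i:i + 16], mask))
        prev = enc[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username, password, secret, ident=0, authenticator=None):
    """Access-Request with User-Name (type 1) and User-Password (type 2); returns (packet, Request Authenticator)."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in ((1, username.encode()), (2, pap_encrypt(password.encode(), secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs, authenticator

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def response_is_authentic(response, request_authenticator, secret):
    """A reply that fails this check was forged or was signed with a different shared secret than ours."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return expected == response[4:20]
```

If the Access-Request is sent to UDP/1812 and nothing comes back at all, the packet either never reached the server or the sending IP is not listed in clients.conf, since FreeRADIUS silently drops requests from unknown clients; a wrong secret instead shows up as an Access-Reject or a reply that fails response_is_authentic.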

Hello Donald

In your post you mention that the freeRADIUS server has an IP address of 192.168.255.176/24 and that the ASA has an IP address of 192.168.8.5/24. Can you tell us a little more about your topology? Is the freeRadius server directly connected to an ASA interface, and if so, which one? If not, via what interface does it connect? Also, the IP address of the ASA, is that an INSIDE interface?

The reason I’m asking is that the ASA, by default, allows certain communications to take place while blocking others. The issue doesn’t seem to be related to RADIUS or to the ASA AAA config but to basic connectivity.

Also, the fact that freeRADIUS can ping the ASA while the opposite is not possible indicates that the issue is indeed connectivity. If a ping is possible in one direction it should be possible in the other. However, when pinging from the ASA, it may use a different source interface, resulting in different behavior.

Let us know these details about your topology so we can help you further with your troubleshooting.

I hope this has been helpful!

Laz


I think the issue is the 192.168.8.0 subnet in the middle. The RADIUS server is inside a VMware Workstation VM running on the PC.

The .176 in the diagram should be over by the freeRADIUS VM.

8.0 255.255.255.0 is directly connected, inside
L        192.168.8.1 255.255.255.255 is directly connected, inside
C        192.168.12.0 255.255.255.0 is directly connected, outside
L        192.168.12.221 255.255.255.255 is directly connected, outside
S     192.168.255.0 255.255.255.0 [1/0] via 192.168.255.5, inside

I bridged the mesh network which removes the 192.168.8.0/24 network. I think it is the mesh having the connection issue.

Authentication works fine without this network in the middle on the mesh wan interface. This was a low priority so you don’t have to spend any more time on this. Thanks

Hello Donald

Thanks for sharing more details about your topology. From what you describe, the issue isn’t related to the actual RADIUS configuration but to network connectivity between the ASA and the RADIUS server.

You mention in your previous post that you can ping the ASA INSIDE interface from the RADIUS VM, but not the VM from the ASA. If you can ping in one direction, you should have full network connectivity because, remember, a ping travels in both directions. The fact that you can’t ping from the ASA may be due to the source IP being used by default by the ASA. I explained this further in my previous post. However, looking at the ASA’s routing table here, I doubt that the ping from the VM to the ASA was actually successful.

Looking at the ASA’s routing table, I see that you have a static route to the 192.168.255.0/24 subnet via the 192.168.255.5 next hop, but there is no route to that IP address. So communication with the VM is not possible. Based on your topology, that static route should be:

ip route 192.168.255.0 255.255.255.0 192.168.8.5

Where the 192.168.8.5 address is that of Mesh3, which should lead you to the 192.168.255.0/24 network. Take a look at your network configuration and ensure that you have network connectivity.

One question, what are the Mesh devices, are they wireless? And how are the subnets configured for those mesh devices, automatically or do you configure them manually?

Let us know how you get along so that we can help you further.

I hope this has been helpful!

Laz

I agree, ping should work in both directions. A traceroute from the ASA shows it’s not leaving the ASA. Looks like it can’t find a route out.

You mention the route entry should be
ip route 192.168.255.0 255.255.255.0 192.168.8.5

The syntax for adding routing entries on the ASA is
route inside network netmask gateway
I’ve attached a screenshot of the freeRADIUS output from the successful ping command.

The mesh devices are Tenda MW6 wireless.
The mesh DHCP is handing out 192.168.255.0/24 on the inside network;
192.168.255.254/24 is the gateway.

The ASA is handing out 192.168.8.5-192.168.8.10, which is where the
WAN interface on the Tenda mesh gets .5.
.1 was manually entered on the ASA inside interface.

The MW6 doesn’t support any routing protocols or trunking.
I think I’m trying to get the MW6 to do something it’s not designed to do.

You guys don’t have to spend any more time on this. It’s only a home network.
This will work when I put the mesh in bridge mode and let the ASA
handle the addressing. Let’s close it out.

Thanks
ASA routing table



Hello Donald

Ha! :rofl: yes you are correct. I was rushing and responded incorrectly. Thanks for pointing that out. Also thanks for sharing more details about your topology and where you suspect the problem may reside. I hope it works out, and if you do continue troubleshooting and have any updates, let us know!

Laz