Help - 2610/Radius/PIX/NAT



General Cisco Forum - Cisco Systems - Hardware Software and Security News and Discussions 

Help - 2610/Radius/PIX/NAT Matthew Boehm 11-11-2004
Posted by Matthew Boehm on November 11, 2004, 2:12 pm
Hello,
I have the following setup:

2610 (office/internal IPs) --> 2611 (downtown) -> PIX -> Catalyst switch
(public IPs) --> Radius server

Off the Catalyst are other machines and some other routers. These routers
have no problem accessing and being authenticated by the radius server,
because they are all using public IPs.

The 2610 is a 10.0.0.* address trying to access a 212.44.33.* address (the
radius server, and no that isn't our real address space. I've changed it.)

Watching the Radius logs, I can see that the 2610 sends an auth-request to
the radius. The radius server sees the request as coming from the IP of the
PIX, because of the NAT. The password is verified and I can see that the
radius sends an auth-ok back to the PIX. But it stops there. The 2610 never
receives the auth-ok.

Obviously I need to change something in the PIX, but I know very little
about Cisco firewalls.

Any help would be greatly appreciated.

Thanks,
Matthew

Posted by Walter Roberson on November 12, 2004, 1:53 am
:2610 (office/internal IPs) --> 2611 (downtown) -> PIX -> Catalyst switch
:(public IPs) --> Radius server

:Watching the Radius logs, I can see that the 2610 sends an auth-request to
:the radius. The radius server sees the request as coming from the IP of the
:PIX, because of the NAT. The password is verified and I can see that the
:radius sends an auth-ok back to the pix. But it stops there. The 2610 never
:receives the auth-ok.

:Obviously I need to change something in the PIX, but I know very little
:about Cisco firewalls.

Checking RFC 2058, I see that RADIUS uses UDP. You may have to
configure the access controls associated with the outside interface of
the PIX to allow radius responses back in, particularly if you are using
older software. The port number might be 1812 (RFC 2138/2139)
or might be 1645 (PIX uses that by default when it is trying to
do RADIUS authentication right on the PIX.)
--
Take care in opening this message: My grasp on reality may have shaken
loose during transmission!
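As an added illustration of the exchange Matthew describes (this is not code from either poster): a minimal RFC 2865 Access-Request and Access-Accept built in Python, showing how the 2610 would validate the auth-ok if the PIX passed the UDP reply back in. The shared secret, user name, password and Request Authenticator below are constructed sample values.

```python
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def _attr(atype, value):
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(secret, request_auth, password):
    """NAS side (RFC 2865 s5.2): pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    n = max(16, (len(password) + 15) // 16 * 16)
    padded, out, prev = password.ljust(n, b"\x00"), b"", request_auth
    for i in range(0, n, 16):
        b = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += prev
    return out

def recover_password(secret, request_auth, hidden):
    """Server side: the same MD5 chain, keyed on the received ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(prev, b))
    return out.rstrip(b"\x00")

def build_access_request(secret, ident, request_auth, username, password):
    """The auth-request the 2610 sends: Code 1, ID, Length, 16-byte Request Authenticator, attributes."""
    attrs = _attr(ATTR_USER_NAME, username) + \
            _attr(ATTR_USER_PASSWORD, hide_password(secret, request_auth, password))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_response(secret, code, ident, request_auth, attrs=b""):
    """The auth-ok (Code 2): authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(secret, request, response):
    """What the NAS checks when a reply arrives: matching ID, sane length, valid Response Authenticator."""
    if len(request) < 20 or len(response) < 20:
        return False
    ident, length = response[1], struct.unpack("!H", response[2:4])[0]
    if ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]
```

The Response Authenticator binds each reply to the outstanding request and the shared secret, so a reply that never reaches the 2610 cannot simply be replayed or guessed; the firewall has to let the real UDP response through.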
