This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
RUCKUS Self Help |   ASK the Pack
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

External radius server

john_kay_k2wnou
New Contributor III

‎02-01-2019 01:03 PM

I have a bunch of ZD1200 and ZD3000 units at multiple sites. I am wanting to setup a Windows Server 2016 box to use NPS for radius. I am having a difficult time getting this to work. My best guess is an issue with routing/nat.

In my test lab I have a ZD behind a Cisco ASA. The ZD has a private IP but has internet access. The Radius server is behind another ASA with a private IP and has internet access. I can never get traffic all the way to the radius server from the ZD.

Can someone share some insight?

Thank you
7 REPLIES 7

tony_heung
Contributor II

‎02-01-2019 02:47 PM

How about running capture command on both inside and outside interfaces on both ASA1 and ASA2 at the same time?  So you can map on tcpdump to see if the L3 (ie: src/dst ip/port are expected ones) and the RADIUS payload is what you expected too (ie: NAS IP is nat'ed).

--tony
0 Kudos

john_kay_k2wnou
New Contributor III

‎02-04-2019 05:45 AM

Tony,

Over the weekend I set my wireless at home to authenticate with the radius box at my office. I was able to see it come to the radius server using wireshark. However like you said the NAS ip is nat'ed. What type of NAT do I need to setup in order for this to work?

Thanks for your input
0 Kudos

tony_heung
Contributor II

‎02-04-2019 06:22 AM

John, two possible ways you can experiment.  First possibility is to allow all NAS ip as * on NPS so it does not matter if the NAS ip is nat'ed which is different from the originator ip.  If it works, you will need to lock down the ACL and NAT rules on ASA to prevent unauthorised access.  Second possibility is the put a destination NAT rule on the ASA (where the NPS terminated) so the source ip of the RADIUS packet would has the same source IP as if coming from the ZD, eg: ZD is 10.10.0.1, while your NPS side of the ASA would say the packet coming from the ZD would leave the ASA interface with 10.10.0.1 as the source ip replacing the public IP address of the ZD side of the ASA outside interface.  But you need to have the corresponding rule on the NPS side of ASA so the return packet back to 10.10.0.1 will know the way back to the ZD via the ASA.

Final possibility to redesign the implementation is to create ipsec site to site tunnel between the two ASAs so RADIUS would just work.

Hope it helps.
Copyright © 2024 Khoros, LLC