
External radius server

john_kay_k2wnou
New Contributor III
I have a bunch of ZD1200 and ZD3000 units at multiple sites. I want to set up a Windows Server 2016 box to use NPS for RADIUS. I am having a difficult time getting this to work. My best guess is an issue with routing/NAT.

In my test lab I have a ZD behind a Cisco ASA. The ZD has a private IP but has internet access. The RADIUS server is behind another ASA with a private IP and has internet access. I can never get traffic all the way to the RADIUS server from the ZD.

Can someone share some insight?

Thank you

tony_heung
Contributor II
How about running the capture command on both the inside and outside interfaces of both ASA1 and ASA2 at the same time? Then you can map the captures in tcpdump to see whether the L3 headers (i.e. src/dst IP/port) are the expected ones and whether the RADIUS payload is what you expected too (i.e. whether the NAS IP is NAT'ed).

--tony
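The check Tony describes, as an added example that is not part of the thread: given the outer source address seen in the capture and the raw RADIUS UDP payload, parse the Access-Request, pull out the NAS-IP-Address attribute (RFC 2865, attribute type 4) and report whether NAT has rewritten the outer source so it no longer matches what the ZD put inside the packet. It also decodes the User-Password attribute with a candidate shared secret, which is a quick way to confirm both ends agree on the secret. The packet, the user, the secret and the ASA outside address 203.0.113.10 are all constructed test data (10.10.0.1 is the ZD address used later in this thread); nothing here is NPS or ZoneDirector code.

```python
"""Inspect a captured RADIUS Access-Request for NAT rewriting and secret mismatch.

Added example, not from the thread. All addresses, the user, the secret and
the sample packet are constructed test data.
"""
import hashlib
import ipaddress
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def decode_user_password(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_packet(code: int, identifier: int, authenticator: bytes, attrs) -> bytes:
    """Serialise a RADIUS packet; attrs is a list of (type, value_bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_packet(packet: bytes) -> dict:
    """Parse header and TLV attributes, rejecting inconsistent length fields."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": identifier, "authenticator": packet[4:20], "attrs": attrs}


def first_attr(attrs, atype):
    for t, v in attrs:
        if t == atype:
            return v
    return None


def check_nat(outer_src_ip: str, packet: bytes, secret: bytes = None) -> dict:
    """Compare the IP-layer source seen in the capture with the NAS-IP-Address
    the NAS wrote into the RADIUS payload; optionally decode User-Password."""
    msg = parse_packet(packet)
    raw_nas = first_attr(msg["attrs"], ATTR_NAS_IP_ADDRESS)
    nas_ip = str(ipaddress.IPv4Address(raw_nas)) if raw_nas and len(raw_nas) == 4 else None
    result = {
        "code": msg["code"],
        "outer_src": outer_src_ip,
        "nas_ip": nas_ip,
        "natted": nas_ip is not None and nas_ip != outer_src_ip,
        "user": (first_attr(msg["attrs"], ATTR_USER_NAME) or b"").decode(errors="replace"),
        "password": None,
    }
    enc = first_attr(msg["attrs"], ATTR_USER_PASSWORD)
    if secret is not None and enc is not None:
        result["password"] = decode_user_password(enc, secret, msg["authenticator"]).decode(errors="replace")
    return result


# Constructed sample: the ZD at 10.10.0.1 sends through an ASA whose outside
# interface is 203.0.113.10 (assumed placeholder address). Secret and user are made up.
SECRET = b"example-secret"
AUTHENTICATOR = bytes(range(16))
SAMPLE_REQUEST = build_packet(ACCESS_REQUEST, 7, AUTHENTICATOR, [
    (ATTR_USER_NAME, b"lab-user"),
    (ATTR_USER_PASSWORD, encode_user_password(b"lab-pass", SECRET, AUTHENTICATOR)),
    (ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address("10.10.0.1").packed),
    (ATTR_NAS_PORT, struct.pack("!I", 0)),
])

if __name__ == "__main__":
    print(check_nat("203.0.113.10", SAMPLE_REQUEST, SECRET))        # natted: True, password: lab-pass
    print(check_nat("203.0.113.10", SAMPLE_REQUEST, b"wrong-secret"))  # password decodes to garbage
```

The first call reports `natted: True` because the outer source is the ASA's public address while the payload still says 10.10.0.1; a wrong secret shows up as an unreadable decoded password. RADIUS servers, NPS included, look up the client entry and its shared secret by the UDP source address of the datagram, not by NAS-IP-Address, so under NAT the client entry on NPS has to carry the post-NAT address unless the NAT is undone on the NPS side of the path.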

john_kay_k2wnou
New Contributor III
Tony,

Over the weekend I set my wireless at home to authenticate with the RADIUS box at my office. I was able to see it come to the RADIUS server using Wireshark. However, like you said, the NAS IP is NAT'ed. What type of NAT do I need to set up in order for this to work?

Thanks for your input

tony_heung
Contributor II
John, there are two possible ways you can experiment. The first possibility is to allow all NAS IPs as * on NPS, so it does not matter that the NAS IP is NAT'ed and differs from the originator IP. If it works, you will need to lock down the ACL and NAT rules on the ASA to prevent unauthorised access. The second possibility is to put a destination NAT rule on the ASA where the NPS terminates, so the RADIUS packet would have the same source IP as if it were coming from the ZD, e.g. the ZD is 10.10.0.1, and the ASA on the NPS side would have the packet coming from the ZD leave its interface with 10.10.0.1 as the source IP, replacing the public IP address of the outside interface of the ASA on the ZD side. But you need to have the corresponding rule on the NPS-side ASA so the return packet back to 10.10.0.1 knows the way back to the ZD via the ASA.

A final possibility, redesigning the implementation, is to create an IPsec site-to-site tunnel between the two ASAs so RADIUS would just work.

Hope it helps.