Good point, Fawad.
What if ASA originates RADIUS traffic on its own, i.e. 
authenticating/authorizing users. Then if it can't reach RADIUS it will spew 
something like "AAA server marked unusable" I believe because if I don't define 
RADIUS ports it will use default ones - 1645/1646. So the rule of thumb is 
testing aaa from ASA I hope.

From: Fawad Khan [mailto:[email protected]]
Sent: Sunday, June 10, 2012 4:41 PM
To: Eugene Pefti
Cc: CCIE Security
Subject: Re: [OSL | CCIE_Security] RADIUS ports in ASA and IOS

Logging console warning on ASA really helps. It will tell you immediately what 
IP, protocol and port to open if the traffic is originating from outside 
because there is an ACL (usually) on it.

On Sunday, June 10, 2012, Eugene Pefti wrote:
It's more of a rhetorical question. I'm a little bit disappointed by the fact 
that ASA and IOS developers are not on the same page when defining ports for 
RADIUS.
When you ask the router about it, it only knows the newer ports:

R3#sh ip port-map | in radius
Default mapping:  radius               udp port 1812,1813                  system defined

ASA on the other hand references older RADIUS ports 1645 and 1646 in their 
reference guides:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_ports.html#wp1007738

I wonder whether I will lose points if I forget to include both protocol sets?


--
FNK
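As an added example (not written by anyone in this thread), this script does the check Fawad describes, offline: it reads ASA ACL-deny messages (ID 106023) and reports which RADIUS ports were blocked, classifying them as the IOS/RFC numbers (1812/1813) or the legacy ASA defaults (1645/1646) so that neither set is forgotten. The log lines are constructed samples in the 106023 format; addresses, ACL names and interface names are assumptions.

```python
import re
from collections import defaultdict

# Both port sets discussed in the thread: the IOS port-map defaults and the
# legacy numbers the ASA reference guide lists.
RADIUS_PORTS = {
    1812: ("standard", "radius-auth"),
    1813: ("standard", "radius-acct"),
    1645: ("legacy", "radius-auth"),
    1646: ("legacy", "radius-acct"),
}

# ASA message 106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample log; hosts, interfaces and ACL names are assumptions.
SAMPLE_LOG = """\
%ASA-4-106023: Deny udp src outside:10.1.1.5/49152 dst inside:10.2.2.10/1645 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:10.1.1.5/49153 dst inside:10.2.2.10/1812 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:10.1.1.5/51000 dst inside:10.2.2.10/23 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src dmz:10.3.3.7/40000 dst inside:10.2.2.10/1813 by access-group "dmz_in" [0x0, 0x0]
"""

def radius_denies(log_text):
    """Count denied RADIUS flows, keyed by (acl, destination host, destination port)."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # not an ACL-deny message
        dport = int(m.group("dport"))
        # RADIUS is UDP only; a TCP deny on these numbers is something else.
        if m.group("proto").lower() == "udp" and dport in RADIUS_PORTS:
            hits[(m.group("acl"), m.group("dst"), dport)] += 1
    return dict(hits)

def port_sets_seen(hits):
    """Which numbering schemes appear in the denies: {'standard'}, {'legacy'}, or both."""
    return {RADIUS_PORTS[dport][0] for (_acl, _dst, dport) in hits}

if __name__ == "__main__":
    found = radius_denies(SAMPLE_LOG)
    for (acl, dst, dport), n in sorted(found.items()):
        family, service = RADIUS_PORTS[dport]
        print(f"{acl}: udp to {dst}/{dport} ({service}, {family}) denied {n}x")
    print("port sets in use:", sorted(port_sets_seen(found)))
```

A single deny on 1645 with nothing on 1812 (or vice versa) is the mismatch the thread is about; the script only reports what the ACL is actually blocking, it does not change the ACL.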