The latter is my case - CBAC/ZFW is on the path of RADIUS traffic. I understand 
the methods of finding the culprit. It just adds on to the overall overhead and 
eats up your precious time during the lab.

From: Fawad Khan [mailto:[email protected]]
Sent: Sunday, June 10, 2012 6:14 PM
To: Eugene Pefti
Cc: CCIE Security
Subject: Re: [OSL | CCIE_Security] RADIUS ports in ASA and IOS

I am not sure if I am getting you.
ACS listens on all the required ports. If the ASA is initiating traffic then ACS 
will know how to handle it.
The only time there can be a problem is when there is another firewall, in the form 
of an ASA or IOS (CBAC/zone-based FW), between the ASA and the ACS.
In this case you will see a warning on the console of the blocking (not initiating) 
ASA or the blocking IOS.

On Sunday, June 10, 2012, Eugene Pefti wrote:
Good point, Fawad.
What if the ASA originates RADIUS traffic on its own, i.e. 
authenticating/authorizing users? Then, if it can't reach RADIUS, it will spew 
something like "AAA server marked unusable", I believe, because if I don't define 
RADIUS ports it will use the default ones, 1645/1646. So the rule of thumb is 
testing AAA from the ASA, I hope.

From: Fawad Khan [mailto:[email protected]]
Sent: Sunday, June 10, 2012 4:41 PM
To: Eugene Pefti
Cc: CCIE Security
Subject: Re: [OSL | CCIE_Security] RADIUS ports in ASA and IOS

Logging console warning on the ASA really helps. It will tell you immediately what 
IP, protocol and port to open if the traffic is originating from outside, 
because there is (usually) an ACL on it.

On Sunday, June 10, 2012, Eugene Pefti wrote:
It's more of a rhetoric question. I'm a little bit disappointed by the fact 
that ASA and IOS developers are not on the same page when defining ports for 
RADIUS.
When you ask the router about it, it knows only the new ports:

R3#sh ip port-map | in radius
Default mapping:  radius               udp port 1812,1813                  system defined

The ASA, on the other hand, references the older RADIUS ports 1645 and 1646 in its 
reference guides:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_ports.html#wp1007738

I wonder whether I will lose points if I forget to include both protocol sets?


--
FNK


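The two port sets the thread is about, side by side in an added configuration example that is not from anyone in this thread: the ASA is pinned to 1812/1813 instead of its 1645/1646 defaults, and the IOS zone-based firewall in the path is made to inspect both pairs. Addresses (ASA 10.1.1.1 in zone DMZ, ACS 10.1.1.5 in zone INSIDE), interfaces, zone names and the shared key are constructed placeholders.

```cisco
! --- ASA side: point the aaa-server at the IANA ports explicitly ---
! Without authentication-port/accounting-port the ASA falls back to
! 1645/1646, which a firewall that only knows 1812/1813 will drop.
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.1.1.5
 key RADIUSKEY-PLACEHOLDER
 authentication-port 1812
 accounting-port 1813
! Verify end to end from the ASA itself (credentials are placeholders);
! a failure here is what precedes "AAA server marked unusable".
test aaa-server authentication ACS host 10.1.1.5 username testuser password testpass

! --- IOS ZFW between the ASA and the ACS: permit both port sets ---
! 'match protocol radius' only covers the port-map entry (1812/1813),
! so an ACL adds the legacy 1645/1646 pair for an ASA left at defaults.
ip access-list extended RADIUS-LEGACY
 permit udp host 10.1.1.1 host 10.1.1.5 eq 1645
 permit udp host 10.1.1.1 host 10.1.1.5 eq 1646
class-map type inspect match-any RADIUS-ANY
 match protocol radius
 match access-group name RADIUS-LEGACY
policy-map type inspect ASA-TO-ACS
 class type inspect RADIUS-ANY
  inspect
 class class-default
  drop log
zone security DMZ
zone security INSIDE
interface GigabitEthernet0/0
 zone-member security DMZ
interface GigabitEthernet0/1
 zone-member security INSIDE
zone-pair security DMZ-INSIDE source DMZ destination INSIDE
 service-policy type inspect ASA-TO-ACS
```

With `drop log` on class-default, any RADIUS request that still uses a port neither class covers shows up in the IOS log as a drop, which is the console warning Fawad describes.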