
Debugging RADIUS Authentication with Zone-Based Firewalls

February 14, 2012

In my lab network I have a 2801 router acting as the demarc between my Linksys router (home network) and the lab network behind the 2801. All Cisco devices authenticate to a RADIUS install on a server located on my home network. To keep devices in my lab from reaching my home resources, I set up a zone-based firewall on my 2801. My home network hosts NTP, RADIUS, and TFTP services, while the lab network only needs to be pingable and reachable over SSH.

I set up two zones on my router named Lab and Home. Both were assigned to zone pairs, and class-maps and policy-maps were applied to those pairs. Or so I thought. When I tried to SSH into lab devices behind the 2801, SSH would connect but RADIUS authentication would hang. After reviewing my setup with show run, I decided more troubleshooting was required.

The first step was to confirm that the firewall was actually blocking RADIUS traffic, using debug policy-map type inspect detail. When RADIUS traffic passed through, the debug output showed the router dropping packets to and from the standard RADIUS authentication port, 1645. The line meant to match RADIUS was match protocol radius. My mistake was relying on the router to detect RADIUS traffic correctly on its own.

RADIUS uses port 1645 for authentication. For reasons I don’t understand, Cisco devices sometimes use 1812. I looked far and wide for a list of the applications zone-based firewalls detect and the properties they use to detect them, but couldn’t find anything. It became apparent I wasn’t going to solve this with the built-in definitions and would have to define my own.

I could have created an ACL and applied it to the class-map, but I wanted a cleaner, more ZBF-like way. Cisco includes the ip port-map command, which creates custom application definitions. I defined user-radius (note: user-defined applications must begin with user-), which matches UDP traffic on ports 1645 through 1646:

Router1(config)# ip port-map user-radius port udp from 1645 to 1646 description Standard RADIUS ports

In very un-Cisco-like fashion, my user-radius application even showed up in tab completion when I defined the match protocol. Once the class-map matched the custom protocol, RADIUS authentication immediately started working.
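For reference, here is a complete configuration that puts the pieces described above together: the custom user-radius port-map, the two zones, the class-maps and policy-maps for each direction, and the zone pairs. This is an added example, not the configuration from the original post; the post only names the zones Lab and Home, so the class-map, policy-map and zone-pair names, the interface names, and the choice to log dropped traffic are assumptions.

```cisco
! Added example configuration (not the original post's running config).
! Zone names Lab and Home come from the post; all other names are assumed.
!
! Custom application definition. User-defined names must begin with "user-".
! The range 1645-1646 covers RADIUS authentication and accounting on the
! legacy ports the RADIUS server in this setup listens on.
ip port-map user-radius port udp from 1645 to 1646 description Standard RADIUS ports
!
zone security Lab
zone security Home
!
! Lab -> Home: only the services the home network hosts for the lab.
! Matching "user-radius" instead of the built-in "radius" definition is what
! makes the firewall recognise RADIUS on 1645/1646.
class-map type inspect match-any LAB-TO-HOME-CMAP
 match protocol user-radius
 match protocol ntp
 match protocol tftp
 match protocol icmp
!
policy-map type inspect LAB-TO-HOME-PMAP
 class type inspect LAB-TO-HOME-CMAP
  inspect
 class class-default
  drop log
!
! Home -> Lab: lab devices only need to be pingable and reachable over SSH.
class-map type inspect match-any HOME-TO-LAB-CMAP
 match protocol ssh
 match protocol icmp
!
policy-map type inspect HOME-TO-LAB-PMAP
 class type inspect HOME-TO-LAB-CMAP
  inspect
 class class-default
  drop log
!
zone-pair security LAB-TO-HOME source Lab destination Home
 service-policy type inspect LAB-TO-HOME-PMAP
!
zone-pair security HOME-TO-LAB source Home destination Lab
 service-policy type inspect HOME-TO-LAB-PMAP
!
! Interface names are assumptions for the example.
interface FastEthernet0/0
 description Home network
 zone-member security Home
!
interface FastEthernet0/1
 description Lab network
 zone-member security Lab
```

After applying this, show ip port-map user-radius confirms the custom mapping exists, and show policy-map type inspect zone-pair sessions shows whether RADIUS sessions are actually being inspected on the Lab-to-Home pair rather than falling into class-default. Two things worth keeping in mind: the explicit drop log on class-default is what makes a mismatch like the one in the post visible in the log instead of a silent hang, and RADIUS requests originated by the 2801 itself (for its own SSH logins) belong to the router's implicit self zone, which is permitted by default unless you create a zone pair that involves self.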

The lesson for me is not to trust the application definition profiles provided by Cisco in zone-based firewalls.

If you know of a list of zone-based firewall application profiles, please let me know in a comment.


From → Tutorial
