Symptom
RADIUS traffic does not pass after the lina upgrade to 9.18.2 or a later version; the RADIUS server does not respond. After a downgrade to ASA 9.18.1 it starts to work properly again, which we confirmed with debugs and captures.
Conditions
The customer is using ASAv on AWS running version 9.18.4 and has a site-to-site tunnel between the ASAv and a Meraki device. The tunnel is up and was passing traffic without any issue before the upgrade. The RADIUS server is located behind the Meraki firewall, so it is reachable through the site-to-site tunnel.
Workaround
1. Enable the RADIUS server on the outside interface.
2. Change the IPsec (crypto) ACL to "outside interface IP to RADIUS IP" on both the ASA and the peer side (in reverse on the peer).
3. On the NPS server (behind the peer side), configure the new RADIUS client IP address as the ASA's outside interface IP, because RADIUS packets will now be sourced from that IP.
4. Change the NAT statement if one is used.
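The ASA side of the workaround in CLI form, as an added illustration that is not part of the original bug report; the server-group name, ACL name and all addresses (10.10.0.0/24 inside subnet, 192.0.2.50 RADIUS/NPS host behind the Meraki, 203.0.113.10 ASA outside interface IP) are placeholders, and the NPS client change (step 3) is done on the peer side rather than here.

```text
! Before the workaround (assumed starting point): RADIUS sourced from the inside
! interface and carried through the tunnel as part of the inside <-> remote subnet flow.
aaa-server NPS protocol radius
aaa-server NPS (inside) host 192.0.2.50
 key <shared-secret>
access-list VPN-TO-MERAKI extended permit ip 10.10.0.0 255.255.255.0 192.0.2.0 255.255.255.0
! crypto map on outside matches VPN-TO-MERAKI; an identity NAT such as
!   nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static MERAKI-NET MERAKI-NET
! exempts only 10.10.0.0/24, not traffic sourced from the outside interface itself.

! Step 1: reach the RADIUS server from the outside interface instead.
no aaa-server NPS (inside) host 192.0.2.50
aaa-server NPS (outside) host 192.0.2.50
 key <shared-secret>

! Step 2: add the outside-interface IP <-> RADIUS host pair to the crypto ACL so the
! new flow is encrypted. The Meraki side needs the mirror image (RADIUS host <-> 203.0.113.10).
access-list VPN-TO-MERAKI extended permit ip host 203.0.113.10 host 192.0.2.50

! Step 4: if NAT is configured, re-check that nothing rewrites the outside-sourced RADIUS
! flow (show nat); the identity-NAT entry above does not cover it, so adjust as needed.

! Verification (placeholder credentials): the new proxy identities should appear in the
! IPsec SA and a test authentication should now get a reply from 192.0.2.50.
show crypto ipsec sa peer <meraki-peer-ip>
test aaa-server authentication NPS host 192.0.2.50 username <testuser> password <testpass>
```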
Further Problem Description
None.
PSIRT Evaluation
The Cisco PSIRT has evaluated this issue and determined that it does not have a security impact that requires PSIRT ownership or involvement. This issue will be addressed via normal resolution channels. There is no PSIRT restriction that prohibits making this bug visible.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html