ASA as a RADIUS client in ACS

Hi all

I added the ASA (version 8.0) as a RADIUS client to the ACS (version 4.2) server. When I run "test aaa-server authentication" on the ASA with 'debug radius' enabled, I get this error message:

test aaa-server authentication ACS host 10.1.2.25 username test password $
INFO: Attempting authentication test to IP address <10.1.2.25> (timeout: 12 seconds)
radius mkreq: 0x6cb
alloc_rip 0x29f79044
new request 0x6cb --> 221 (0x29f79044)
got user 'test'
got password
add_req 0x29f79044 session 0x6cb id 221
RADIUS_REQUEST
radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 62).....
01 dd 00 3e 11 76 77 e4 4d 02 13 50 49 4e 6f 7c    |  ...>.vw.M..PINo|
05 5a 8b 68 01 06 74 65 73 74 02 12 11 ca 28 65    |  .Z.h..test...(e
a4 49 ee 8a 76 46 29 10 3d f9 3f 1f 04 06 ac 1b    |  .I..vF).=.?.....
fb 02 05 06 00 00 00 28 3d 06 00 00 00 05          |  .......(=.....

Parsed packet data.....
RADIUS: Code = 1 (0x01)
RADIUS: Identifier = 221 (0xDD)
RADIUS: Length = 62 (0x003E)
RADIUS: Vector: 117677E44D021350494E6F7C055A8B68
RADIUS: Type = 1 (0x01) User-Name
RADIUS: Length = 6 (0x06)
RADIUS: Value (String) =
74 65 73 74                                        |  test
RADIUS: Type = 2 (0x02) User-Password
RADIUS: Length = 18 (0x12)
RADIUS: Value (String) =
11 ca 28 65 a4 49 ee 8a 76 46 29 10 3d f9 3f 1f    |  .(e.I..vF).=.?.
RADIUS: Type = 4 (0x04) NAS-IP-Address
RADIUS: Length = 6 (0x06)
RADIUS: Value (IP Address) = 172.27.251.2 (0xAC1BFB02)
RADIUS: Type = 5 (0x05) NAS-Port
RADIUS: Length = 6 (0x06)
RADIUS: Value (Hex) = 0x28
RADIUS: Type = 61 (0x3D) NAS-Port-Type
RADIUS: Length = 6 (0x06)
RADIUS: Value (Hex) = 0x5
send pkt 10.1.2.25/1645
rip 0x29f79044 state 7 id 221
rad_vrfy() : bad auth req
rad_procpkt: radvrfy failed
RADIUS_DELETE
remove_req 0x29f79044 session 0x6cb id 221
free_rip 0x29f79044
radius: send queue empty
ERROR: Authentication Server not responding: AAA decode failure... server secret mismatch

and I know the shared secret is a match between the ASA and ACS. Any suggestions would be much appreciated.

Thank you

Alex

Hi Alex,

Is the ASA defined in any NDG in ACS?

If so, please remove the shared secret from the NDG and try the authentication test once again.

Let me know how it goes.

Kind regards

Anisha

PS: Please mark this thread as solved if you think your query is answered.


Similar Questions

  • Changing the custom RADIUS attributes sent by a switch

    I recently started to use NPS to authenticate logins to my Cisco devices and I have the basics working.  However, I have a need to add an additional constraint matching my NPS network policies.

    Right now I use the friendly name and/or IP address of the RADIUS client, but I can't find a syntax template for these NPS constraints that does what I need without my creating literally dozens of policies.  I need to somehow add an attribute to a certain group of switches so that I can "filter" which Windows AD group can connect to them, using a policy that matches that custom attribute.

    In the NPS constraint list, I see I have a few options like 'Called Station ID', 'NAS ID' and 'Client Vendor ID', etc. available.  Is there a way to change these attributes on the switch and send them to NPS? Then I could achieve what I want.  For example, I could set up the 'Client Vendor ID' of my special switches with custom data that I could then use to match an NPS deny policy.

    Any ideas?

    TIA

    Hello Diego again :)

    I checked with a friend who has used NPS more than me, and he was not aware of a way to create "location groups" in NPS or something similar where you can distinguish two different NADs.

    However, he provided an interesting solution. He suggested that we use a regular expression in the NAS Identifier field in NPS. The regular expression would be for the IP subnet of that particular site. For example, assume that you have two sites:

    1. Site A: with local subnet 192.168.30.x/24

    2. Site B: with local subnet 10.10.1.x/24

    In NPS, you can build rules like this:

     If NAS Identifier is 10\.10\.1\.* and AD Group is Site_B_Admins Then Full access

    And for the Site A

     If NAS Identifier is 192\.168\.30\.* and AD Group is Site_A_Admins Then Full access

    Of course, to do this, each site must have a single subnet that does not overlap with other sites.

    Hope that gives you some kind of a solution.

  • ASA privilege level from RADIUS (Cisco ISE)

    Dear,

    I have tried to authenticate management access to the ASA with ISE and it works fine, but when I try to push privilege level 15 to it, it still ends up in privilege level 1.

    I am using the Cisco-AV-pair attribute; ASA version 9.0.

    Thank you

    Even if you push the cisco-av-pair attribute shell:priv-lvl=15 to the ASA, it won't allow you to land directly in privileged exec mode. You have to supply the enable password to get to # mode.

    https://supportforums.Cisco.com/thread/2201512

    Let me know if you have any other requirement.

    ~ BR
    Jatin kone

    * Please rate helpful posts *

  • ASA disconnects the client due to XAUTH failure even though XAUTH is disabled

    Dear friends,

    I am creating an IPsec tunnel between a ZyXEL ZyWALL P1 hardware firewall and an ASA 5510, OS version 8.0(2). The two parties should authenticate using X.509 PKI certificates only, without any XAUTH authentication.

    The current configuration of the ASA allows Cisco VPN software clients to connect without any problems. However, when I try to connect the ZyWALL, the ASA complains "peer is not authenticated by xauth - drop connection" and drops the connection. This puzzles me, as both the ZyWALL hardware and the software clients are handled by the same tunnel group, in which XAUTH is disabled with the command "isakmp ikev1-user-authentication none". My goal, obviously, is to configure the ASA in such a way that it is possible to create an IPsec tunnel between the ASA and the ZyWALL authenticated using certificates only, without XAUTH.

    The ZyWALL does not seem to support MODE config. I don't know if it is a relevant fact, but I'm mentioning it for completeness.

    I am attaching the relevant extracts from the configuration and the output of the command debug crypto isakmp 127. A short explanation of the different addresses in the debug output:

    • 158.193.139.0/24 is the public segment in the lab where the ZyWALL device is tested
    • 192.168.167.0/24 is the private segment behind the ZyWALL device (its 'LAN' interface)
    • 172.27.137.0/24 is the private segment behind the ASA that clients access via IPsec

    I am very grateful for any advice you can give me!

    Best regards

    Peter

    Peter,

    Well, I needed to read a large part of your email.

    I understand you basically want your ZyXEL firewall to act as an EzVPN client (note that it doesn't send the Unity vendor ID in MM1) and not as a L2L tunnel.

    Group = TG-RAIS, Username = Peter Paluch VPN, IP = 158.193.139.173, processing hash payload

    Is this username configured anywhere on the ZyXEL firewall?

    Marcin

  • ASA 5505 as Easy VPN client, AM_ACTIVE status

    Hi Experts,

    We have an ASA5505 which is configured to operate as an Easy VPN client. The output of show isakmp sa indicates the state of the tunnel as AM_ACTIVE.

    But we are not able to establish connectivity to any of the inside nodes.

    What does AM_ACTIVE mean? My understanding is that all Easy VPN clients, hardware or software, use Aggressive Mode, and the tunnel is set up and works. The Easy VPN server configuration is not under our management; it is most likely a router, and we believe the problem is the configuration at the server end.

    In addition, there is virtually nothing to do on an Easy VPN client other than specifying the authentication and tunnel group information in the client, and it should connect. All other configuration is pushed from the Easy VPN Server end, right?

    In the output of show ipsec sa, I noted the following

    dynamic allocated peer ip: 0.0.0.0 ---> does this mean that my ASA5505 isn't assigned any IP by the Easy VPN server?

    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 ---> no decryption, which probably means that there is no response from the remote end, right?

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0

    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

    #send errors: 0, #recv errors: 0

    In the show vpnclient detail output I saw a lot of ISAKMP policies being created.

    -------------------------------------------

    crypto isakmp policy 65001
     authentication xauth-pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 2147483647
    crypto isakmp policy 65002
     authentication xauth-pre-share
     encryption aes-256
     hash md5
     group 2
     lifetime 2147483647
    crypto isakmp policy 65003
     authentication xauth-pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 2147483647
    crypto isakmp policy 65004
     authentication xauth-pre-share
     encryption aes-192
     hash md5
     group 2
     lifetime 2147483647
    crypto isakmp policy 65005
     authentication xauth-pre-share
     encryption aes
     hash sha
     group 2
     lifetime 2147483647
    crypto isakmp policy 65006
     authentication xauth-pre-share
     encryption aes
     hash md5
     group 2
     lifetime 2147483647
    crypto isakmp policy 65007
     authentication xauth-pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 2147483647
    crypto isakmp policy 65008
     authentication xauth-pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 2147483647
    crypto isakmp policy 65009
     authentication xauth-pre-share
     encryption des
     hash md5
     group 2
     lifetime 2147483647
    crypto isakmp policy 65010
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 2147483647
    crypto isakmp policy 65011
     authentication pre-share
     encryption aes-256
     hash md5
     group 2
     lifetime 2147483647
    crypto isakmp policy 65012
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 2147483647
    crypto isakmp policy 65013
     authentication pre-share
     encryption aes-192
     hash md5
     group 2
     lifetime 2147483647
    crypto isakmp policy 65014
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 2147483647
    crypto isakmp policy 65015
     authentication pre-share
     encryption aes
     hash md5
     group 2
     lifetime 2147483647
    crypto isakmp policy 65016
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 2147483647
    crypto isakmp policy 65017
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 2147483647
    crypto isakmp policy 65018
     authentication pre-share
     encryption des
     hash md5
     group 2
     lifetime 2147483647

    --------------------

    Could this possibly be due to a bad server-end configuration, and the cause of not being able to establish connectivity to the server-end nodes?

    Help, please! Sorry for the mess, but we just want to make sure that it isn't something wrong with the configuration on our side!

    Kind regards

    ANUP sisi

    There are 2 phases of IPSec: IKE (Phase 1), where the AM_Active status means Phase 1 is up, and IPSec (Phase 2), and if you have both encrypts and decrypts incrementing, it means the tunnel is passing traffic.

    Based on the output, the VPN tunnel is up and sends traffic to the VPN server/network, however, there is no response in return.

    You should check the VPN server end to see if there are any configuration issues. Check the NAT exemption and ensure that you have it configured on the head end. How do you have it set up? PAT/Client mode or NEM?

  • IPSec VPN authentication problem against AD via RADIUS/ISA

    As background, I have an IPSec VPN authenticating against the local database up and running, with access to my internal network and working with zero issues.

    So I would like to move away from local database authentication and bounce it off my AD.  I am running Server 2003, so I configured ISA Server RADIUS and think I have it properly configured.  It is registered in AD, I added my ASA as a RADIUS client, and customized the remote access and connection request policies.

    The authentication test in the ASDM succeeds with all the users who need it.

    When testing through my VPN client on a remote computer, I get "connection terminated by peer, no reason given".

    The event logs on the domain controller say

    - the user domain\%username% was granted access.

    directly after this, there is an entry

    - VPN-RADIUS-GP was denied access

    where VPN-RADIUS-GP is the name of the tunnel group policy in my ASA.

    I've read a lot of literature and a few forums and have not yet found any explanation as to why this would happen, as the username is trying to authenticate to the ISA.

    Anyone have any ideas?

    Thank you

    Mac

    group-policy VPN-Radius-GP external server-group VPN_Radius_Auth password aaaaaaaaaaaaaaaaaaaaaa

    It is an external group-policy, meaning by definition that the group policy is defined on the AAA server, so the ASA sends a RADIUS access request to retrieve the group policy attributes.

    See for example http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpngrp.html#wp1133706

    If this isn't what you want, then just remove that group policy and use an internal one (like the "q101 VPN GP" you have).

    HTH

    Herbert

  • False RADIUS requests from VPN clients on Cisco ASA 5510

    Hello world

    I use the Cisco VPN client 5.0.7 and Cisco ASA 5510 (7.4 and 8.4.2) as a VPN RAS solution. Clients are authenticated using certificates and RADIUS AAA (ACS 3.3) against AD.

    Each time a client connects, the ASA issues 2 RADIUS requests: the first one correct, which is successfully authenticated by ACS, and immediately after it a second one that always fails. I couldn't find information related to this strange behavior. The "Double Authentication" feature (closest to it by name) is only available to AnyConnect clients, which we do not use. When I authenticate using a group password, there is only one RADIUS query.

    What is the source of such behavior?

    The negative impact is that my logs are filled with spurious failed authentication attempts and users are incrementing the failed-attempts counter in AD.

    ASA debugging:

    - First request -

    RDS 2011-10-24 16:16:01 0232 14884 request code 172.16.8.1:1645 host = 1 id = 22, length = 145 on port 1025

    RDS 2011-10-24 16:16:01 I 2519 14884 [001] value of username: User1

    RDS 2011-10-24 16:16:01 I 2519 14884 [002] value username-password: 2D A9 B2 D0 15 5F 1E B8 BB DB 3A 38 F5 24 72 B5

    RDS 2011-10-24 16:16:01 I 2538 14884 [005] NAS-Port value:-1072693248

    RDS 2011-10-24 16:16:01 I 2538 14884 [006] Type of Service value: 2

    RDS 2011-10-24 16:16:01 I 2538 14884 [007] value Framed-Protocol: 1

    RDS 2011-10-24 16:16:01 I 2519 14884 [030] value Called-Station-Id: 172.16.8.1

    RDS 2011-10-24 16:16:01 I 2519 14884 [031] value of Calling-Station-Id: 10.4.14.14

    RDS 2011-10-24 16:16:01 I 2538 14884 [061] NAS-Port-Type value: 5

    RDS 2011-10-24 16:16:01 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14

    RDS 2011-10-24 16:16:01 I 14884 2556 [004] value of NAS-IP-Address: 172.16.8.1

    RDS 2011-10-24 16:16:01 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:01 I 2596 14884 [001] cisco-av-pair value: ip:source - ip = 10.4.14.14

    RDS 2011-10-24 16:16:01 I 0282 14884 ExtensionPoint: run the configured scan extension points...

    RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: advertising [AuthenticationExtension] provider [Cisco EAP generic]

    RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: Message-[generic EAP] lack of EAP, ignorant...

    RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [GenericEAP.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: asking provider [Download Cisco ACL] [AuthenticationExtension]

    RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: [DnldACLs] asking not a download of ACL, ignorant...

    RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [DnldACLs.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 I 14884 0475 AuthorExtensionPoint: run the configured scan extension points...

    RDS 2011-10-24 16:16:02 I 14884 0507 AuthorExtensionPoint: requesting provider [Download Cisco ACL] [AuthorisationExtension]

    RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: looking for ACL from [DnldACLs] to [user1]

    RDS 2011-10-24 16:16:02 I 0512 14884 AuthorExtensionPoint: [DnldACLs.dll-> AuthorisationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 3360 14884 sent response code 2, id 22 to 172.16.8.1 on port 1025

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:addr - pool = vpnpool

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:wins - servers = 10.2.9.12 10.3.9.10 10.4.2.202

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: IP: DNS-servers = 10.2.9.12 10.3.9.10 10.4.2.202

    RDS 2011-10-24 16:16:02 I 2538 14884 [006] Type of Service value: 2

    RDS 2011-10-24 16:16:02 I 2538 14884 [007] value Framed-Protocol: 1

    RDS 2011-10-24 16:16:02 I 2538 14884 [013] box-Compression value: 1

    RDS 2011-10-24 16:16:02 I 14884 2556 [008] value box-IP-Address: 255.255.255.254

    RDS 2011-10-24 16:16:02 I 2519 14884 [025] value class: CISCOACS:002cb2a9/ac100801/3222274048

    - Second request -

    RDS 2011-10-24 16:16:02 0232 14884 request code 172.16.8.1:1645 host = 1 id = 23, length = 145 on port 1025

    RDS 2011-10-24 16:16:02 I 2519 14884 [001] value of username: User1

    RDS 2011-10-24 16:16:02 I 2519 14884 [002] value username-password: 06 EA 08 AB C7 8F 75 D0 A5 E5 AE B7 A8 1 48 96 b

    RDS 2011-10-24 16:16:02 I 2538 14884 [005] NAS-Port value:-1072693248

    RDS 2011-10-24 16:16:02 I 2538 14884 [006] Type of Service value: 2

    RDS 2011-10-24 16:16:02 I 2538 14884 [007] value Framed-Protocol: 1

    RDS 2011-10-24 16:16:02 I 2519 14884 [030] value Called-Station-Id: 172.16.8.1

    RDS 2011-10-24 16:16:02 I 2519 14884 [031] value of Calling-Station-Id: 10.4.14.14

    RDS 2011-10-24 16:16:02 I 2538 14884 [061] NAS-Port-Type value: 5

    RDS 2011-10-24 16:16:02 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14

    RDS 2011-10-24 16:16:02 I 14884 2556 [004] value of NAS-IP-Address: 172.16.8.1

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:source - ip = 10.4.14.14

    RDS 2011-10-24 16:16:02 I 0282 14884 ExtensionPoint: run the configured scan extension points...

    RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: advertising [AuthenticationExtension] provider [Cisco EAP generic]

    RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: Message-[generic EAP] lack of EAP, ignorant...

    RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [GenericEAP.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: asking provider [Download Cisco ACL] [AuthenticationExtension]

    RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: [DnldACLs] asking not a download of ACL, ignorant...

    RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [DnldACLs.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 P 2237 14884 user: User1 - Windows user unknown or invalid password

    RDS 2011-10-24 16:16:02 3360 14884 sent response code 3, id 23 to 172.16.8.1 on port 1025

    RDS 2011-10-24 16:16:02 I 2519 14884 [018] value Reply-Message: rejected...

    RDS 2011-10-24 16:16:03 0232 14884 request code 10.2.47.200:1812 host = 1 id = 254, length = 227 on port 32769

    RDS 2011-10-24 16:16:03 2788 14884 (VSA unknown Vendor ID 14179)

    ACS debug:

    - First request -

    AUTH 24/10/2011 16:16:01 I 0365 13060 external DB [NTAuthenDLL.dll]: from [user01] user authentication
    AUTH 24/10/2011 16:16:01 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user

    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: authentication Windows successfully (by DCCORPMSK04)
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: information get RAS to the user user1 DCCORPMSK04

    - Second request -
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: from [user1] user authentication
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user
    AUTH 24/10/2011 16:16:02 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication FAILED (Error 1326 L)
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: retry authentication to the CORP domain
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user
    AUTH 24/10/2011 16:16:02 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication FAILED (Error 1326 L)

    The ASA config:

    crypto ikev1 enable outside
    crypto ikev1 enable inside
    crypto ikev1 ipsec-over-tcp port 10000
    lifetime 86400
    crypto ikev1 policy 65535
     authentication rsa-sig
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    !
    group-policy Cert_auth internal
    group-policy Cert_auth attributes
     vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value aclVPN2
     address-pools value vpnpool
     client-access-rule none
    !
    tunnel-group DefaultRAGroup general-attributes
     address-pool (inside) vpnpool
     address-pool vpnpool
     authentication-server-group RADIUS01
     authorization-server-group RADIUS01
     authorization-server-group (inside) RADIUS01
     default-group-policy Cert_auth
    !
    aaa-server RADIUS01 protocol radius
    aaa-server RADIUS01 (inside) host 10.2.9.224
     key *
     radius-common-pw *
    aaa-server RADIUS01 (inside) host 10.4.2.223
     key *

    Hello

    It is a 'classic' error and has nothing to do with double authentication, but rather with the fact that you do both RADIUS authentication and RADIUS authorization.

    If you remove this line:

    authorization-server-group RADIUS01

    you will see that it starts to work properly.

    In short: when the ASA does RADIUS authorization, it sends a RADIUS access request with the username as the password; that's why you see the second request fail all the time.

    This is because RADIUS authorization is intended to be used when authentication happens using certificates (only), so there is no password.

    Also note that within the RADIUS protocol, authentication and authorization are not separate things; both occur in a single step. So if the ASA does RADIUS authentication, it already gets the user attributes in the authentication step, and it makes no sense to also do a separate authorization step (except in a few very rare scenarios where you have 2 RADIUS servers, one for authentication and another for authorization).

    HTH

    Herbert

  • Question about SDI authentication on AnyConnect and ASA

    Hi all

    I would like to know about the communication flow for SDI authentication between the AnyConnect client and the ASA 5520.

    My client wants to use the RSA SecurID On-Demand authenticator (RSA SecurID On-Demand token) between the ASA 5520 for SSL VPN and the AnyConnect client.

    I understand that the ASA provides two modes to allow SDI authentication.

    Native SDI - the ASA communicates directly with the SDI server to handle SDI authentication
    RADIUS SDI - the ASA communicates with a RADIUS SDI proxy (such as Cisco ACS) and the RADIUS SDI proxy communicates with the SDI server; this means that the ASA does not communicate directly with the SDI server.

    I think that, in general (not considering the ASA), the client (remote user) needs to access the web page on the SDI server to get an SDI authentication token when starting the SSL VPN connection setup. However, I don't clearly understand how SDI authentication works if I use the ASA as the secure gateway and configure the ASA to allow SDI authentication.

    So my question is how SDI authentication works on the ASA when I use the ASA as the secure gateway and configure the ASA to allow SDI authentication (in both modes).

    The customer does not want the AnyConnect client to communicate with the SDI server directly, but to communicate with the ASA only, because of their security concerns. I don't know why the customer says so...

    I found the following information on CEC.

    ==========
    When a remote user using RADIUS SDI authentication connects to the ASA with AnyConnect and attempts to authenticate using an RSA SecurID token, the ASA communicates with the RADIUS server, which in turn communicates with the SDI server for validation.
    ==========

    Does this mean that the AnyConnect client does not communicate with the SDI server directly for SDI authentication when starting the SSL VPN connection setup, and that the AnyConnect client must communicate only with the ASA, because the ASA communicates with the SDI server (instead of the AnyConnect client) as a proxy?

    Your information would be appreciated.

    Best regards

    Shinichi

    Shinichi,

    I had a quick glance at the data sheet

    http://www.RSA.com/node.aspx?ID=3481

    I couldn't find the authentication of SMS as 'on demand' code, i.e. RSA will communicate somehow with the cellular network provider to deliver an SMS with the user's part of the token. (The phone number should uniquely identify a user.)

    Please note that it is a little suspicious if the device that you authenticate to provides you with the authentication credentials :-)

    Unless you mean a scenario where users connect through the ASA to request a token (be it via NAT or perhaps via the SSL portal?), anyway, the ASA is usually unaware, because the user gets their authentication from the two parties.

    Let me know if you meant something different about the token request. I'm curious to see what RSA has in store for us.

    Marcin

  • ASA VPN with ISE and different OTP backends for authentication

    Hello

    I have an AAA problem I hope to get some help with.

    The problem ultimately is: how can the ASA, via ISE, send RADIUS Access-Requests to different OTP backends, given a connection to a certain tunnel group.

    BACKGROUND:

    I'll try to give you a brief picture of the scenario; this is what I currently have.

    A VPN system (ASA 8.4(4)) where I let my users choose among 3 different authentication methods:

    (1) Certificate (on smart card)

    (2) Token - OTP token (One Time Password provided via a smartphone application: Nordic Edge OTP Server using Pledge)

    (3) SMS - OTP token (Nordic Edge OTP Server, SMS OTP)

    The choice corresponds to different connection profiles/tunnel groups.

    Today, all authentication requests go directly to the OTP server and authorization goes directly to AD via LDAP.

    THE PROBLEM:

    The problem occurs when I try to put ISE into the mix.

    What I obviously (?) would like to do is have all network authentication/authorization go through my ISE platform, to take advantage of centralized administration, monitoring etc.

    I would still need to use different backend databases such as AD and the Nordic Edge OTP server, but then proxied by ISE.

    For the system to know which back-end AAA to proxy to, it must somehow be able to distinguish the incoming RADIUS Access-Requests.

    WHAT WE KNOW:

    As of ASA 8.4.3, the RADIUS access request contains 2 new attributes, Tunnel Group Name and Client Type, when a VPN user connects.

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/ref_extserver.html#wp1802187

    QUESTION:

    It seems that, in theory, I can achieve what I want by looking at the RADIUS access request attribute "Tunnel Group Name" and forwarding my request to different OTP backends for the authentication part. But how do I actually go ahead and set that up in ISE?

    I don't see this attribute when I look at the RADIUS Authentication details for an AAA authentication from the ASA on ISE.

    Best regards

    / Mattias

    I think you may be hitting the following bug:

    CSCtz49846: ISE does not match the condition with VPN 146 Tunnel-Group-Name attribute

    This issue is not specific to this attribute, as shown in the workaround in the accompanying note

    Workaround

    Ensure that the attribute name does not include a '.' character. This also applies to some of the existing attributes in the Cisco-VPN3000 dictionary. Attribute names should be changed so that they do not include a "." character.

  • ASA AAA

    Hello

    I want to consolidate all the AAA features we have today on different RADIUS servers into an ISE installation.

    I now wonder how to differentiate an administrative connection to the device (SSH/ASDM) from a VPN user connection, since the RADIUS requests go to the same server.

    I see nothing in the ASA RADIUS request attributes which differs depending on the use case. Any advice?

    Best regards

    / Mattias

    Hi Mattias,

    as of ASA 8.4.3 the RADIUS access request contains 2 new attributes, Tunnel Group Name and Client Type, when a VPN user connects. Don't know if an admin access request contains Client Type = 0 or if it does not include this attribute at all.

    But no doubt you don't even need those, as you can simply key on the IETF Service-Type attribute, cf.:

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/access_aaa.html#wp1136429

    HTH

    Herbert

  • ACS NAC 5.2 comments Sponor Radius Authentication

    For some reason, I can't get the Hall "sponsors" for authentication on the server of comments of the NAC (2.0.2) using ACS 5.2 via Radius.

    I managed to find a way to get feedback from the NAC authentication Radius for 'Administrator' to work by adding the value of custom RADIUS IEFT-6 under...

    • Elements of strategy
    • Authorization & permissions
    • Access to the network
    • Authorization profiles

    I added a strategy & tab attributes Radius... I manually entered an attribute that looks like the following:

    • Dictionary type: = IETF RADIUS
    • The RADIUS attribute: = Type of Service
    • Type of attribute: = enumeration
    • Attribute value: = static
    • Value = "administrative".

    Then I created an access policy... I match on a specific AD group - result = the custom authorization profile named above...

    All this works fine... the NAC Guest Server docs say the RADIUS server must return a value for IETF-6...

    When it comes to the sponsor section, it does not tell you what value your RADIUS server must return... so just for fun, instead of the custom profile named above I tried "Permit Access"... I tried the custom profile named above... Don't know what else to try to get this working... Anyone have any ideas?

    This is similar to the document I'm following:

    http://www.Cisco.com/en/us/docs/security/NAC/guestserver/configuration_guide/20/nacguestsrvr.PDF

    Page 68 covers "Sponsor authentication configuration" for RADIUS... it just tells you to change the authentication order and add the RADIUS server...

    Use NAS-Prompt (7) instead of Administrative (6) for sponsor users.

    -Jesse
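The two answers above (Herbert's, on telling a management logon from a VPN logon by the attributes the ASA sends, and Jesse's, on which Service-Type to return to the NAC Guest Server) both come down to reading and writing RADIUS attribute TLVs. The following is an added example, not code from Cisco, ACS or ISE: it builds constructed Access-Requests, parses the attribute list including Cisco vendor-specific attributes (vendor ID 9), classifies the request, and encodes the Service-Type attribute for the Access-Accept. The VSA numbers 146 (Tunnel-Group-Name) and 150 (Client-Type) and the Client-Type value names are assumptions taken from the ASA RADIUS attribute table and must be checked against the ASA release in use.

```python
"""Tell an ASA management logon from a VPN logon in a RADIUS Access-Request.

Added example for this thread, not code from Cisco, ACS or ISE. The Cisco VSA
numbers 146 (Tunnel-Group-Name) and 150 (Client-Type) and the Client-Type values
are assumptions from the ASA RADIUS attribute table; verify them for your release.
"""
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_SERVICE_TYPE, ATTR_VENDOR_SPECIFIC = 1, 4, 6, 26
SERVICE_TYPE_ADMINISTRATIVE = 6   # full administrative login
SERVICE_TYPE_NAS_PROMPT = 7       # restricted login, e.g. NAC Guest sponsors
CISCO_VENDOR_ID = 9
CISCO_TUNNEL_GROUP_NAME = 146     # assumed ASA VSA number
CISCO_CLIENT_TYPE = 150           # assumed ASA VSA number
CLIENT_TYPE_NAMES = {1: "ipsec-vpn-client", 2: "anyconnect-ssl", 3: "clientless-ssl",
                     4: "cut-through-proxy", 5: "l2tp-ipsec", 6: "anyconnect-ikev2"}


def tlv(atype, value):
    """Encode one RADIUS attribute as type, total length, value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, 2 + len(value)]) + value


def cisco_vsa(vsa_type, value):
    """Wrap a Cisco sub-attribute in an IETF Vendor-Specific (26) attribute."""
    return tlv(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + tlv(vsa_type, value))


def build_access_request(ident, attrs, authenticator=None):
    """Header (code, id, length, 16-byte request authenticator) plus attributes."""
    authenticator = authenticator or os.urandom(16)
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_attributes(packet):
    """Return (code, ident, ietf_attrs, cisco_vsas); raise ValueError on malformed TLVs."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field %d != %d bytes received" % (length, len(packet)))
    ietf, cisco, pos = {}, {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute %d overruns packet" % atype)
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            vpos = 4                                  # walk the Cisco sub-attributes
            while vpos < len(value):
                if vpos + 2 > len(value):
                    raise ValueError("truncated Cisco VSA header")
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("Cisco VSA %d overruns attribute" % vtype)
                cisco[vtype] = value[vpos + 2:vpos + vlen]
                vpos += vlen
        else:
            ietf.setdefault(atype, []).append(value)
        pos += alen
    return code, ident, ietf, cisco


def classify(ietf, cisco):
    """'vpn' when the ASA tagged the request with a tunnel group, else 'management'."""
    # ASA 8.4.3+ adds Tunnel-Group-Name and Client-Type only for VPN logons, so an
    # SSH/ASDM logon is recognised by their absence (Client-Type 0 alone counts too).
    if CISCO_TUNNEL_GROUP_NAME in cisco:
        ctype = None
        if CISCO_CLIENT_TYPE in cisco:
            ctype = struct.unpack("!I", cisco[CISCO_CLIENT_TYPE])[0]
        return {"kind": "vpn", "tunnel_group": cisco[CISCO_TUNNEL_GROUP_NAME].decode("ascii"),
                "client_type": CLIENT_TYPE_NAMES.get(ctype, "unknown")}
    return {"kind": "management", "tunnel_group": None, "client_type": None}


def service_type_attribute(role):
    """Service-Type for the Access-Accept of a non-VPN logon: 6 admin, 7 NAS-Prompt."""
    code = {"admin": SERVICE_TYPE_ADMINISTRATIVE, "sponsor": SERVICE_TYPE_NAS_PROMPT}[role]
    return tlv(ATTR_SERVICE_TYPE, struct.pack("!I", code))


def sample_requests():
    """Constructed requests: a VPN logon as ASA 8.4.3+ sends it, and an SSH/ASDM logon."""
    nas = tlv(ATTR_NAS_IP_ADDRESS, bytes([172, 27, 251, 2]))
    vpn = build_access_request(221, [tlv(ATTR_USER_NAME, b"test"), nas,
                                     cisco_vsa(CISCO_TUNNEL_GROUP_NAME, b"RA-Employees"),
                                     cisco_vsa(CISCO_CLIENT_TYPE, struct.pack("!I", 2))])
    mgmt = build_access_request(222, [tlv(ATTR_USER_NAME, b"admin"), nas])
    return {"vpn": vpn, "management": mgmt}
```

Feed each packet from `sample_requests()` through `parse_attributes()` and `classify()`: the VPN request comes back with its tunnel group and client type, the management request with neither. The parser rejects a truncated packet or an attribute whose length runs past the end instead of reading garbage, which is the behaviour you want in anything that sits on a RADIUS port.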

  • Connecting Cisco VPN Client v5 to an ASA 5505

    I have remote-access VPN configuration issues between an ASA 5505 and Cisco VPN Client v5. I can successfully establish a connection between the VPN client and the ASA and receive an IP address from the ASA. The VPN client statistics window shows that packets are sent and encrypted, but none are received/decrypted.

    I cannot ping the ASA 5505.

    Any ideas on what I missed?

    Try adding...

    crypto isakmp nat-traversal

    In addition, you cannot ping the inside interface of the ASA over the VPN without this command...

    management-access inside

    Please rate helpful posts.

  • ASA and PhoneFactor

    I'm trying to get my ASA to authenticate AnyConnect users with PhoneFactor authentication. Has anyone successfully done this before?

    Hi Jason,

    For that to work, you must configure the ASA to send a RADIUS request to PhoneFactor, and you must set the RADIUS timeout there so that the ASA does not time out while waiting for a response from PhoneFactor. Thus, both the ASA and the AnyConnect client must allow enough time for the phone call to take place and an answer to come back.

    By default, AnyConnect waits up to 12 seconds for ASA authentication before terminating the connection attempt. You can change this value in the XML profile as follows:

    To set the authentication timeout to 90 seconds:


    90

    You can see the release notes that describe "Authentication Timeout Control" at:

    Authentication Timeout Control

    The rest of the configuration is a fairly common AnyConnect client authentication against a RADIUS server.

    Let me know if you have any questions.

    Portu.

    Please rate all useful posts
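The two timeouts Portu describes, written out as a configuration example. This is added here and is not taken from the thread or from PhoneFactor's documentation: the server tag, address, shared secret and both timeout values are placeholders, and the AnyConnect element name is assumed from the client profile schema (confirm it in the AnyConnect Profile Editor). The ASA side raises the per-server RADIUS timeout from its 10-second default; the client side raises the AnyConnect authentication timeout from its 12-second default.

```text
! ASA side (example, placeholders): aaa-server group pointing at PhoneFactor
aaa-server PHONEFACTOR protocol radius
aaa-server PHONEFACTOR (inside) host 192.0.2.10
 key <shared-secret>
 timeout 60
!
tunnel-group ANYCONNECT-RA general-attributes
 authentication-server-group PHONEFACTOR

<!-- AnyConnect client profile, ClientInitialization section
     (element name assumed from the profile schema) -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AuthenticationTimeout>90</AuthenticationTimeout>
  </ClientInitialization>
</AnyConnectProfile>
```

Keep the client value larger than the ASA's server timeout multiplied by the number of servers the group may fall through, so that the ASA, not the client, is the side that decides the request has failed; otherwise the client drops the attempt while the phone call is still in progress and the ASA later logs an accept for a session that no longer exists.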

  • VPN authentication via RADIUS

    I wonder if anyone has experience with this error.

    I have a Cisco ASA firewall; I configured AAA authentication against my Active Directory server. On my Active Directory server, I set up my ASA firewall as a RADIUS client.

    For my VPN user authentication, I set up my VPN users to authenticate through the Active Directory server.

    In my Active Directory server, I have several groups. Some users are in ABC GROUP; most users are in GROUP-XYZ.

    Users who are members of ABC GROUP can connect successfully.

    Users who are members of GROUP-XYZ cannot connect; the Cisco VPN client keeps prompting the user to authenticate.

    The ASA firewall gives the error: Error processing payload: Payload ID: 14

    When I add the user as a member of ABC GROUP, the user is able to connect successfully.

    On the Cisco ASA firewall, I see no configuration that refers to an Active Directory group name.

    Hello

    Check the output of debug aaa / debug radius on the ASA for clues.

    I guess you are using Microsoft NPS; search through all of its logs.

    My assumption (a wild guess): in your Active Directory, check the "grant dial-in" setting on the user accounts and the similar setting next to it (I forgot the details; it has been more than a year since I last saw it), compare with the NPS documentation, and compare the two groups (pass/fail).

    Also check your Network Policy Server authentication policies if you have more than one.

    Hope that helps,

    MiKa

  • Cisco ASA WebVPN - logging of ACL hits

    Hello

    I'm trying to get my Cisco ASA 5520 clientless WebVPN connections logged. My ACEs are getting hit, but no log entry is created:

    access-list SSLVPN_Personal; 2 elements
    access-list SSLVPN_Personal line 1 webtype permit url https://*.XYZ.ABC.de log alerts interval 1 (hitcnt=41)

    How can I check what the WebVPN users do?

    Look at syslogs 716003 and 716004: http://www.cisco.com/en/US/partner/docs/security/asa/asa83/system/message/logmsgs.html#wp4776945

    716003

    Error Message   %ASA-6-716003: Group group User user IP ip WebVPN access GRANTED: url

    Explanation: The WebVPN user in this group at the specified IP address has been granted access to that URL. User access to various locations can be controlled using WebVPN-specific ACLs.

    Recommended Action: None required.

    716004

    Error Message   %ASA-6-716004: Group group User user WebVPN access DENIED to specified location: url

    Explanation: The WebVPN user in this group has been denied access to this URL. User access to various WebVPN locations can be controlled using WebVPN-specific ACLs. In this case, a particular entry is denying access to this URL.

    Recommended Action: None required.
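Once those two messages reach a syslog collector, the question "what do the WebVPN users do?" becomes a parsing job. The following is an added example, not from the thread or from Cisco: it extracts group, user, source IP and URL from 716003/716004 lines, tallies grants and denials per user, and flags users whose denial count suggests they are probing past the webtype ACL. The sample log lines are constructed; the angle brackets around the Group/User/IP values are an assumption about how the ASA renders the template above, and the regexes accept the values with or without them.

```python
"""Summarise WebVPN URL decisions from ASA syslog IDs 716003 and 716004.

Added example for this thread, not from Cisco. The message layout follows the
templates quoted above; the sample lines are constructed, and the angle brackets
around Group/User/IP values are an assumption (both forms are accepted).
"""
import re
from urllib.parse import urlparse

GRANTED = re.compile(
    r"%ASA-6-716003: Group <?(?P<group>[^>\s]+)>? User <?(?P<user>[^>\s]+)>? "
    r"IP <?(?P<ip>[^>\s]+)>? WebVPN access GRANTED: (?P<url>\S+)")
DENIED = re.compile(
    r"%ASA-6-716004: Group <?(?P<group>[^>\s]+)>? User <?(?P<user>[^>\s]+)>? "
    r"WebVPN access DENIED to specified location: (?P<url>\S+)")

# Constructed sample: one grant, three denials by one user, one unrelated message.
SAMPLE_LOG = """\
Jan 14 10:02:11 fw1 %ASA-6-716003: Group <SSLVPN_GP> User <alice> IP <203.0.113.7> WebVPN access GRANTED: https://portal.XYZ.ABC.de/
Jan 14 10:02:15 fw1 %ASA-6-716004: Group <SSLVPN_GP> User <bob> WebVPN access DENIED to specified location: https://hr.XYZ.ABC.de/salaries
Jan 14 10:02:16 fw1 %ASA-6-716004: Group <SSLVPN_GP> User <bob> WebVPN access DENIED to specified location: https://hr.XYZ.ABC.de/admin
Jan 14 10:02:17 fw1 %ASA-6-716004: Group <SSLVPN_GP> User <bob> WebVPN access DENIED to specified location: https://finance.XYZ.ABC.de/
Jan 14 10:02:20 fw1 %ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.9/443
"""


def parse_line(line):
    """Return the fields of a 716003/716004 line, or None for any other message."""
    m = GRANTED.search(line)
    if m:
        return dict(m.groupdict(), decision="granted")
    m = DENIED.search(line)
    if m:
        return dict(m.groupdict(), decision="denied", ip=None)   # 716004 carries no IP
    return None


def summarize(text):
    """Per-user counts of granted and denied URLs plus the hosts each user touched."""
    users = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stats = users.setdefault(rec["user"], {"group": rec["group"], "granted": 0,
                                               "denied": 0, "hosts": set(), "denied_urls": []})
        stats[rec["decision"]] += 1
        stats["hosts"].add(urlparse(rec["url"]).netloc)
        if rec["decision"] == "denied":
            stats["denied_urls"].append(rec["url"])
    return users


def probing_users(summary, threshold=3):
    """Users whose denial count reaches the threshold: likely probing past the webtype ACL."""
    return sorted(user for user, stats in summary.items() if stats["denied"] >= threshold)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for user, stats in summary.items():
        print(user, stats["group"], "granted=%d denied=%d" % (stats["granted"], stats["denied"]),
              sorted(stats["hosts"]))
    print("probing:", probing_users(summary))
```

Run it on the constructed sample and alice shows one grant while bob shows three denials across two hosts and is listed by `probing_users()`. The denied URLs are kept verbatim because the path (not just the host) is usually what tells you whether a denial was a mistyped bookmark or a deliberate attempt to reach something the ACL withholds.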
