https://community.cisco.com/t5/network-access-control/direct-authentication-problem-might-be-ssl-related/m-p/2784443#M56659 <P>*SOLVED*</P> <P>-After upgrading from&nbsp;<SPAN><SPAN>8.4(3) to 8.4(7)23 it started working. &nbsp;There must have been a bug with the version of code we were running.</SPAN></SPAN></P> <P></P> <P>Hey folks!</P> <P>I'm trying to do direct authentication on a 5510 and running into some problems. &nbsp;It works in another area of our network with a 5505, and I have a suspicion it's SSL related, but I'm not sure. &nbsp;I'm hoping you experts can shed some light on this. &nbsp;<span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>When I try to authenticate against the ASA to start the direct authentication process, I get presented with a certificate warning (expected), but when I tell it to proceed, it just keeps "spinning" and doesn't give me the login prompt - never returns a timeout or anything. &nbsp;Here is the relevent config:</P> <P>aaa authentication listener https UNTRUSTED port 3456 redirect</P> <P>aaa authentication match DIRECT_AUTH_UNTRUSTED UNTRUSTED MY-RADIUS</P> <P>access-list DIRECT_AUTH_UNTRUSTED extended permit tcp object-group UNTRUSTED_SUBNET any object-group HTTP_HTTPS_TCP<BR />access-list DIRECT_AUTH_UNTRUSTED extended permit udp object-group UNTRUSTED_SUBNET object-group GOOGLE_DNS eq domain<BR />access-list DIRECT_AUTH_UNTRUSTED extended permit tcp object-group UNTRUSTED_SUBNET host 10.0.240.1 eq 3456</P> <P>Here is the output of show logg. &nbsp;10.0.240.65 is the interface that is listening for direct authentication attempts and .66 is the client machine trying to get access:</P> <P>HQ-FW1# show logg | inc 10.0.240.65<BR />Nov 17 2015 16:54:17: %ASA-6-302014: Teardown TCP connection 6478 for LIMITED_ACCESS:10.0.240.66/6628 to identity:10.0.240.65/3456 duration 0:57:11 bytes 902 TCP Reset-I<BR />Nov 17 2015 16:54:21: %ASA-6-302013: Built inbound TCP connection 6890 for LIMITED_ACCESS:10.0.240.66/7211 (10.0.240.66/7211) to identity:10.0.240.65/3456 (10.0.240.65/3456)<BR />Nov 17 2015 16:54:21: %ASA-6-302014: Teardown TCP connection 6890 for LIMITED_ACCESS:10.0.240.66/7211 to identity:10.0.240.65/3456 duration 0:00:00 bytes 843 TCP Reset-I<BR />Nov 17 2015 16:54:23: %ASA-6-302015: Built inbound UDP connection 6891 for LIMITED_ACCESS:10.0.240.66/68 (10.0.240.66/68) to identity:10.0.240.65/67 (10.0.240.65/67)<BR />Nov 17 2015 16:54:25: %ASA-6-302013: Built inbound TCP connection 6893 for LIMITED_ACCESS:10.0.240.66/7216 (10.0.240.66/7216) to identity:10.0.240.65/3456 (10.0.240.65/3456)<BR />Nov 17 2015 16:54:25: %ASA-6-302014: Teardown TCP connection 6893 for LIMITED_ACCESS:10.0.240.66/7216 to identity:10.0.240.65/3456 duration 0:00:00 bytes 843 TCP Reset-I<BR />Nov 17 2015 16:54:25: %ASA-6-302013: Built inbound TCP connection 6894 for LIMITED_ACCESS:10.0.240.66/7217 (10.0.240.66/7217) to identity:10.0.240.65/3456 (10.0.240.65/3456)</P> <P>Here is the output of show asp table socket:</P> <P>HQ-FW1# show asp table sock</P> <P>Protocol Socket Local Address Foreign Address State<BR />SSL 0000869f 10.0.240.1:3456 0.0.0.0:* LISTEN<BR />SSL 0001208f 10.0.240.65:3456 0.0.0.0:* LISTEN<BR />SSL 0002087f 10.0.55.10:443 0.0.0.0:* LISTEN<BR />SSL 0002b97f 10.255.255.22:443 0.0.0.0:* LISTEN<BR />TCP 000309ef 10.0.55.10:22 0.0.0.0:* LISTEN<BR />TCP 0003f62f 10.255.255.22:22 0.0.0.0:* LISTEN<BR />SSL 000ded8f 10.0.240.249:3456 0.0.0.0:* LISTEN<BR />TCP 001a78f8 10.255.255.22:22 10.1.250.243:53275 ESTAB</P> <P>For what it's worth, accessing the GUI over 443 works perfectly fine. &nbsp;I"m not sure what other show or debug commands would be useful, but please let me know and I can provide them.</P> <P></P> <P>Thanks!!!</P> <P></P> <P>mitch</P> <P></P> Mon, 11 Mar 2019 06:14:58 GMT mitchell helton 2019-03-11T06:14:58Z https://community.cisco.com/t5/network-access-control/direct-authentication-problem-might-be-ssl-related/m-p/2784443#M56659 <P>*SOLVED*</P> <P>-After upgrading from&nbsp;<SPAN><SPAN>8.4(3) to 8.4(7)23 it started working. &nbsp;There must have been a bug with the version of code we were running.</SPAN></SPAN></P> <P></P> <P>Hey folks!</P> <P>I'm trying to do direct authentication on a 5510 and running into some problems. &nbsp;It works in another area of our network with a 5505, and I have a suspicion it's SSL related, but I'm not sure. &nbsp;I'm hoping you experts can shed some light on this. &nbsp;<span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>When I try to authenticate against the ASA to start the direct authentication process, I get presented with a certificate warning (expected), but when I tell it to proceed, it just keeps "spinning" and doesn't give me the login prompt - never returns a timeout or anything. &nbsp;Here is the relevent config:</P> <P>aaa authentication listener https UNTRUSTED port 3456 redirect</P> <P>aaa authentication match DIRECT_AUTH_UNTRUSTED UNTRUSTED MY-RADIUS</P> <P>access-list DIRECT_AUTH_UNTRUSTED extended permit tcp object-group UNTRUSTED_SUBNET any object-group HTTP_HTTPS_TCP<BR />access-list DIRECT_AUTH_UNTRUSTED extended permit udp object-group UNTRUSTED_SUBNET object-group GOOGLE_DNS eq domain<BR />access-list DIRECT_AUTH_UNTRUSTED extended permit tcp object-group UNTRUSTED_SUBNET host 10.0.240.1 eq 3456</P> <P>Here is the output of show logg. &nbsp;10.0.240.65 is the interface that is listening for direct authentication attempts and .66 is the client machine trying to get access:</P> <P>HQ-FW1# show logg | inc 10.0.240.65<BR />Nov 17 2015 16:54:17: %ASA-6-302014: Teardown TCP connection 6478 for LIMITED_ACCESS:10.0.240.66/6628 to identity:10.0.240.65/3456 duration 0:57:11 bytes 902 TCP Reset-I<BR />Nov 17 2015 16:54:21: %ASA-6-302013: Built inbound TCP connection 6890 for LIMITED_ACCESS:10.0.240.66/7211 (10.0.240.66/7211) to identity:10.0.240.65/3456 (10.0.240.65/3456)<BR />Nov 17 2015 16:54:21: %ASA-6-302014: Teardown TCP connection 6890 for LIMITED_ACCESS:10.0.240.66/7211 to identity:10.0.240.65/3456 duration 0:00:00 bytes 843 TCP Reset-I<BR />Nov 17 2015 16:54:23: %ASA-6-302015: Built inbound UDP connection 6891 for LIMITED_ACCESS:10.0.240.66/68 (10.0.240.66/68) to identity:10.0.240.65/67 (10.0.240.65/67)<BR />Nov 17 2015 16:54:25: %ASA-6-302013: Built inbound TCP connection 6893 for LIMITED_ACCESS:10.0.240.66/7216 (10.0.240.66/7216) to identity:10.0.240.65/3456 (10.0.240.65/3456)<BR />Nov 17 2015 16:54:25: %ASA-6-302014: Teardown TCP connection 6893 for LIMITED_ACCESS:10.0.240.66/7216 to identity:10.0.240.65/3456 duration 0:00:00 bytes 843 TCP Reset-I<BR />Nov 17 2015 16:54:25: %ASA-6-302013: Built inbound TCP connection 6894 for LIMITED_ACCESS:10.0.240.66/7217 (10.0.240.66/7217) to identity:10.0.240.65/3456 (10.0.240.65/3456)</P> <P>Here is the output of show asp table socket:</P> <P>HQ-FW1# show asp table sock</P> <P>Protocol Socket Local Address Foreign Address State<BR />SSL 0000869f 10.0.240.1:3456 0.0.0.0:* LISTEN<BR />SSL 0001208f 10.0.240.65:3456 0.0.0.0:* LISTEN<BR />SSL 0002087f 10.0.55.10:443 0.0.0.0:* LISTEN<BR />SSL 0002b97f 10.255.255.22:443 0.0.0.0:* LISTEN<BR />TCP 000309ef 10.0.55.10:22 0.0.0.0:* LISTEN<BR />TCP 0003f62f 10.255.255.22:22 0.0.0.0:* LISTEN<BR />SSL 000ded8f 10.0.240.249:3456 0.0.0.0:* LISTEN<BR />TCP 001a78f8 10.255.255.22:22 10.1.250.243:53275 ESTAB</P> <P>For what it's worth, accessing the GUI over 443 works perfectly fine. &nbsp;I"m not sure what other show or debug commands would be useful, but please let me know and I can provide them.</P> <P></P> <P>Thanks!!!</P> <P></P> <P>mitch</P> <P></P> Mon, 11 Mar 2019 06:14:58 GMT https://community.cisco.com/t5/network-access-control/direct-authentication-problem-might-be-ssl-related/m-p/2784443#M56659 mitchell helton 2019-03-11T06:14:58Z https://community.cisco.com/t5/network-access-control/direct-authentication-problem-might-be-ssl-related/m-p/2784444#M56660 <P>Good job on solving your own problem and also thank you for taking the time to come back and post the solution here!!&nbsp;</P> <P>Since your issue is resolved, you should mark the thread as "answered" <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Sun, 22 Nov 2015 05:41:37 GMT https://community.cisco.com/t5/network-access-control/direct-authentication-problem-might-be-ssl-related/m-p/2784444#M56660 nspasov 2015-11-22T05:41:37Z https://community.cisco.com/t5/network-access-control/direct-authentication-problem-might-be-ssl-related/m-p/2784445#M56661 <P>Believe it or not, I tried to do that but couldn't figure out how. &nbsp;How can I mark this as resolved? <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 23 Nov 2015 13:59:01 GMT https://community.cisco.com/t5/network-access-control/direct-authentication-problem-might-be-ssl-related/m-p/2784445#M56661 mitchell helton 2015-11-23T13:59:01Z https://community.cisco.com/t5/network-access-control/direct-authentication-problem-might-be-ssl-related/m-p/2784446#M56662 <P>Hmm, I can't rate your your initial comment either...(+5) on your second comment. It has been a while since I have posted so it looks like some things have changed. Perhaps, a Security VIP can do that for us?</P> Mon, 23 Nov 2015 21:20:30 GMT https://community.cisco.com/t5/network-access-control/direct-authentication-problem-might-be-ssl-related/m-p/2784446#M56662 nspasov 2015-11-23T21:20:30Z