topic ASA-active directory agent problem in Network Security

ASA-active directory agent problem

fredy.maizelev — Mon, 11 Mar 2019 20:54:25 GMT

hi all!

im trying to configure the user identity feature on my asa and there isnt real debugging document,so hopefully u can help me.

ive configured my ad agent on a server the installion went well and im able to see users from the AD srv.

ive configured the ASA with the ip address of the AD SRV and im able to reach the srv via LDAP,the problem is in the configuration of the connection to the

ad client via radius (my asa is 10.2.16.110 and the ad client is configured on 10.2.16.169),i do have ip connectivty between the two and i can see in the wireshark that ive opened in the server that i do recieve RADIUS sesions from my ASA but according to the ASA debug the server respone is timed out....

im attaching the debug of the asa and some relevant commands from the AD client hopefully someone can tip me..

the asa debug

---------------------

arsed packet data.....

Radius: Code = 1 (0x01)

Radius: Identifier = 44 (0x2C)

Radius: Length = 87 (0x0057)

Radius: Vector: A0591EFFCC152A1BB891F6F764CD8293

Radius: Type = 1 (0x01) User-Name

Radius: Length = 3 (0x03)

Radius: Value (String) =

20 |

Radius: Type = 26 (0x1A) Vendor-Specific

Radius: Length = 40 (0x28)

Radius: Vendor ID = 9 (0x00000009)

Radius: Type = 1 (0x01) Cisco-AV-pair

Radius: Length = 34 (0x22)

Radius: Value (String) =

65 6e 74 69 74 79 2d 61 74 74 72 3a 63 6e 74 6c | entity-attr:cntl

3a 6b 65 65 70 2d 61 6c 69 76 65 3d 74 72 75 65 | :keep-alive=true

Radius: Type = 4 (0x04) NAS-IP-Address

Radius: Length = 6 (0x06)

Radius: Value (IP Address) = 10.2.16.110 (0x0A02106E)

Radius: Type = 80 (0x50) Message-Authenticator

Radius: Length = 18 (0x12)

Radius: Value (String) =

1b c0 0b 2e 52 7a 56 eb c5 b8 80 93 b9 e5 5b 71 | ....RzV.......[q

send pkt 10.2.16.169/1645

RADIUS_SENT:server response timeout

RADIUS_DELETE

remove_req 0xce7bce7c session 0x3b id 44

free_rip 0xce7bce7c

radius: send queue empty

the ad client config:

---------------------------------

c:\IBF\CLI>adacfg client list

Name IP/Range

-------- --------------

asa-lab2 10.2.16.110/32

c:\IBF\CLI>adacfg client status

Subscribed-IP Sync-Status

------------- -----------

the asa config

-------------------------

aaa-server AD-agent-16.169 (inside) host 10.2.16.169

retry-interval 4

key *****

radius-common-pw *****

no mschapv2-capable

fredy

ASA-active directory agent problem

andamani — Tue, 05 Jul 2011 02:57:25 GMT

Hi Fredy,

Please send the output of the following:

sh run aaa

sh run aaa-server

Kindly enable the following debugs

deb aaa authen

deb radius

Kindly run the following command and let me know the results:

test aaa authen host

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

ASA-active directory agent problem

Tim Schneider — Fri, 29 Jul 2011 11:07:20 GMT

Same problem here.

@Anisha: You can't run test aaa authen on a AD-Agent server groups:

ciscoasa/pri(config)# test aaa-server authen adagent host x.x.x.x

ERROR: This test is not supported for AD agent server groups.

I'm at a loss here, I can't explain why the AD Agent found the ASA and lists it inside the adacfg client list, but the ASA keeps spamming the logg with %ASA-3-3746005.

debug user-identity ad-agent gives me spamming of KEEPALIVE packets send to the AD-Agent.

Re: ASA-active directory agent problem

nathanfink — Tue, 02 Aug 2011 21:26:34 GMT

Having the exact same issue and the firewall is disabled on the DC the adagent is installed on. I can authenticate via LDAP, pull user names and groups and even create acl's with the user names...

however the test aaa-server ad-agent adagent against the DC with the adagent on it fails with

ERROR: Ad-agent Server not responding: No error

and the adacfg client status shows as being blank

ASA-active directory agent problem

Tim Schneider — Tue, 13 Sep 2011 09:04:15 GMT

Wasn't able to fix this yet. Hopefully next week when I'm attending a lab from Cisco I'm able to clear up some things here.

ASA-active directory agent problem

Tim Schneider — Thu, 10 Nov 2011 14:12:01 GMT

Still not working. Tried this on another machine with Windows 2008, still no AD Agent connectivity...

ASA-active directory agent problem

mirober2 — Thu, 10 Nov 2011 16:54:29 GMT

Hi all,

Are there any other applications or services on the server that act as a RADIUS server? This is not supported since we cannot change the hard-coded port the AD Agent's RADIUS server listens on.

Do you see the AD Agent listening on UDP/1645 in the output of 'netstat -anb | more' on the Windows command prompt?

If you're still having trouble after this it would be a good idea to open a TAC case and have this investigated.

-Mike

ASA-active directory agent problem

darren.g — Fri, 11 Nov 2011 04:42:10 GMT

Tim Schneider wrote:

Still not working. Tried this on another machine with Windows 2008, still no AD Agent connectivity...

What are you using on the AD server as the radius client?

I've just done a Radius server using the built-in Windows services and it works fine - my ASA config isn't much different to yours.

I basically followed this

http://fixingit.wordpress.com/2009/09/08/using-windows-server-2008-as-a-radius-server-for-a-cisco-asa/

document - maybe it'll help you out also.

Cheers.

ASA-active directory agent problem

steven_lean1u90 — Mon, 02 Apr 2012 06:44:07 GMT

Setup information ASDM 6.4 and ASA 5505 with IOS 8.4.3. Radius server running Windows 2008 R2.

I also received the same error message when I test the Radius server group from ASDM:

ERROR: Ad-agent Server not responding: No error

I have made the following change on my AAA Radius Server Group setting to fix the issue:

configuration > remote access vpn > aaa/local users > aaa server groups

edit radius server group

uncheck enable active directory agent mode

apply and test.

ASA-active directory agent problem

libriskz — Sat, 19 May 2012 11:12:25 GMT

May be it's a bug...(Ethernet interface or ASA)

You need to locate the Agent in the DMZ interface

Cheers.

ASA-active directory agent problem

hvdhelm — Tue, 27 Nov 2012 13:58:19 GMT

Try to disable MSCHAPv2 support on the AAA-server config.

ASA-active directory agent problem

Ivaylo Georgiev — Fri, 12 Jul 2013 03:28:35 GMT

Did anyone figure this out yet?

I am having a similar problem:

test aaa-server ad-agent adagent

Server IP Address or name: 10.5.55.36

INFO: Attempting Ad-agent test to IP address <10.5.55.36> (timeout: 12 seconds)

ERROR: Ad-agent Server not responding: No response from server

sh run aaa-server

aaa-server AD protocol ldap

aaa-server AD (inside) host 10.5.55.36

server-port 389

ldap-base-dn DC=tagltd,DC=com

ldap-scope subtree

ldap-login-password *****

ldap-login-dn cn=aduser,cn=Users,dc=tagltd,dc=com

server-type microsoft

aaa-server adagent protocol radius

ad-agent-mode

aaa-server adagent (inside) host 10.5.55.36

key *****

# sh run aaa

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authentication http console LOCAL

aaa authentication enable console LOCAL

in the event log of the domain controller, I see:

"the user account domain cannot be accessed"

the server is widnows 2003 and it is not R2. I am using the built-in radius function.

Parsed packet data.....

Radius: Code = 1 (0x01)

Radius: Identifier = 77 (0x4D)

Radius: Length = 87 (0x0057)

Radius: Vector: D42E1169F2C9F06E94CCA6183D3BE1CD

Radius: Type = 1 (0x01) User-Name

Radius: Length = 3 (0x03)

Radius: Value (String) =

20 |

Radius: Type = 26 (0x1A) Vendor-Specific

Radius: Length = 40 (0x28)

Radius: Vendor ID = 9 (0x00000009)

Radius: Type = 1 (0x01) Cisco-AV-pair

Radius: Length = 34 (0x22)

Radius: Value (String) =

65 6e 74 69 74 79 2d 61 74 74 72 3a 63 6e 74 6c | entity-attr:cntl

3a 6b 65 65 70 2d 61 6c 69 76 65 3d 74 72 75 65 | :keep-alive=true

Radius: Type = 4 (0x04) NAS-IP-Address

Radius: Length = 6 (0x06)

Radius: Value (IP Address) = 10.5.2.1 (0x0A050201)

Radius: Type = 80 (0x50) Message-Authenticator

Radius: Length = 18 (0x12)

Radius: Value (String) =

4c 4f 9b 9d 7f 73 96 37 cc 81 16 d9 d8 61 95 be | LO..s.7.....a..

send pkt 10.5.55.36/1645

RADIUS_SENT:server response timeout

RADIUS_DELETE

remove_req 0x00007fffa3e3ead8 session 0x40000634 id 75

free_rip 0x00007fffa3e3ead8

ASA-active directory agent problem

hvdhelm — Fri, 12 Jul 2013 07:54:20 GMT

'I am using the built-in radius function'

Witch built-in radius function are you using? IAS from Windows 2003?

In that case you the ports 1812 and 1813 are allready taken by the radius services from IAS.

The AD-agent is a small radius server by itself.

This is a common problem with SBS installations.

ASA-active directory agent problem

Ivaylo Georgiev — Fri, 12 Jul 2013 13:35:17 GMT

Thanks for your reply!

If there are two domain controllers, would it work if we remove IAS from one of them and configure the AD agent there?

I don't have access to the controllers so I was hoping I could get some feedback before making that recommendation.

Re: ASA-active directory agent problem

hvdhelm — Fri, 12 Jul 2013 13:42:04 GMT

Yes you can ..

But ... You don't have have to install the AD-Agent on a domain controller! You can install it on any member server.

Cisco has a perfect howto: http://www.cisco.com/en/US/docs/security/ibf/setup_guide/ibf10_install.html