topic ASA server IAS first authentication failed in Network Security

ASA server IAS first authentication failed

alexandre.sitbon — Mon, 11 Mar 2019 20:42:33 GMT

Hi everyone,

I have a little problem with my ASA 5510 version 8.2(1) with a IAS server RADIUS for strong authentication.

I have configured a double authentication for my client to access SSL portal:

First authentication: AD server
Secondary authentication: IAS for my token SAFENET ALADDIN

The server IAS is declared on a W2K3 and it's standard.

The problem I have is that after more than 24hours of unutilization, when i try to log in, my authentication failed the first time and then the other tries work fine as long as I use it in a period of 24hours.

I first thought about the timeout so i tried to put a "timeout" of 15seconds for AD and IAS servers and a "retry intervall" of 3 seconds, it doesn't change much.

Do you have an idea? Is there a tool/option in the ASA to check connectivity with the radius every 1h for example.

Thanks

ASA server IAS first authentication failed

brquinn — Mon, 06 Jun 2011 14:57:52 GMT

The problem I have is that after more than 24hours of unutilization, when i try to log in, my authentication failed the first time and then the other tries work fine as long as I use it in a period of 24hours.

Which authentication is failing? Is it the AD authentication or the Radius w/ security token? Prior to the failure, what is the status of the servers? You can run "show aaa-server" to find out. Also, what is your reactivation-mode set to?

Also, I would check the debugs to see why the authentication is failing. You can also check the logs on the server to see if the server is rejecting the connection.

Is there a tool/option in the ASA to check connectivity with the radius every 1h for example.

No. You could setup a script to login and use the "test aaa-server authentication" command periodically. But this should not be necessary. I would recommend troubleshooting the root cause rather than trying to mask the problem with workarounds.

Thanks,

Brendan

ASA server IAS first authentication failed

alexandre.sitbon — Mon, 06 Jun 2011 15:21:25 GMT

It's the RADIUS that failed on the first authentication.

My radius and AD servers are in two different aaa-server-group.

My RADIUS server has a reactivation mode: depletion
Dead time: 10 minutes
Timeout: 15s
Retry intervall: 5s

My RADIUS SERVER:

Server port: 1645(authentication), 1646(accounting)
Number of pending requests 0
Average round trip time   1897ms
Number of authentication requests 24
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 11
Number of accepts   12
Number of rejects   8
Number of challenges   0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts   4
Number of unrecognized responses 0

My AD SERVER:

Server port: 0
Number of pending requests 0
Average round trip time   0ms
Number of authentication requests 1779
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts   1682
Number of rejects   97
Number of challenges   0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts   0
Number of unrecognized responses 0

On the logs it's the same message as authentication failed. It does the same thing when a bad password is inserted.

There is another RADIUS SERVER in an another group that uses the same port 1645(authentication), 1646(accounting), can it causes problem? (this server is not used).

I'll check test aaa-server authentication tomorrow.

THanks

ASA server IAS first authentication failed

brquinn — Mon, 06 Jun 2011 16:58:33 GMT

On the logs it's the same message as authentication failed. It does the same thing when a bad password is inserted.

Which logs? The ASA logs or the Radius server logs? If the Server is failing the authentication, then we need to know why. I'd run a packet capture on the server and make sure the token is being sent correctly. Wireshark should be able to decode the radius packets if you use the shared secret key.

There is another RADIUS SERVER in an another group that uses the same port 1645(authentication), 1646(accounting), can it causes problem? (this server is not used).

If the other server is in a different aaa group, then that configuration shouldn't be relevant. You should see in the 'show aaa-server' output that no auth requests are being sent to that server.

Thanks,

Brendan

ASA server IAS first authentication failed

alexandre.sitbon — Tue, 07 Jun 2011 13:26:58 GMT

It's on the Radius Server Logs that i've seen that the authentication failed. What is the command CLI or in ASDM to see the log RADIUS on the ASA? By the way my RADIUS server is on VMWARE, do you think that might cause a problem? (maybe when you don't share any data for a while, VMWARE does something...)

The idea of Wireshark is good, I'll try that as soon as I can.

Thanks