ASA CX active authentication

weichenyang (Level 1)

I configured identity policies to require active authentication, but no login form is displayed. Why?

1. Define a realm which contains one AD.

2. Define an identity policy.

3. Define an identity policy object.

4. Define an access policy, specifying the identity policy objects as part of the source field.

5. Enable auth proxy in the ASA service policy.

Thanks

6 Replies

Marvin Rhoads (Hall of Fame)

Does your AD server status in CDA show up as good (green check box)?

Does your AD Agent connection in PRSM test successful (Device > AD Agent > Test)?

Back at CDA, does PRSM show up as a registered device?

Is CDA mapping users to IP addresses when they authenticate to AD?

If all that is working, please share your configured service-policy and related objects on the ASA as well as your access policy from PRSM.

Marvin, thanks.

I use Active Authentication, no agent is required.

Hi,

The config seems ok. What is the exact behaviour? Does the requested web page load without any authentication or do you receive an error?

Thanks, Radu
</grreplace>
<gr_replace lines="65-69" cat="clarify" orig="no AD login">
No AD login window is shown.

The requested web page does not load.

The URL bar just shows: http://192.168.10.1:1025/?redirect_id=63a01419d3d6e2799da3d8279428bba2fa176c47

no AD login windwos show

the requested web page does not load

the url bar just show:http://192.168.10.1:1025/?redirect_id=63a01419d3d6e2799da3d8279428bba2fa176c47

Hi,

Can you try the following command on the ASA following an authentication attempt? Also, can you issue a "show run policy-map", "show run service-policy" and "show nameif" command?

/pri/act# show asp table classify domain cxsc-auth-proxy hits 

Input Table
in  id=0x7fff2b967190, priority=121, domain=cxsc-auth-proxy, deny=false
        hits=55144, user_data=0x7fff2b966e80, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=10.237.4.1, mask=255.255.255.255, port=885, tag=0, dscp=0x0
        input_ifc=lanwsp, output_ifc=identity
in  id=0x7fff2b96e760, priority=121, domain=cxsc-auth-proxy, deny=false
        hits=33077, user_data=0x7fff2b96e450, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=10.237.8.1, mask=255.255.255.255, port=885, tag=0, dscp=0x0

Firewall(config)# show run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
policy-map cx-policy
 class class-default
  inspect icmp 
  user-statistics accounting
  cxsc fail-open auth-proxy
!             
 
Firewall(config)# show run service-policy
service-policy cx-policy global
 
Firewall(config)# show nameif
Interface                Name                     Security
GigabitEthernet0/0       Outside                    0
GigabitEthernet0/1       Inside                   100
GigabitEthernet0/2       DMZ                       50
Management0/0            management               100
 
Firewall(config)# show asp table classify domain cxsc-auth-proxy hits
 
Input Table
in  id=0x7fffa02644b0, priority=121, domain=cxsc-auth-proxy, deny=false
hits=70, user_data=0x7fff9f422630, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=external ip address             , mask=255.255.255.255, port=1025, tag=0, dscp=0x0
input_ifc=Outside, output_ifc=identity
in  id=0x7fffa38e9bb0, priority=121, domain=cxsc-auth-proxy, deny=false
hits=285473, user_data=0x7fff9f422630, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=192.168.10.1, mask=255.255.255.255, port=1025, tag=0, dscp=0x0
input_ifc=Inside, output_ifc=identity
in  id=0x7fff9fdc0eb0, priority=121, domain=cxsc-auth-proxy, deny=false
hits=24, user_data=0x7fff9f422630, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=192.168.100.1, mask=255.255.255.255, port=1025, tag=0, dscp=0x0
input_ifc=DMZ, output_ifc=identity
 
Output Table:
 
L2 - Output Table:
 
L2 - Input Table:
 
Last clearing of hits counters: Never
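The output above is easier to reason about once each classify entry is read as a record (interface, redirect target, port, hit count). The following parser is an added example written for this thread; it is not code from the thread, from Cisco, or from the ASA, and the sample text it parses is the poster's own "show asp table classify domain cxsc-auth-proxy hits" output copied verbatim (including the redacted "external ip address"). The check it performs is the one a troubleshooter wants at this point: does the host and port in the browser's redirect URL correspond to a cxsc-auth-proxy entry on the client-facing interface, and is that entry accumulating hits? In the posted output the Inside entry for 192.168.10.1 port 1025 has 285473 hits, so the connections to the redirect target are being classified by the ASA; a non-zero hit count proves classification only, not that the CX module's auth proxy answered, so the remaining investigation lies beyond this table.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the classify-table output posted in this thread, copied as-is.
SAMPLE_OUTPUT = """\
Input Table
in  id=0x7fffa02644b0, priority=121, domain=cxsc-auth-proxy, deny=false
hits=70, user_data=0x7fff9f422630, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=external ip address             , mask=255.255.255.255, port=1025, tag=0, dscp=0x0
input_ifc=Outside, output_ifc=identity
in  id=0x7fffa38e9bb0, priority=121, domain=cxsc-auth-proxy, deny=false
hits=285473, user_data=0x7fff9f422630, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=192.168.10.1, mask=255.255.255.255, port=1025, tag=0, dscp=0x0
input_ifc=Inside, output_ifc=identity
in  id=0x7fff9fdc0eb0, priority=121, domain=cxsc-auth-proxy, deny=false
hits=24, user_data=0x7fff9f422630, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=192.168.100.1, mask=255.255.255.255, port=1025, tag=0, dscp=0x0
input_ifc=DMZ, output_ifc=identity

Output Table:

L2 - Output Table:

L2 - Input Table:

Last clearing of hits counters: Never
"""

# One classify entry spans several lines: an "in  id=..." header line, then
# hits, src, dst and interface lines. These patterns pick out the fields we need.
ENTRY_START = re.compile(r"^\s*in\s+id=(?P<id>0x[0-9a-f]+),.*domain=(?P<domain>[\w-]+)")
HITS = re.compile(r"^\s*hits=(?P<hits>\d+)")
DST = re.compile(r"^\s*dst ip/id=(?P<ip>.*?)\s*,\s*mask=.*?port=(?P<port>\d+)")
IFC = re.compile(r"^\s*input_ifc=(?P<in>\S+),\s*output_ifc=(?P<out>\S+)")


def parse_auth_proxy_entries(text):
    """Parse 'show asp table classify domain ... hits' output into a list of dicts."""
    entries = []
    current = None
    for line in text.splitlines():
        m = ENTRY_START.match(line)
        if m:
            current = {"id": m["id"], "domain": m["domain"], "hits": 0,
                       "dst_ip": None, "dst_port": None, "input_ifc": None}
            entries.append(current)
            continue
        if current is None:
            continue  # table headers, blank lines, trailer
        if (m := HITS.match(line)):
            current["hits"] = int(m["hits"])
        elif (m := DST.match(line)):
            # The poster redacted one address; strip() keeps it as a readable label.
            current["dst_ip"] = m["ip"].strip()
            current["dst_port"] = int(m["port"])
        elif (m := IFC.match(line)):
            current["input_ifc"] = m["in"]
            current = None  # input_ifc/output_ifc is the last line of an entry
    return entries


def hits_by_interface(entries):
    """Map each input interface to the hit count of its auth-proxy entry."""
    return {e["input_ifc"]: e["hits"] for e in entries}


def redirect_is_classified(redirect_url, entries, client_ifc):
    """Return the cxsc-auth-proxy entry whose destination matches the host:port of
    the redirect URL on the client-facing interface, or None if there is none."""
    parts = urlsplit(redirect_url)
    host, port = parts.hostname, parts.port or 80
    for e in entries:
        if (e["domain"] == "cxsc-auth-proxy" and e["input_ifc"] == client_ifc
                and e["dst_ip"] == host and e["dst_port"] == port):
            return e
    return None


if __name__ == "__main__":
    found = parse_auth_proxy_entries(SAMPLE_OUTPUT)
    print(hits_by_interface(found))
    # The redirect URL from the thread; the client sits on the Inside interface.
    match = redirect_is_classified(
        "http://192.168.10.1:1025/?redirect_id=63a01419d3d6e2799da3d8279428bba2fa176c47",
        found, "Inside")
    if match is None:
        print("redirect target is NOT an auth-proxy classify entry on Inside")
    else:
        print(f"redirect target classified on Inside, hits={match['hits']}")
```

Paste the real output in place of the constructed sample and pass the interface the client is actually behind; a None result means the ASA is not classifying the redirect target on that interface at all, while a match with a hit count that grows between two runs means the browser's connections do reach the auth-proxy rule and the fault is further along.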