09-17-2014 12:10 AM - edited 03-11-2019 09:46 PM
Hello, everyone!
Management set me the task of making sure that users are logged in via AD before they get to the Internet.
The configuration on the ASA is as follows:
object-group user ACTIVE_ALLOW
 user-group DCU\\CASA61_Allow
 user DCU\User1
 user DCU\User2
access-list inside_access_in_1 extended permit ip object-group-user ACTIVE_ALLOW 192.168.1.0 255.255.255.0 any log debugging
aaa-server ADA protocol radius
 ad-agent-mode
 interim-accounting-update
 reactivation-mode depletion deadtime 1
 merge-dacl after-avpair
aaa-server ADA (inside) host dc61-01
 key *****
 radius-common-pw *****
 no mschapv2-capable
aaa-server AD protocol ldap
 reactivation-mode depletion deadtime 1
aaa-server AD (inside) host dc61-01
 ldap-base-dn dc=DCU,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=CISCOASA61,OU=Users_MC,dc=DCU,dc=local
 server-type microsoft
user-identity domain DCU aaa-server AD
user-identity domain DC61-01 aaa-server AD
user-identity default-domain DCU
user-identity action domain-controller-down DCU disable-user-identity-rule
no user-identity action mac-address-mismatch remove-user-ip
no user-identity inactive-user-timer
user-identity logout-probe netbios local-system probe-time minutes 60 retry-interval seconds 5 retry-count 5 match-any
user-identity poll-import-user-group-timer hours 12
user-identity ad-agent active-user-database full-download
user-identity ad-agent aaa-server ADA
user-identity user-not-found enable
As of now, while writing this message (about 20 minutes), I have been thrown off the Internet once.
09-18-2014 01:30 PM
Hello;
Remove the NetBios Probes and see if the problem goes away.
Mike.
09-25-2014 02:24 AM
I removed the NetBIOS probes, but the problem is not solved.
At the moment I have this configuration:
user-identity domain DOMAIN aaa-server AD
user-identity default-domain DOMAIN
user-identity action domain-controller-down DOMAIN disable-user-identity-rule
user-identity inactive-user-timer minutes 100
user-identity logout-probe netbios local-system probe-time minutes 60 retry-interval seconds 10 retry-count 10 user-not-needed
user-identity poll-import-user-group-timer hours 12
user-identity ad-agent active-user-database full-download
user-identity ad-agent hello-timer seconds 30 retry-times 15
user-identity ad-agent aaa-server ADA
The essence of the problem is that after a user logs in, the Internet drops off after a certain time. That is, the user logs on to the computer, opens the browser, opens a couple of sites, closes the browser, and then after 15 to 20 minutes of idle time, or immediately after the active Internet sessions close, the Internet becomes unavailable. The Internet comes back when the user logs in to the computer again.
I need it to determine accurately whether the user is still alive, so that even if he does not use the Internet, but just logs in and has no active network sessions, then when he wants to get online or start any other Internet or network session, the Internet is accessible without re-authorization.
If I completely disable logout-probe netbios and inactive-user-timer, then the Internet becomes unavailable altogether. Also, if I set the match-any parameter, the Internet connection is interrupted too, so I set the user-not-needed option.
What do I need to do to get the Identity Firewall working correctly, without kicking users off?
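As an added example (not part of any post in this thread), the ASA commands a practitioner would use to see why an IP-to-user mapping disappears, followed by the two probe choices the thread is circling around. The server names (ADA, AD), domain (DCU) and user (DCU\User1) are taken from the thread; the timer values are assumptions, not a tested fix. The ACL on the page only permits traffic while the user's IP is in the active user database, so the question to answer first is which mechanism removed the mapping: a failed NetBIOS probe, the inactive-user timer, or the AD Agent itself.

```cisco
! Added example, not the original poster's configuration. Names from the
! thread; timer values are assumptions.
!
! 1. Confirm the AD Agent link is up before changing any timers. If the
!    agent is down, DCU users fall back to the domain-controller-down action.
show user-identity ad-agent
test aaa-server ad-agent ADA
!
! 2. Reproduce the drop, then check whether the user is still mapped to an
!    IP and whether the entry is active, inactive (idle timer expired) or gone.
show user-identity user all
show user-identity ip-of-user DCU\User1
show user-identity user inactive
show user-identity statistics
!
! 3a. Keep the NetBIOS logout probe. The probe is a NetBIOS name query
!     (UDP/137) to the workstation; when the host does not answer, the
!     probe fails and the ASA logs the user out. match-any and exact-match
!     additionally require a logged-on user name in the reply, so a host
!     whose Windows Firewall drops UDP/137 looks logged-out with either.
!     user-not-needed only requires the host to answer at all.
user-identity logout-probe netbios local-system probe-time minutes 60 retry-interval seconds 10 retry-count 3 user-not-needed
!
! 3b. Or, if the workstations cannot answer NetBIOS at all, disable the
!     probe and rely on the AD Agent's logon/logoff events instead.
no user-identity logout-probe netbios local-system
!
! 4. Idle timer: an IP with no traffic for this long is aged out of the
!    active database, which is what makes a quiet desktop "lose" the
!    Internet. Set it longer than the longest expected idle period
!    (480 minutes here is an assumption).
user-identity inactive-user-timer minutes 480
```

Use 3a or 3b, not both. Step 2 is the part that identifies the culprit: if the entry shows up under the inactive list shortly before the drop, the idle timer is aging it out; if it vanishes right after a probe interval with match-any or exact-match configured, the workstation is not answering UDP/137 with a user name.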