Authentication servers w/VPN 3000

rshomo
Level 1

General question around authentication servers supported with the VPN 3000 family. Is it always assumed that the authentication server resides on the private LAN side of the VPN? For example, if I have a multi-site setup where the authentication server is remote (Site A - different subnet) and then a second site - Site B (where VPN front-ends access) and then a remote user needs to access Site B but authenticate at Site A. Is this possible with VPN 3000? This is based only on my experience with the SDI method; does RADIUS also need to be on the private LAN of the VPN? Are there general design documents which detail supported configs w/authentication servers?

THX

9 Replies

kdurrett
Level 3

As long as your 3000 can ping your authentication server, in your example the site B 3000, you're good. Now if it's located on the public side of that 3000 on site B, then you will have to adjust your public filter to allow that request to hit that auth server on the public side. If the auth server for site B is across the L2L tunnel to Site A, then you shouldn't have a problem. Here's a sample, but this does assume that the auth server is local: http://www.cisco.com/warp/public/471/nt.html

and

http://www.cisco.com/warp/public/471/sdi.html

Now what's best practice? If for some reason site A goes down, this will unfortunately bring down site B because it can no longer authenticate or reach that server. You should have a server locally, but it can be on the private or public side.

Kurtis Durrett

THX-

As far as the problem w/Site A failure, this could be replicated (assuming the network doesn't fail). I'm using IPSec tunnels w/encryption, but what protects authentication requests Site B -> Site A (in the case of SDI, it appears to be just DES between the VPN and the SDI server)? I was unable to get communication to work over the public network even when I made the rules "Any In" and "Any Out" (like the private default). It appeared that the SDI agent on the VPN is programmed to send authentication requests only over the private network? (Could this be true?) I was able to "ping" the auth server on public but continually recvd an Error 23 when trying to authenticate. I'll look at the referenced docs also.

Rob

"It appeared that the SDI agent on VPN is programmed to send authentication requests only over private network? (Could this be true?)". I've never heard of that before, as I'm pretty sure it doesn't matter where the server is located; I know I've had it working with RADIUS through any interface, whether public/private. The 3000 is considered a client of the SDI server, so when you first make your request you should get sent a SECURID file. I'm pretty sure that the SDI server sees the interface's IP address that requested it and will then only allow that IP address to make a request as a client. So if site B is authenticating your clients to the SDI server in site A, do you have a SECURID file on your concentrator? Administration > File Management > Files. Try turning on debugs on site B; auth, auth debug from lvl 1-9 should suffice. Check your SDI logs as well. BTW, are you using SDI or are you using RADIUS?

I'm using SDI (ACE/Server 5.0.1). Originally I had it set up using the public interface. I've reviewed all logs (Concentrator (levels 1-10), Client and SDI server) to no avail. It kept getting error 23 on the Concentrator. As soon as I set up the SDI server on the private LAN as well as the IP address in the Concentrator, everything worked per the documents (BTW - the doc you referred me to is what I used, but the RSA Implementation Guide is more informative). A Cisco Engineer visited my site and said he believed it would only work on the private LAN unless a way of changing public filters could be defined. Looking at the rules listed which could be applied, I don't see a match. But when I had set it to "Any In, Any Out" it didn't make a difference (i.e., the Concentrator would never be able to contact the SDI server even though "ping" succeeded in both directions). I had posted error logs etc. in this forum in an earlier inquiry. This is why I'm posing these questions, to try to see if there are some assumptions that I'm missing.

The Cisco doc "Configuring VPN Client w/SDI" actually depicts a configuration which is basically what I'd set up, but it never was successful in authenticating.

The SDI server is located on the remote 3000's internal LAN, correct? Have you changed the filters on that concentrator as well?

Kurtis Durrett

Currently, yes, the SDI is on the private LAN. I'm using the default filters (public+private) and everything works fine. When I tested with the SDI server on the public LAN, I used the "Any In, Any Out" filter on public, but it did not change the error recvd. Do you know which filters specifically would need to be added if you want the SDI traffic to go across the public interface? Again I ask the question, though, that since this process is establishing a tunnel between the client and the VPN, how does the VPN communicate over the public LAN w/the SDI server (i.e., security)?

Any in/any out should allow it. Did you remove all the other rules? Why not just change it to the private filter on the public interface? You don't need to make any changes then. I'm still thinking that because you can ping it, which is a default rule for the public filter, that this might be a filter issue, but not sure. There is an event class in debugging for filter that might help if you turn that on. Your second question, I'd have to look for some information on that one, or maybe someone else. Aamir? Come on little buddy. I think it's through SSL, but that's a guess.

I guess I'm a bit surprised that the Cisco documentation doesn't cover this. I had removed all rules. I'll go back to the setup on the public LAN and check out and try a couple more things as you suggested. Thanks for the feedback.

Well, I re-set the SDI Server on the public network and changed the public interface filter to Any In, Any Out. The SDI server log never sees the request. The Concentrator log shows the following (IP Address is replaced with ): I even changed the default action for the filter to be "forward and log" to no avail. The key error is: "Unexpected SDI status value: 23" although I can ping the SDI server from the concentrator. Any other thoughts?

1 11/22/2002 15:28:48.420 SEV=8 AUTHDBG/1 RPT=8

AUTH_Open() returns 7

2 11/22/2002 15:28:48.420 SEV=7 AUTH/12 RPT=8

Authentication session opened: handle = 7

3 11/22/2002 15:28:48.420 SEV=8 AUTHDBG/3 RPT=12

AUTH_PutAttrTable(7, 8dad84)

4 11/22/2002 15:28:48.420 SEV=8 AUTHDBG/5 RPT=6

AUTH_Authenticate(7, 8f09b0, 6bb224)

5 11/22/2002 15:28:48.420 SEV=8 AUTHDBG/59 RPT=12

AUTH_BindServer(1e26910, 0, 0)

6 11/22/2002 15:28:48.420 SEV=9 AUTHDBG/69 RPT=12

Auth Server e40af4 has been bound to ACB 1e26910, sessions = 1

7 11/22/2002 15:28:48.420 SEV=8 AUTHDBG/65 RPT=12

AUTH_CreateTimer(1e26910, 0, 0)

8 11/22/2002 15:28:48.420 SEV=9 AUTHDBG/72 RPT=12

Reply timer created: handle = 3B0015

9 11/22/2002 15:28:48.420 SEV=8 AUTHDBG/179 RPT=12

AUTH_SyncToServer(1e26910, 0, 0)

10 11/22/2002 15:28:48.420 SEV=8 AUTHDBG/177 RPT=4

Sdi_init(1e26910)

11 11/22/2002 15:28:48.420 SEV=9 AUTHDBG/168 RPT=6

Ace Agent building time request pkt ...

12 11/22/2002 15:28:48.420 SEV=5 AUTH/63 RPT=7

No usable servers found, using default (idx: 0)

13 11/22/2002 15:28:48.420 SEV=5 AUTH/62 RPT=6

Load balancing retrying another server ...

14 11/22/2002 15:28:48.420 SEV=9 AUTHDBG/174 RPT=11

Ace Agent transmitting to server

15 11/22/2002 15:28:48.430 SEV=9 AUTHDBG/173 RPT=3

Ace Agent: load balancing initiating auto detection to server

16 11/22/2002 15:28:48.430 SEV=9 AUTHDBG/168 RPT=7

Ace Agent building time request pkt ...

17 11/22/2002 15:28:48.430 SEV=9 AUTHDBG/174 RPT=12

Ace Agent transmitting to server

18 11/22/2002 15:28:52.350 SEV=5 AUTH/63 RPT=8

No usable servers found, using default (idx: 0)

19 11/22/2002 15:28:52.350 SEV=5 AUTH/62 RPT=7

Load balancing retrying another server ...

20 11/22/2002 15:28:52.350 SEV=9 AUTHDBG/175 RPT=6

Retransmitting pkt to server , priority 0, idx 0

21 11/22/2002 15:28:52.350 SEV=9 AUTHDBG/174 RPT=13

Ace Agent transmitting to server

22 11/22/2002 15:28:52.350 SEV=9 AUTHDBG/175 RPT=7

Retransmitting pkt to server , priority 0, idx 0

23 11/22/2002 15:28:52.350 SEV=9 AUTHDBG/174 RPT=14

Ace Agent transmitting to server

24 11/22/2002 15:28:56.350 SEV=5 AUTH/78 RPT=4

Suspending server , idx 0, priority 0

25 11/22/2002 15:28:56.350 SEV=8 AUTHDBG/180 RPT=12

AUTH_SendLockReq(1e26910, 0, 0)

26 11/22/2002 15:28:56.350 SEV=8 AUTHDBG/178 RPT=4

Sdi_lock(1e26910)

27 11/22/2002 15:28:56.350 SEV=5 AUTH/44 RPT=4

Unexpected SDI status value: 23

28 11/22/2002 15:28:56.350 SEV=8 AUTHDBG/57 RPT=4

AUTH_Error(1e26910, 0, 0)

29 11/22/2002 15:28:56.350 SEV=8 AUTHDBG/66 RPT=12

AUTH_DeleteTimer(1e26910, 0, 0)

30 11/22/2002 15:28:56.350 SEV=9 AUTHDBG/74 RPT=12

Reply timer stopped: handle = 3B0015, timestamp = 330187

31 11/22/2002 15:28:56.350 SEV=8 AUTHDBG/58 RPT=12

AUTH_Callback(1e26910, 0, 0)

32 11/22/2002 15:28:56.350 SEV=4 AUTH/9 RPT=4

Authentication failed: Reason = Network error

handle = 7, server = , user = sditest

34 11/22/2002 15:28:56.350 SEV=8 AUTHDBG/2 RPT=8

AUTH_Close(7)

35 11/22/2002 15:28:56.350 SEV=8 AUTHDBG/60 RPT=12

AUTH_UnbindServer(1e26910, 0, 0)

36 11/22/2002 15:28:56.350 SEV=9 AUTHDBG/70 RPT=12

Auth Server e40af4 has been unbound from ACB 1e26910, sessions = 0

37 11/22/2002 15:28:56.350 SEV=8 AUTHDBG/10 RPT=8

AUTH_Int_FreeAuthCB(1e26910)

38 11/22/2002 15:28:56.350 SEV=7 AUTH/13 RPT=8

Authentication session closed: handle = 7
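As an added example (not part of this thread and not Cisco's or RSA's code), a small Python parser for the concentrator event log format posted above: it groups each header line with its message line(s), skips the terminal pager prompts, and pulls out the SDI status code and the failure reason, which is the triage check a defender would script when these logs pile up. The sample entries are copied from the post; the server IP field is blank because the poster removed it.

```python
import re

# Header of one VPN 3000 event log entry: "<seq> <date> <time> SEV=<n> <CLASS>/<id> RPT=<n>".
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d\d/\d\d/\d{4})\s+(?P<time>[\d:.]+)\s+"
    r"SEV=(?P<sev>\d+)\s+(?P<cls>[A-Z]+)/(?P<id>\d+)\s+RPT=(?P<rpt>\d+)$"
)
SDI_STATUS_RE = re.compile(r"Unexpected SDI status value: (\d+)")
FAIL_RE = re.compile(r"Authentication failed: Reason = (.+?)(?: handle = .*)?$")

# Sample entries copied from the log posted above (server IP blanked by the poster).
SAMPLE_LOG = """
24 11/22/2002 15:28:56.350 SEV=5 AUTH/78 RPT=4
Suspending server , idx 0, priority 0

27 11/22/2002 15:28:56.350 SEV=5 AUTH/44 RPT=4
Unexpected SDI status value: 23

'q' to Quit, '' to Continue ->

32 11/22/2002 15:28:56.350 SEV=4 AUTH/9 RPT=4
Authentication failed: Reason = Network error
handle = 7, server = , user = sditest
"""


def parse_events(text):
    """Group each header line with its message line(s); drop blanks and pager prompts."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("'q' to Quit"):
            continue
        m = HEADER_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["seq"], ev["sev"] = int(ev["seq"]), int(ev["sev"])
            ev["msg"] = []
            events.append(ev)
        elif events:  # continuation line belonging to the current entry
            events[-1]["msg"].append(line)
    for ev in events:
        ev["msg"] = " ".join(ev["msg"])
    return events


def auth_failures(events):
    """Return (SDI status codes seen, reasons of failed authentications) from AUTH-class events."""
    auth = [e["msg"] for e in events if e["cls"] == "AUTH"]
    codes = [int(m.group(1)) for m in map(SDI_STATUS_RE.search, auth) if m]
    reasons = [m.group(1) for m in map(FAIL_RE.search, auth) if m]
    return codes, reasons
```

Running `auth_failures(parse_events(SAMPLE_LOG))` on the sample yields the status code 23 and the reason "Network error" that the poster singled out.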