Direct Authentication Problem (Might be SSL related)

mitchell helton
Level 1

*SOLVED*

-After upgrading from 8.4(3) to 8.4(7)23 it started working.  There must have been a bug with the version of code we were running.

Hey folks!

I'm trying to do direct authentication on a 5510 and running into some problems.  It works in another area of our network with a 5505, and I have a suspicion it's SSL related, but I'm not sure.  I'm hoping you experts can shed some light on this.  :)

When I try to authenticate against the ASA to start the direct authentication process, I get presented with a certificate warning (expected), but when I tell it to proceed, it just keeps "spinning" and doesn't give me the login prompt - never returns a timeout or anything.  Here is the relevant config:

aaa authentication listener https UNTRUSTED port 3456 redirect

aaa authentication match DIRECT_AUTH_UNTRUSTED UNTRUSTED MY-RADIUS

access-list DIRECT_AUTH_UNTRUSTED extended permit tcp object-group UNTRUSTED_SUBNET any object-group HTTP_HTTPS_TCP
access-list DIRECT_AUTH_UNTRUSTED extended permit udp object-group UNTRUSTED_SUBNET object-group GOOGLE_DNS eq domain
access-list DIRECT_AUTH_UNTRUSTED extended permit tcp object-group UNTRUSTED_SUBNET host 10.0.240.1 eq 3456

Here is the output of show logg.  10.0.240.65 is the interface that is listening for direct authentication attempts and .66 is the client machine trying to get access:

HQ-FW1# show logg | inc 10.0.240.65
Nov 17 2015 16:54:17: %ASA-6-302014: Teardown TCP connection 6478 for LIMITED_ACCESS:10.0.240.66/6628 to identity:10.0.240.65/3456 duration 0:57:11 bytes 902 TCP Reset-I
Nov 17 2015 16:54:21: %ASA-6-302013: Built inbound TCP connection 6890 for LIMITED_ACCESS:10.0.240.66/7211 (10.0.240.66/7211) to identity:10.0.240.65/3456 (10.0.240.65/3456)
Nov 17 2015 16:54:21: %ASA-6-302014: Teardown TCP connection 6890 for LIMITED_ACCESS:10.0.240.66/7211 to identity:10.0.240.65/3456 duration 0:00:00 bytes 843 TCP Reset-I
Nov 17 2015 16:54:23: %ASA-6-302015: Built inbound UDP connection 6891 for LIMITED_ACCESS:10.0.240.66/68 (10.0.240.66/68) to identity:10.0.240.65/67 (10.0.240.65/67)
Nov 17 2015 16:54:25: %ASA-6-302013: Built inbound TCP connection 6893 for LIMITED_ACCESS:10.0.240.66/7216 (10.0.240.66/7216) to identity:10.0.240.65/3456 (10.0.240.65/3456)
Nov 17 2015 16:54:25: %ASA-6-302014: Teardown TCP connection 6893 for LIMITED_ACCESS:10.0.240.66/7216 to identity:10.0.240.65/3456 duration 0:00:00 bytes 843 TCP Reset-I
Nov 17 2015 16:54:25: %ASA-6-302013: Built inbound TCP connection 6894 for LIMITED_ACCESS:10.0.240.66/7217 (10.0.240.66/7217) to identity:10.0.240.65/3456 (10.0.240.65/3456)

Here is the output of show asp table socket:

HQ-FW1# show asp table sock

Protocol Socket Local Address Foreign Address State
SSL 0000869f 10.0.240.1:3456 0.0.0.0:* LISTEN
SSL 0001208f 10.0.240.65:3456 0.0.0.0:* LISTEN
SSL 0002087f 10.0.55.10:443 0.0.0.0:* LISTEN
SSL 0002b97f 10.255.255.22:443 0.0.0.0:* LISTEN
TCP 000309ef 10.0.55.10:22 0.0.0.0:* LISTEN
TCP 0003f62f 10.255.255.22:22 0.0.0.0:* LISTEN
SSL 000ded8f 10.0.240.249:3456 0.0.0.0:* LISTEN
TCP 001a78f8 10.255.255.22:22 10.1.250.243:53275 ESTAB

For what it's worth, accessing the GUI over 443 works perfectly fine.  I'm not sure what other show or debug commands would be useful, but please let me know and I can provide them.

Thanks!!!

mitch
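An added example, not part of the original post and not Cisco's code: a small Python script that parses the show logging lines quoted above (message IDs 302013 and 302014) and pulls out the pattern visible in them, namely connections to the direct-auth listener port that the ASA tears down with "TCP Reset-I" after 0 seconds and a few hundred bytes, plus connections that were built and never torn down in the log window. The listener port 3456 comes from the config above; the thresholds max_seconds and max_bytes are assumed heuristics for "TLS handshake opened and abandoned", not Cisco values.

```python
import re

# Sample input: the show logging lines from the post above, copied verbatim.
SAMPLE_LOG = """\
Nov 17 2015 16:54:17: %ASA-6-302014: Teardown TCP connection 6478 for LIMITED_ACCESS:10.0.240.66/6628 to identity:10.0.240.65/3456 duration 0:57:11 bytes 902 TCP Reset-I
Nov 17 2015 16:54:21: %ASA-6-302013: Built inbound TCP connection 6890 for LIMITED_ACCESS:10.0.240.66/7211 (10.0.240.66/7211) to identity:10.0.240.65/3456 (10.0.240.65/3456)
Nov 17 2015 16:54:21: %ASA-6-302014: Teardown TCP connection 6890 for LIMITED_ACCESS:10.0.240.66/7211 to identity:10.0.240.65/3456 duration 0:00:00 bytes 843 TCP Reset-I
Nov 17 2015 16:54:23: %ASA-6-302015: Built inbound UDP connection 6891 for LIMITED_ACCESS:10.0.240.66/68 (10.0.240.66/68) to identity:10.0.240.65/67 (10.0.240.65/67)
Nov 17 2015 16:54:25: %ASA-6-302013: Built inbound TCP connection 6893 for LIMITED_ACCESS:10.0.240.66/7216 (10.0.240.66/7216) to identity:10.0.240.65/3456 (10.0.240.65/3456)
Nov 17 2015 16:54:25: %ASA-6-302014: Teardown TCP connection 6893 for LIMITED_ACCESS:10.0.240.66/7216 to identity:10.0.240.65/3456 duration 0:00:00 bytes 843 TCP Reset-I
Nov 17 2015 16:54:25: %ASA-6-302013: Built inbound TCP connection 6894 for LIMITED_ACCESS:10.0.240.66/7217 (10.0.240.66/7217) to identity:10.0.240.65/3456 (10.0.240.65/3456)
"""

# %ASA-6-302013: a TCP connection was built (inbound here: client side first).
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built inbound TCP connection (?P<conn>\d+) "
    r"for (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([^)]*\) "
    r"to (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
# %ASA-6-302014: teardown, which also carries duration, byte count and reason.
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn>\d+) "
    r"for (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def parse_tcp_events(log_text):
    """Index build and teardown events by ASA connection ID (UDP lines are skipped)."""
    built, torn = {}, {}
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            built[int(m["conn"])] = m.groupdict()
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["seconds"] = int(ev["h"]) * 3600 + int(ev["m"]) * 60 + int(ev["s"])
            ev["bytes"] = int(ev["bytes"])
            torn[int(ev["conn"])] = ev
    return built, torn


def find_reset_listener_connections(log_text, listener_port=3456,
                                    max_seconds=1, max_bytes=1500):
    """Teardowns toward the listener port with reason TCP Reset-I (reset from the
    inside, here the client side) after at most max_seconds and max_bytes.
    Thresholds are assumptions: a client that sends a ClientHello, gets a short
    answer and resets looks like this; a served login page would live longer and
    carry more data."""
    _, torn = parse_tcp_events(log_text)
    hits = []
    for conn, ev in sorted(torn.items()):
        if (int(ev["dst_port"]) == listener_port
                and ev["reason"].startswith("TCP Reset-I")
                and ev["seconds"] <= max_seconds
                and ev["bytes"] <= max_bytes):
            hits.append({"conn_id": conn, "client": ev["src_ip"],
                         "seconds": ev["seconds"], "bytes": ev["bytes"]})
    return hits


def find_dangling_connections(log_text, listener_port=3456):
    """Connections to the listener that were built but have no teardown in the
    window: the socket the browser is still spinning on."""
    built, torn = parse_tcp_events(log_text)
    return sorted(c for c, ev in built.items()
                  if int(ev["dst_port"]) == listener_port and c not in torn)


if __name__ == "__main__":
    for hit in find_reset_listener_connections(SAMPLE_LOG):
        print("conn {conn_id}: {client} reset after {seconds}s, {bytes} bytes".format(**hit))
    print("built but not torn down:", find_dangling_connections(SAMPLE_LOG))
```

On the lines from the post this flags connections 6890 and 6893 (0 seconds, 843 bytes each) and reports 6894 as still open, while 6478 (57 minutes, 902 bytes) is left alone; that is the shape of a client repeatedly opening the listener and giving up, not of a listener that is closed or filtered.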

3 Replies

nspasov
Cisco Employee

Good job on solving your own problem and also thank you for taking the time to come back and post the solution here!! 

Since your issue is resolved, you should mark the thread as "answered" :)

Believe it or not, I tried to do that but couldn't figure out how.  How can I mark this as resolved? :)

Hmm, I can't rate your initial comment either...(+5) on your second comment. It has been a while since I have posted so it looks like some things have changed. Perhaps a Security VIP can do that for us?
