05-03-2013 05:52 AM - edited 03-10-2019 08:23 PM
I am in the testing phase of configuring my ASA for user-identity. I have ldap setup and working along with the ad-agent. I can create and successfully use policies based upon user-id logon etc. My problem is the firewall user database marks me as inactive very quickly, if I leave the pc idle for 10 mins or so. The only way to gain access again is by logging off the computer and logging back on. I have turned off the inactivity check box in the asa configuration. Are there any other timers that could be affecting this? I can't go to production with the unreliability of this. When I turn on debugging for the AD agent in the firewall I get this message....
idfw_proc[0]: [ADAGENT] send QUERY(10.30.196.10/1) to 10.11.1.203
idfw_proc[0]: [ADAGENT] query 10.30.196.10 failed: RADIUS_REJECT (22)
idfw_proc[0]: [ADAGENT] send QUERY(10.30.196.10/1) to 10.11.1.203
idfw_proc[0]: [ADAGENT] query 10.30.196.10 failed: RADIUS_REJECT (22)
05-03-2013 06:06 AM
How did you monitor the active/inactive time window?
Are you using this command?
show user-identity user inactive
As per my reading, to expire the user identity of IP addresses, by default the ASA removes the user identity from an IP address if there is no activity from the IP address for 60 minutes, based on the following configuration:
user-identity inactive-user-timer minutes 60
Note: The inactivity timeout will only remove the user-IP mapping from the ASA, and the ASA will not notify the AD agent about it.
Jatin Katyal
- Do rate helpful posts -
05-03-2013 06:12 AM
I have been monitoring it through the ASDM. I disabled the inactive timer under the identity options in the ASDM. The test user if idle for about 15 mins gets listed in the ASDM as inactive.
05-06-2013 07:28 AM
Hi Mark,
I am experiencing the same issue. I noticed that I only experience the issue on my workstation and not when I'm logged onto some other workstation. Further investigation led me to find out that the problem only exists on my workstation when I have Outlook opened, which is connected to an Exchange account. If Outlook is closed there is no problem.
Take a look at the output that I get when I run these commands immediately after locking and unlocking my PC, while Outlook is running. Note that I did change the output to use generic names and IP addresses.
# sh user-identity ip-of-user DOMAINNAME\Username
DOMAINNAME\192.168.1.1 (Login)
# sh user-identity user-of-ip 192.168.1.1
DOMAINNAME\Username (Login)
Around 10-15 minutes later, I am no longer active because my username changes to my email address.
# sh user-identity ip-of-user DOMAINNAME\Username
DOMAINNAME\192.168.1.1 (Inactive)
# sh user-identity user-of-ip 192.168.1.1
DOMAINNAME\Username@myemaildomain.com (Login)
I'm curious to know if this is the same cause of your problem.
If anyone has ideas on how to prevent the username change in this case please let me know.
Regards,
Jason
05-08-2013 08:11 AM
I looked into what you are seeing. I don't get the same results. After about ten minutes I just get listed as inactive. If I do sh user-identity user-of-ip 10.30.196.10, I just get "Error: no user with this ip address".
05-08-2013 08:19 AM
In ASDM in the Identity Options section, is the option "Remove User IP When User's MAC Address Is Inconsistent" enabled? If so try disabling it. I had to disable it since some users including myself are logged onto multiple PCs at the same time, and that was causing us to get logged out.
-Jason
05-06-2013 08:24 AM
Mark,
What OS is running on the AD agent server?
I am unsure whether you've set the time duration on the AD agent after which a logged-in user is marked as logged out during the installation.
adacfg options set -userLogonTTL 3600
http://www.cisco.com/en/US/docs/security/ibf/setup_guide/ibf10_cmd_ref.html#wp1149291
Jatin Katyal
- Do rate helpful posts -
05-08-2013 01:26 PM
I agree with Jatin on his conclusion regarding the USER Logon timer. Please do check that and do revert.
HTH.
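As an added example that is not part of the thread: the settings the replies above point at (the ASA inactivity timer, the MAC-mismatch action Jason disabled in ASDM, and the AD Agent logon TTL Jatin mentioned), collected as CLI together with the commands used to verify them. The `no` forms of the ASA commands, the `show` commands and the `adacfg ... list` commands are taken from the ASA 8.4/9.x and AD Agent command references as I recall them and should be checked against your version; the IP address is the one from Mark's debug output.

```cisco
! --- ASA side (configuration mode) ---
! Default behaviour Jatin quoted: drop a user-IP mapping after 60 idle minutes.
user-identity inactive-user-timer minutes 60
! What Mark described doing in ASDM: disable the ASA-side idle check entirely
! (no form assumed from the command reference).
no user-identity inactive-user-timer
! What Jason turned off: ASDM "Remove User IP When User's MAC Address Is Inconsistent".
no user-identity action mac-address-mismatch remove-user-ip

! --- ASA side (verification, run again after the 10-15 minute idle period) ---
show running-config | include user-identity
show user-identity user inactive
show user-identity user-of-ip 10.30.196.10
show user-identity ad-agent
! If the mapping still disappears with both ASA settings off, the ASA timers are
! not the cause; look at the agent's logon TTL and the query debug next.

rem --- AD Agent host (Windows command prompt, from the agent's bin directory) ---
rem Logon TTL in seconds after which the agent marks a user logged out (Jatin's command).
adacfg options set -userLogonTTL 3600
adacfg options list
rem Is this ASA registered as a client, and is the user-IP entry still in the agent's cache?
rem (cache list assumed from the command reference)
adacfg client list
adacfg cache list
```

Run the ASA `show` commands once right after logon and once after the idle period, and compare with `adacfg cache list` on the agent at the same two points: a mapping that is gone on the ASA but still present on the agent points at an ASA-side setting, while one that is gone on both points at the agent side.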