cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2604
Views
0
Helpful
7
Replies

User-identity inactivity

noc-cville
Level 1
Level 1

I am in the testing phase of configuring my ASA for user-identity.  I have ldap setup and working along with the ad-agent.  I can create and successfully use policies based upon user-id logon etc.  My problem is the firewall user database marks me as inactive very quickly, if I leave the pc idle for 10 mins or so.  The only way to gain access again is by logging off the computer and logging back on.  I have turned off the inactivity check box in the asa configuration.  Are there any other timers that could be affecting this?  I can't go to production with the unreliability of this.  When I turn on debugging for the AD agent in the firewall I get this message....

idfw_proc[0]: [ADAGENT] send QUERY(10.30.196.10/1) to 10.11.1.203

idfw_proc[0]: [ADAGENT] query 10.30.196.10 failed: RADIUS_REJECT (22)

                  

idfw_proc[0]: [ADAGENT] send QUERY(10.30.196.10/1) to 10.11.1.203

idfw_proc[0]: [ADAGENT] query 10.30.196.10 failed: RADIUS_REJECT (22)

7 Replies 7

Jatin Katyal
Cisco Employee
Cisco Employee

How did you monitor the active/inactive time window?

Are you using this command?

show user-identity user inactive

As per my reading, To expire the user identity of IP addresses, by default the ASA removes the user identity from an IP address if there is no activity from the IP address for 60 minutes based on the following configuration:

user-identity inactive-user-timer minutes 60

Note: Inactivity timeout will only remove user-ip from ASA, and ASA will not notify AD agent about it.

Jatin Katyal


- Do rate helpful posts -

~Jatin

I have been monitoring it through the ASDM.  I disabled the inactive timer under the identity options in the ASDM.  The test user if idle for about 15 mins gets listed in the ASDM as inactive.

Hi Mark,

I am experiencing the same issue. I noticed that I only experience the issue on my workstation and not when I'm logged onto some other workstation. Further investigation led me to find out that the problem only exists on my workstation when I have Outlook opened, which is connected to an Exchange account. If Outlook is closed there is no problem.

Take a look at the output that I get when I run these commands immediately after locking and unlocking my PC, while Outlook is running. Note that I did change the output to use generic names and IP addresses.

     # sh user-identity ip-of-user DOMAINNAME\Username

     DOMAINNAME\192.168.1.1 (Login)

     # sh user-identity user-of-ip 192.168.1.1

     DOMAINNAME\Username (Login)

Around 10-15 minutes later, I am no longer active because my username changes to my email address.

     # sh user-identity ip-of-user DOMAINNAME\Username

     DOMAINNAME\192.168.1.1 (Inactive)

     # sh user-identity user-of-ip 192.168.1.1

     DOMAINNAME\Username@myemaildomain.com (Login)

I'm curious to know if this is the same cause of your problem.

If anyone has ideas on how to prevent the username change in this case please let me know.

Regards,


Jason

I looked into what you are seeing.  I don't get the same results.  After about ten minutes I just get listed as inactive.  If I do sh user-identity user-of-ip 10.30.196.10 . I just get Error" no user with this ip address.

In ASDM in the Identity Options section, is the option "Remove User IP When User's MAC Address Is Inconsistent" enabled? If so try disabling it. I had to disable it since some users including myself are logged onto multiple PCs at the same time, and that was causing us to get logged out.

-Jason

Mark,

What is the OS we have running on ad-agent server?

I am unsure if you've set Time duration on adagent after which logged-in user is marked as being logged-out  during the installation.

adacfg options set -userLogonTTL 3600

http://www.cisco.com/en/US/docs/security/ibf/setup_guide/ibf10_cmd_ref.html#wp1149291

Jatin Katyal

- Do rate helpful posts -

~Jatin

msonnie
Level 1
Level 1

I agree with Jatin on his conclusion regarding the USER Logon timer. Please do check that and do revert.

HTH.