8916 Views | 0 Helpful | 14 Replies

ASA-active directory agent problem

fredy.maizelev
Level 1

hi all!

I'm trying to configure the user identity feature on my ASA and there isn't a real debugging document, so hopefully you can help me.

I've configured my AD agent on a server. The installation went well and I'm able to see users from the AD server.

I've configured the ASA with the IP address of the AD server and I'm able to reach the server via LDAP. The problem is in the configuration of the connection to the AD client via RADIUS (my ASA is 10.2.16.110 and the AD client is configured on 10.2.16.169). I do have IP connectivity between the two, and I can see in the Wireshark that I've opened on the server that I do receive RADIUS sessions from my ASA, but according to the ASA debug the server response is timed out....

I'm attaching the debug of the ASA and some relevant commands from the AD client; hopefully someone can tip me..

the asa debug

---------------------

Parsed packet data.....

Radius: Code = 1 (0x01)

Radius: Identifier = 44 (0x2C)

Radius: Length = 87 (0x0057)

Radius: Vector: A0591EFFCC152A1BB891F6F764CD8293

Radius: Type = 1 (0x01) User-Name

Radius: Length = 3 (0x03)

Radius: Value (String) =

20                                                 |  

Radius: Type = 26 (0x1A) Vendor-Specific

Radius: Length = 40 (0x28)

Radius: Vendor ID = 9 (0x00000009)

Radius: Type = 1 (0x01) Cisco-AV-pair

Radius: Length = 34 (0x22)

Radius: Value (String) =

65 6e 74 69 74 79 2d 61 74 74 72 3a 63 6e 74 6c    |  entity-attr:cntl

3a 6b 65 65 70 2d 61 6c 69 76 65 3d 74 72 75 65    |  :keep-alive=true

Radius: Type = 4 (0x04) NAS-IP-Address

Radius: Length = 6 (0x06)

Radius: Value (IP Address) = 10.2.16.110 (0x0A02106E)

Radius: Type = 80 (0x50) Message-Authenticator

Radius: Length = 18 (0x12)

Radius: Value (String) =

1b c0 0b 2e 52 7a 56 eb c5 b8 80 93 b9 e5 5b 71    |  ....RzV.......[q

send pkt 10.2.16.169/1645

RADIUS_SENT:server response timeout

RADIUS_DELETE

remove_req 0xce7bce7c session 0x3b id 44

free_rip 0xce7bce7c

radius: send queue empty

the ad client config:

---------------------------------

c:\IBF\CLI>adacfg client list

Name     IP/Range

-------- --------------

asa-lab2 10.2.16.110/32

c:\IBF\CLI>adacfg client status

Subscribed-IP Sync-Status

------------- -----------

the asa config

-------------------------

aaa-server AD-agent-16.169 (inside) host 10.2.16.169

retry-interval 4

key *****

radius-common-pw *****

no mschapv2-capable

fredy
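To make the debug dump above concrete, here is an added Python example (not from this thread or from Cisco) that rebuilds the 87-byte keep-alive Access-Request attribute by attribute and performs the Message-Authenticator check a RADIUS server does on receipt (RFC 2869). The shared secret is a constructed placeholder, since the real key is masked in the config; the example shows why a key mismatch presents as nothing more than "server response timeout": the server discards the request without answering.

```python
import hashlib
import hmac
import struct

# Constructed secret for the demonstration; the thread's real key is masked ("key *****").
SHARED_SECRET = b"constructed-demo-secret"
KEEPALIVE_AVPAIR = b"entity-attr:cntl:keep-alive=true"  # exactly as in the debug hex dump

def attr(atype, value):
    """One RADIUS attribute: Type, Length (2-byte header included), Value."""
    return bytes([atype, 2 + len(value)]) + value

def cisco_avpair(value):
    """Vendor-Specific (26) carrying Cisco (vendor 9) AV-pair (vendor type 1)."""
    return attr(26, struct.pack("!I", 9) + attr(1, value))

def build_keepalive_request(identifier, nas_ip, secret, authenticator):
    """Rebuild the Access-Request from the ASA debug: Code 1, User-Name " ", the
    keep-alive AV-pair, NAS-IP-Address and a Message-Authenticator (type 80).
    authenticator is the 16-byte "Radius: Vector" (random in real traffic)."""
    attrs = (attr(1, b" ")                                 # User-Name = 0x20
             + cisco_avpair(KEEPALIVE_AVPAIR)
             + attr(4, bytes(int(o) for o in nas_ip.split("."))))
    placeholder = attr(80, bytes(16))                      # zeroed while the HMAC is computed
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs) + 18) + authenticator
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + attr(80, mac)

def verify_message_authenticator(packet, secret):
    """Server-side check (RFC 2869 section 5.14): HMAC-MD5 over the packet with the
    Message-Authenticator zeroed. A mismatch is discarded silently, which the ASA
    only ever sees as 'server response timeout'."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        return False
    pos, zeroed, seen = 20, bytearray(packet), None
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False                                   # malformed attribute list
        if atype == 80 and alen == 18:
            seen = packet[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += alen
    if seen is None:
        return False                                       # no Message-Authenticator present
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(seen, expected)
```

Feeding the identifier (44) and NAS-IP-Address (10.2.16.110) from the dump reproduces the attribute lengths shown there (3, 40, 6, 18, total 87), so the request the ASA sends is well formed; a silent timeout therefore points at the listener or the key, not at the packet.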

14 Replies

andamani
Cisco Employee

Hi Fredy,

Please send the output of the following:

sh run aaa

sh run aaa-server

Kindly enable the following debugs

deb aaa authen

deb radius

Kindly run the following command and let me know the results:

test aaa authen host

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Tim Schneider
Level 1

Same problem here.

@Anisha: You can't run test aaa authen on an AD-Agent server group:

ciscoasa/pri(config)# test aaa-server authen adagent host x.x.x.x

ERROR: This test is not supported for AD agent server groups.

I'm at a loss here, I can't explain why the AD Agent found the ASA and lists it inside the adacfg client list, but the ASA keeps spamming the log with %ASA-3-3746005.

debug user-identity ad-agent gives me spamming of KEEPALIVE packets sent to the AD-Agent.

nathanfink
Level 1

Having the exact same issue and the firewall is disabled on the DC the adagent is installed on. I can authenticate via LDAP, pull user names and groups and even create acl's with the user names...

however the test aaa-server ad-agent adagent against the DC with the adagent on it fails with

ERROR: Ad-agent Server not responding: No error

and the adacfg client status shows as being blank

Tim Schneider
Level 1

Wasn't able to fix this yet. Hopefully next week when I'm attending a lab from Cisco I'm able to clear up some things here.

Still not working. Tried this on another machine with Windows 2008, still no AD Agent connectivity...

Hi all,

Are there any other applications or services on the server that act as a RADIUS server? This is not supported since we cannot change the hard-coded port the AD Agent's RADIUS server listens on.

Do you see the AD Agent listening on UDP/1645 in the output of 'netstat -anb | more' on the Windows command prompt?

If you're still having trouble after this it would be a good idea to open a TAC case and have this investigated.

-Mike

Tim Schneider wrote:

Still not working. Tried this on another machine with Windows 2008, still no AD Agent connectivity...

What are you using on the AD server as the radius client?

I've just done a Radius server using the built-in Windows services and it works fine - my ASA config isn't much different to yours.

I basically followed this

http://fixingit.wordpress.com/2009/09/08/using-windows-server-2008-as-a-radius-server-for-a-cisco-asa/

document - maybe it'll help you out also.

Cheers.

Setup information ASDM 6.4 and ASA 5505 with IOS 8.4.3.  Radius server running Windows 2008 R2.

I also received the same error message when I test the Radius server group from ASDM:

ERROR: Ad-agent Server not responding: No error

I have made the following change on my AAA Radius Server Group setting to fix the issue:

configuration > remote access vpn > aaa/local users > aaa server groups

edit radius server group

uncheck enable active directory agent mode

apply and test.

libriskz
Level 1

Maybe it's a bug... (Ethernet interface or ASA)

You need to locate the Agent in the DMZ interface

Cheers.

hvdhelm
Level 1

Try to disable MSCHAPv2 support on the AAA-server config.

Did anyone figure this out yet?

I am having a similar problem:

test aaa-server ad-agent adagent

Server IP Address or name: 10.5.55.36

INFO: Attempting Ad-agent test to IP address <10.5.55.36> (timeout: 12 seconds)

ERROR: Ad-agent Server not responding: No response from server

sh run aaa-server

aaa-server AD protocol ldap

aaa-server AD (inside) host 10.5.55.36

server-port 389

ldap-base-dn DC=tagltd,DC=com

ldap-scope subtree

ldap-login-password *****

ldap-login-dn cn=aduser,cn=Users,dc=tagltd,dc=com

server-type microsoft

aaa-server adagent protocol radius

ad-agent-mode

aaa-server adagent (inside) host 10.5.55.36

key *****

# sh run aaa

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authentication http console LOCAL

aaa authentication enable console LOCAL

in the event log of the domain controller, I see:

"the user account domain cannot be accessed"

the server is Windows 2003 and it is not R2. I am using the built-in radius function.

Parsed packet data.....

Radius: Code = 1 (0x01)

Radius: Identifier = 77 (0x4D)

Radius: Length = 87 (0x0057)

Radius: Vector: D42E1169F2C9F06E94CCA6183D3BE1CD

Radius: Type = 1 (0x01) User-Name

Radius: Length = 3 (0x03)

Radius: Value (String) =

20                                                 |  

Radius: Type = 26 (0x1A) Vendor-Specific

Radius: Length = 40 (0x28)

Radius: Vendor ID = 9 (0x00000009)

Radius: Type = 1 (0x01) Cisco-AV-pair

Radius: Length = 34 (0x22)

Radius: Value (String) =

65 6e 74 69 74 79 2d 61 74 74 72 3a 63 6e 74 6c    |  entity-attr:cntl

3a 6b 65 65 70 2d 61 6c 69 76 65 3d 74 72 75 65    |  :keep-alive=true

Radius: Type = 4 (0x04) NAS-IP-Address

Radius: Length = 6 (0x06)

Radius: Value (IP Address) = 10.5.2.1 (0x0A050201)

Radius: Type = 80 (0x50) Message-Authenticator

Radius: Length = 18 (0x12)

Radius: Value (String) =

4c 4f 9b 9d 7f 73 96 37 cc 81 16 d9 d8 61 95 be    |  LO..s.7.....a..

send pkt 10.5.55.36/1645

RADIUS_SENT:server response timeout

RADIUS_DELETE

remove_req 0x00007fffa3e3ead8 session 0x40000634 id 75

free_rip 0x00007fffa3e3ead8

'I am using the built-in radius function'

Which built-in RADIUS function are you using? IAS from Windows 2003?

In that case the ports 1812 and 1813 are already taken by the RADIUS services from IAS.

The AD-agent is a small radius server by itself.

This is a common problem with SBS installations.
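Mike's earlier suggestion (check 'netstat -anb' for a listener on UDP/1645) and the IAS point above can be turned into a repeatable check. The following Python example is added here and is not from the thread or from Cisco: it parses the Windows netstat output (the sample is constructed; on Windows 2003/2008, IAS/NPS binds 1812, 1813, 1645 and 1646 by default) and reports who owns the RADIUS ports. The AD Agent's process name is passed in as a parameter because the thread does not name it.

```python
import re

# Constructed sample of 'netstat -anb' output on a Windows 2003 server that also runs IAS.
# Windows prints each endpoint line followed by its owning service name and [process].
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  UDP    0.0.0.0:1645           *:*
  IAS
 [svchost.exe]
  UDP    0.0.0.0:1812           *:*
  IAS
 [svchost.exe]
  UDP    0.0.0.0:1813           *:*
  IAS
 [svchost.exe]
"""

RADIUS_UDP_PORTS = (1645, 1646, 1812, 1813)   # 1645 is the hard-coded AD Agent port
ENDPOINT = re.compile(r"^\s*(TCP|UDP)\s+(\S+?):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return (proto, local_addr, port, owner) tuples; owner joins the service/process lines."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENDPOINT.match(line)
        if m:
            current = [m.group(1), m.group(2), int(m.group(3)), []]
            entries.append(current)
        elif current is not None and line.strip():
            current[3].append(line.strip().strip("[]"))   # e.g. "IAS" then "svchost.exe"
    return [(p, a, port, "/".join(owner) or "unknown") for p, a, port, owner in entries]

def radius_port_report(text, expected_agent_process):
    """Map RADIUS UDP ports to owners; flag 1645 not held by the agent or any other RADIUS bind."""
    owners = {port: owner for proto, _addr, port, owner in parse_netstat(text)
              if proto == "UDP" and port in RADIUS_UDP_PORTS}
    problems = []
    if 1645 not in owners:
        problems.append("nothing is listening on UDP/1645: the AD Agent service is not up")
    elif expected_agent_process.lower() not in owners[1645].lower():
        problems.append(f"UDP/1645 is held by {owners[1645]}, not the AD Agent")
    for port in (1646, 1812, 1813):                        # any other RADIUS service on the host
        if port in owners:
            problems.append(f"another RADIUS service ({owners[port]}) is bound on UDP/{port}")
    return owners, problems
```

On the sample the report shows IAS (inside svchost.exe) holding 1645 as well as 1812/1813, which is exactly the unsupported co-location described above; a clean host shows only the agent process on 1645.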

Thanks for your reply!

If there are two domain controllers, would it work if we remove IAS from one of them and configure the AD agent there?

I don't have access to the controllers so I was hoping I could get some feedback before making that recommendation.

Yes you can ..

But ... You don't have to install the AD-Agent on a domain controller! You can install it on any member server.

Cisco has a perfect howto: http://www.cisco.com/en/US/docs/security/ibf/setup_guide/ibf10_install.html
