07-04-2011 05:59 AM - edited 03-11-2019 01:54 PM
hi all!
I'm trying to configure the user identity feature on my ASA and there isn't a real debugging document, so hopefully you can help me.
I've configured my AD agent on a server; the installation went well and I'm able to see users from the AD server.
I've configured the ASA with the IP address of the AD server and I'm able to reach the server via LDAP. The problem is in the configuration of the connection to the
AD client via RADIUS (my ASA is 10.2.16.110 and the AD client is configured on 10.2.16.169). I do have IP connectivity between the two and I can see in the Wireshark that I've opened on the server that I do receive RADIUS sessions from my ASA, but according to the ASA debug the server response is timed out....
I'm attaching the debug of the ASA and some relevant commands from the AD client; hopefully someone can give me a tip..
The ASA debug
---------------------
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 44 (0x2C)
Radius: Length = 87 (0x0057)
Radius: Vector: A0591EFFCC152A1BB891F6F764CD8293
Radius: Type = 1 (0x01) User-Name
Radius: Length = 3 (0x03)
Radius: Value (String) =
20 |
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 40 (0x28)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 34 (0x22)
Radius: Value (String) =
65 6e 74 69 74 79 2d 61 74 74 72 3a 63 6e 74 6c | entity-attr:cntl
3a 6b 65 65 70 2d 61 6c 69 76 65 3d 74 72 75 65 | :keep-alive=true
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.2.16.110 (0x0A02106E)
Radius: Type = 80 (0x50) Message-Authenticator
Radius: Length = 18 (0x12)
Radius: Value (String) =
1b c0 0b 2e 52 7a 56 eb c5 b8 80 93 b9 e5 5b 71 | ....RzV.......[q
send pkt 10.2.16.169/1645
RADIUS_SENT:server response timeout
RADIUS_DELETE
remove_req 0xce7bce7c session 0x3b id 44
free_rip 0xce7bce7c
radius: send queue empty
The AD client config:
---------------------------------
c:\IBF\CLI>adacfg client list
Name IP/Range
-------- --------------
asa-lab2 10.2.16.110/32
c:\IBF\CLI>adacfg client status
Subscribed-IP Sync-Status
------------- -----------
The ASA config
-------------------------
aaa-server AD-agent-16.169 (inside) host 10.2.16.169
retry-interval 4
key *****
radius-common-pw *****
no mschapv2-capable
fredy
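As an added example that is not part of this thread: a small Python script that rebuilds the keepalive Access-Request shown in the debug above byte for byte (code 1, identifier 44, the 16-byte authenticator, User-Name " ", Cisco-AV-pair entity-attr:cntl:keep-alive=true, NAS-IP-Address 10.2.16.110, Message-Authenticator), parses it back while checking every length field, and verifies the Message-Authenticator against a shared secret. The secret used here is a constructed placeholder, since the real key is masked in the config.

```python
import hashlib
import hmac
import socket
import struct
CISCO_VENDOR_ID = 9
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 26: "Vendor-Specific", 80: "Message-Authenticator"}

def build_attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value  # Type, Length incl. header, Value (RFC 2865)

def build_keepalive(identifier: int, authenticator: bytes, nas_ip: str, secret: bytes) -> bytes:
    # Access-Request carrying the four attributes the ASA debug shows in its AD Agent keepalive
    vsa = struct.pack("!I", CISCO_VENDOR_ID) + build_attr(1, b"entity-attr:cntl:keep-alive=true")
    attrs = (build_attr(1, b" ")                       # User-Name: a single space (0x20)
             + build_attr(26, vsa)                     # Cisco-AV-pair inside a Vendor-Specific attribute
             + build_attr(4, socket.inet_aton(nas_ip))
             + build_attr(80, bytes(16)))              # Message-Authenticator, zeroed for the HMAC
    pkt = struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs
    # RFC 2869: HMAC-MD5 keyed with the shared secret over the packet with the MA zeroed
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def parse(pkt: bytes) -> dict:
    # Decode header and attributes, rejecting length fields that disagree with the bytes received
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("length field %d does not match %d bytes on the wire" % (length, len(pkt)))
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        val, name = pkt[pos + 2:pos + alen], ATTR_NAMES.get(atype, atype)
        if atype == 26:  # vendor id, then the vendor's own type/length/value
            vendor, vtype, vlen = struct.unpack("!IBB", val[:6])
            attrs.append((name, vendor, vtype, val[6:4 + vlen].decode()))
        elif atype == 4:
            attrs.append((name, socket.inet_ntoa(val)))
        else:
            attrs.append((name, val.decode() if atype == 1 else val.hex()))
        pos += alen
    return {"code": code, "id": ident, "length": length, "authenticator": pkt[4:20].hex().upper(), "attrs": attrs}

def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    # True only if the Message-Authenticator was computed with this shared secret (RFC 2869)
    pos = 20
    while pos + 1 < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if atype == 80 and alen == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[pos + 2:pos + 18])
        pos += max(alen, 2)
    return False
```

Recomputing the Message-Authenticator over a captured keepalive with the key configured on the agent side is one way to rule a mismatched shared secret in or out before looking at port conflicts.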
07-04-2011 07:57 PM
Hi Fredy,
Please send the output of the following:
sh run aaa
sh run aaa-server
Kindly enable the following debugs
deb aaa authen
deb radius
Kindly run the following command and let me know the results:
test aaa authen
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
07-29-2011 04:07 AM
Same problem here.
@Anisha: You can't run test aaa authen on AD-Agent server groups:
ciscoasa/pri(config)# test aaa-server authen adagent host x.x.x.x
ERROR: This test is not supported for AD agent server groups.
I'm at a loss here. I can't explain why the AD Agent found the ASA and lists it inside the adacfg client list, but the ASA keeps spamming the log with %ASA-3-3746005.
debug user-identity ad-agent gives me spamming of KEEPALIVE packets sent to the AD-Agent.
08-02-2011 02:26 PM
Having the exact same issue, and the firewall is disabled on the DC the adagent is installed on. I can authenticate via LDAP, pull user names and groups and even create ACLs with the user names...
However, the test aaa-server ad-agent adagent against the DC with the adagent on it fails with
ERROR: Ad-agent Server not responding: No error
and the adacfg client status shows as being blank
09-13-2011 02:04 AM
Wasn't able to fix this yet. Hopefully next week when I'm attending a lab from Cisco I'm able to clear up some things here.
11-10-2011 06:12 AM
Still not working. Tried this on another machine with Windows 2008, still no AD Agent connectivity...
11-10-2011 08:54 AM
Hi all,
Are there any other applications or services on the server that act as a RADIUS server? This is not supported since we cannot change the hard-coded port the AD Agent's RADIUS server listens on.
Do you see the AD Agent listening on UDP/1645 in the output of 'netstat -anb | more' on the Windows command prompt?
If you're still having trouble after this it would be a good idea to open a TAC case and have this investigated.
-Mike
11-10-2011 08:42 PM
Tim Schneider wrote:
Still not working. Tried this on another machine with Windows 2008, still no AD Agent connectivity...
What are you using on the AD server as the radius client?
I've just done a Radius server using the built-in Windows services and it works fine - my ASA config isn't much different to yours.
I basically followed this document - maybe it'll help you out also.
Cheers.
04-01-2012 11:44 PM
Setup information ASDM 6.4 and ASA 5505 with IOS 8.4.3. Radius server running Windows 2008 R2.
I also received the same error message when I test the Radius server group from ASDM:
ERROR: Ad-agent Server not responding: No error
I have made the following change on my AAA Radius Server Group setting to fix the issue:
configuration > remote access vpn > aaa/local users > aaa server groups
edit radius server group
uncheck enable active directory agent mode
apply and test.
05-19-2012 04:12 AM
Maybe it's a bug...(Ethernet interface or ASA)
You need to locate the Agent in the DMZ interface
Cheers.
11-27-2012 05:58 AM
Try to disable MSCHAPv2 support on the AAA-server config.
07-11-2013 08:28 PM
Did anyone figure this out yet?
I am having a similar problem:
test aaa-server ad-agent adagent
Server IP Address or name: 10.5.55.36
INFO: Attempting Ad-agent test to IP address <10.5.55.36> (timeout: 12 seconds)
ERROR: Ad-agent Server not responding: No response from server
sh run aaa-server
aaa-server AD protocol ldap
aaa-server AD (inside) host 10.5.55.36
server-port 389
ldap-base-dn DC=tagltd,DC=com
ldap-scope subtree
ldap-login-password *****
ldap-login-dn cn=aduser,cn=Users,dc=tagltd,dc=com
server-type microsoft
aaa-server adagent protocol radius
ad-agent-mode
aaa-server adagent (inside) host 10.5.55.36
key *****
# sh run aaa
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
in the event log of the domain controller, I see:
"the user account domain cannot be accessed"
The server is Windows 2003 and it is not R2. I am using the built-in radius function.
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 77 (0x4D)
Radius: Length = 87 (0x0057)
Radius: Vector: D42E1169F2C9F06E94CCA6183D3BE1CD
Radius: Type = 1 (0x01) User-Name
Radius: Length = 3 (0x03)
Radius: Value (String) =
20 |
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 40 (0x28)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 34 (0x22)
Radius: Value (String) =
65 6e 74 69 74 79 2d 61 74 74 72 3a 63 6e 74 6c | entity-attr:cntl
3a 6b 65 65 70 2d 61 6c 69 76 65 3d 74 72 75 65 | :keep-alive=true
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.5.2.1 (0x0A050201)
Radius: Type = 80 (0x50) Message-Authenticator
Radius: Length = 18 (0x12)
Radius: Value (String) =
4c 4f 9b 9d 7f 73 96 37 cc 81 16 d9 d8 61 95 be | LO..s.7.....a..
send pkt 10.5.55.36/1645
RADIUS_SENT:server response timeout
RADIUS_DELETE
remove_req 0x00007fffa3e3ead8 session 0x40000634 id 75
free_rip 0x00007fffa3e3ead8
07-12-2013 12:54 AM
'I am using the built-in radius function'
Which built-in radius function are you using? IAS from Windows 2003?
In that case the ports 1812 and 1813 are already taken by the radius services from IAS.
The AD-agent is a small radius server by itself.
This is a common problem with SBS installations.
07-12-2013 06:35 AM
Thanks for your reply!
If there are two domain controllers, would it work if we remove IAS from one of them and configure the AD agent there?
I don't have access to the controllers so I was hoping I could get some feedback before making that recommendation.
07-12-2013 06:42 AM
Yes you can ..
But ... You don't have to install the AD-Agent on a domain controller! You can install it on any member server.
Cisco has a perfect howto: http://www.cisco.com/en/US/docs/security/ibf/setup_guide/ibf10_install.html