ASA server IAS first authentication failed

Hi everyone,

I have a little problem with my ASA 5510 version 8.2(1) with an IAS RADIUS server for strong authentication.

I have configured a double authentication for my client to access SSL portal:

  • First authentication: AD server
  • Secondary authentication: IAS for my token SAFENET ALADDIN

The server IAS is declared on a W2K3 and it's standard.

The problem I have is that after more than 24 hours of non-use, when I try to log in, my authentication fails the first time, and then the other tries work fine as long as I use it within a period of 24 hours.

I first thought about the timeout, so I tried to set a "timeout" of 15 seconds for the AD and IAS servers and a "retry interval" of 3 seconds, but it doesn't change much.

Do you have an idea? Is there a tool/option in the ASA to check connectivity with the RADIUS server every hour, for example?

Thanks

4 Replies

brquinn
Level 1
The problem I have is that after more than 24 hours of non-use, when I try to log in, my authentication fails the first time, and then the other tries work fine as long as I use it within a period of 24 hours.

Which authentication is failing? Is it the AD authentication or the Radius w/ security token? Prior to the failure, what is the status of the servers? You can run "show aaa-server" to find out. Also, what is your reactivation-mode set to?

Also, I would check the debugs to see why the authentication is failing. You can also check the logs on the server to see if the server is rejecting the connection.

Is there a tool/option in the ASA to check connectivity with the RADIUS server every hour, for example?

No. You could setup a script to login and use the "test aaa-server authentication" command periodically. But this should not be necessary. I would recommend troubleshooting the root cause rather than trying to mask the problem with workarounds.

Thanks,

Brendan

It's the RADIUS that failed on the first authentication.

My radius and AD servers are in two different aaa-server-group.

My RADIUS server has reactivation mode: depletion
Dead time: 10 minutes
Timeout: 15s
Retry interval: 5s


My RADIUS SERVER:

Server port:  1645(authentication), 1646(accounting)
Number of pending requests  0
Average round trip time   1897ms
Number of authentication requests 24
Number of authorization requests 0
Number of accounting requests  0
Number of retransmissions  11
Number of accepts   12
Number of rejects   8
Number of challenges   0
Number of malformed responses  0
Number of bad authenticators  0
Number of timeouts   4
Number of unrecognized responses 0


My AD SERVER:

Server port:  0
Number of pending requests  0
Average round trip time   0ms
Number of authentication requests 1779
Number of authorization requests 0
Number of accounting requests  0
Number of retransmissions  0
Number of accepts   1682
Number of rejects   97
Number of challenges   0
Number of malformed responses  0
Number of bad authenticators  0
Number of timeouts   0
Number of unrecognized responses 0

On the logs it's the same message as authentication failed. It does the same thing when a bad password is inserted.

There is another RADIUS SERVER in another group that uses the same ports 1645 (authentication), 1646 (accounting); can it cause a problem? (This server is not used.)

I'll check test aaa-server authentication tomorrow.

Thanks
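The two "show aaa-server" counter blocks above are the evidence Brendan asked for, and the interesting numbers are the 4 timeouts and 11 retransmissions on the RADIUS side against a clean AD side. The following is an added example, not code from the thread or from Cisco: a small Python parser for that counter format plus a triage function that turns the counters and the poster's configured timeout, retry interval and dead time into findings. The two sample blocks are constructed copies of the poster's output; the thresholds in assess() are our own.

```python
import re

# Constructed copies of the two "show aaa-server" statistics blocks quoted
# in the thread (the values are the poster's, the wrapping is ours).
RADIUS_STATS = """\
Server port:  1645(authentication), 1646(accounting)
Number of pending requests  0
Average round trip time   1897ms
Number of authentication requests 24
Number of authorization requests 0
Number of accounting requests  0
Number of retransmissions  11
Number of accepts   12
Number of rejects   8
Number of challenges   0
Number of malformed responses  0
Number of bad authenticators  0
Number of timeouts   4
Number of unrecognized responses 0
"""

AD_STATS = """\
Server port:  0
Number of pending requests  0
Average round trip time   0ms
Number of authentication requests 1779
Number of authorization requests 0
Number of accounting requests  0
Number of retransmissions  0
Number of accepts   1682
Number of rejects   97
Number of challenges   0
Number of malformed responses  0
Number of bad authenticators  0
Number of timeouts   0
Number of unrecognized responses 0
"""


def parse_aaa_server_stats(text):
    """Turn one server's counter block into a dict keyed by counter name."""
    stats = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Number of ([a-z ]+?)\s+(\d+)$", line)
        if m:
            stats[m.group(1).replace(" ", "_")] = int(m.group(2))
            continue
        m = re.match(r"Average round trip time\s+(\d+)ms$", line)
        if m:
            stats["avg_rtt_ms"] = int(m.group(1))
    return stats


def assess(stats, timeout_s, retry_interval_s, dead_time_min):
    """Return human-readable findings; an empty list means nothing stands out."""
    findings = []
    total = stats.get("authentication_requests", 0)
    if total == 0:
        return ["no authentication requests recorded for this server"]
    timeouts = stats.get("timeouts", 0)
    retrans = stats.get("retransmissions", 0)
    if timeouts:
        findings.append(f"{timeouts} of {total} authentication requests timed out "
                        f"({100 * timeouts / total:.0f}%) after {timeout_s}s")
    if retrans:
        findings.append(f"{retrans} retransmissions at a {retry_interval_s}s retry interval: "
                        "the server answered late or not at all")
    rtt = stats.get("avg_rtt_ms", 0)
    if rtt >= retry_interval_s * 1000:
        findings.append(f"average round trip {rtt}ms exceeds the retry interval, "
                        "so the ASA retransmits before a normal answer arrives")
    if timeouts and dead_time_min:
        findings.append(f"with reactivation-mode depletion and a {dead_time_min}-minute dead time, "
                        "check 'show aaa-server' for a FAILED state after each timeout")
    # These counters point at the shared secret or the server's client entry, not at latency.
    for counter in ("malformed_responses", "bad_authenticators", "unrecognized_responses"):
        if stats.get(counter):
            findings.append(f"{stats[counter]} {counter.replace('_', ' ')}: "
                            "check the shared secret and the server's RADIUS client entry")
    return findings


if __name__ == "__main__":
    for name, block in (("RADIUS", RADIUS_STATS), ("AD", AD_STATS)):
        print(name, assess(parse_aaa_server_stats(block), 15, 5, 10))
```

Run against the poster's numbers the RADIUS block yields three findings (timeouts, retransmissions, and the dead-time check) while the AD block yields none, which matches the poster's own observation that only the RADIUS leg fails; the timeout and retransmission counters are the ones to watch after the next 24-hour idle period.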

On the logs it's the same message as authentication failed. It does the same thing when a bad password is entered.

Which logs? The ASA logs or the Radius server logs? If the Server is failing the authentication, then we need to know why. I'd run a packet capture on the server and make sure the token is being sent correctly. Wireshark should be able to decode the radius packets if you use the shared secret key.

There is another RADIUS SERVER in another group that uses the same ports 1645 (authentication), 1646 (accounting); can it cause a problem? (This server is not used.)

If the other server is in a different aaa group, then that configuration shouldn't be relevant. You should see in the 'show aaa-server' output that no auth requests are being sent to that server.

Thanks,

Brendan
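Brendan's suggestion is to capture on the server and decode the RADIUS packets with the shared secret. The following is an added example, not code from the thread, from Cisco or from Microsoft: a minimal RADIUS codec in Python (RFC 2865 framing, User-Password hiding and the Response Authenticator) that builds an Access-Request carrying a token code, builds an Access-Reject with a valid Response Authenticator, and then decodes the pair the way a capture decoder holding the shared secret would. The shared secret, Request Authenticator, username and token code are constructed values; a real client uses 16 random bytes per request.

```python
import hashlib
import hmac
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18

# Constructed values for this demonstration only (not from the thread).
SECRET = b"demo-shared-secret"
REQUEST_AUTH = bytes(range(16))  # a real client uses 16 random bytes per request


def encrypt_user_password(password, request_auth, secret):
    """RFC 2865 User-Password hiding: XOR 16-byte blocks with a chained MD5 keystream."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    if not pw:
        pw = b"\x00" * 16  # the attribute is at least one block long
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += block
        prev = block  # next block is keyed on the previous ciphertext block
    return out


def decrypt_user_password(hidden, request_auth, secret):
    """Inverse of the above: what a decoder holding the shared secret recovers."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00").decode()


def encode_attrs(attrs):
    """Type(1) Length(1, counting the header) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_request(identifier, request_auth, username, password, secret):
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, encrypt_user_password(password, request_auth, secret)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body


def build_response(code, identifier, request_auth, attrs, secret):
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, identifier, 20 + len(body))
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body


def parse_packet(raw):
    """Split a RADIUS packet into header fields and a list of (type, value) attributes."""
    if len(raw) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = raw[pos], raw[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((a_type, raw[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "id": identifier, "authenticator": raw[4:20], "attrs": attrs}


def verify_response(raw_response, request_auth, secret):
    """Client-side check that the reply came from a holder of the shared secret."""
    expected = hashlib.md5(raw_response[:4] + request_auth + raw_response[20:] + secret).digest()
    return hmac.compare_digest(expected, raw_response[4:20])


def decode_exchange(request_raw, response_raw, secret):
    """Decoder's view of a request/reply pair: username, recovered password, verdict."""
    req = parse_packet(request_raw)
    attrs = dict(req["attrs"])
    resp = parse_packet(response_raw)
    return {
        "username": attrs[USER_NAME].decode(),
        "password": decrypt_user_password(attrs[USER_PASSWORD], req["authenticator"], secret),
        "response_code": resp["code"],
        "authentic": verify_response(response_raw, req["authenticator"], secret),
        "reply_message": dict(resp["attrs"]).get(REPLY_MESSAGE, b"").decode(),
    }


if __name__ == "__main__":
    req = build_request(7, REQUEST_AUTH, "jdoe", "123456tokencode", SECRET)
    rej = build_response(ACCESS_REJECT, 7, REQUEST_AUTH, [(REPLY_MESSAGE, b"bad token")], SECRET)
    print(decode_exchange(req, rej, SECRET))
```

Two things this makes concrete for the troubleshooting above: a capture decoder can only show the token the ASA actually sent if it is given the same shared secret the ASA uses, and a reply whose Response Authenticator fails verify_response() is exactly what the ASA counts under "bad authenticators", so a non-zero value there points at a secret mismatch rather than at the token.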

It's in the RADIUS server logs that I've seen that the authentication failed. What is the CLI command, or the ASDM option, to see the RADIUS log on the ASA? By the way, my RADIUS server is on VMWARE; do you think that might cause a problem? (Maybe when you don't share any data for a while, VMWARE does something...)

The idea of Wireshark is good, I'll try that as soon as I can.

Thanks
