06-06-2011 06:42 AM - edited 03-11-2019 01:42 PM
Hi everyone,
I have a little problem with my ASA 5510 version 8.2(1) with an IAS RADIUS server for strong authentication.
I have configured a double authentication for my client to access the SSL portal:
The IAS server is declared on a W2K3 server and it's standard.
The problem I have is that after more than 24 hours of inactivity, when I try to log in, my authentication fails the first time, and then the other tries work fine as long as I use it within a period of 24 hours.
I first thought about the timeout, so I tried to set a "timeout" of 15 seconds for the AD and IAS servers and a "retry interval" of 3 seconds, but it doesn't change much.
Do you have an idea? Is there a tool/option in the ASA to check connectivity with the RADIUS server every 1h, for example?
Thanks
06-06-2011 07:57 AM
The problem I have is that after more than 24 hours of inactivity, when I try to log in, my authentication fails the first time, and then the other tries work fine as long as I use it within a period of 24 hours.
Which authentication is failing? Is it the AD authentication or the RADIUS w/ security token? Prior to the failure, what is the status of the servers? You can run "show aaa-server" to find out. Also, what is your reactivation-mode set to?
Also, I would check the debugs to see why the authentication is failing. You can also check the logs on the server to see if the server is rejecting the connection.
Is there a tool/option in the ASA to check connectivity with the RADIUS server every 1h, for example?
No. You could set up a script to log in and use the "test aaa-server authentication" command periodically. But this should not be necessary. I would recommend troubleshooting the root cause rather than trying to mask the problem with workarounds.
Thanks,
Brendan
06-06-2011 08:21 AM
It's the RADIUS that fails on the first authentication.
My RADIUS and AD servers are in two different aaa-server groups.
My RADIUS server has reactivation mode: depletion
Dead time: 10 minutes
Timeout: 15s
Retry interval: 5s
My RADIUS SERVER:
Server port: 1645(authentication), 1646(accounting)
Number of pending requests 0
Average round trip time 1897ms
Number of authentication requests 24
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 11
Number of accepts 12
Number of rejects 8
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 4
Number of unrecognized responses 0
My AD SERVER:
Server port: 0
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 1779
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 1682
Number of rejects 97
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0
In the logs it's the same message, "authentication failed". It does the same thing when a bad password is entered.
There is another RADIUS server in another group that uses the same ports, 1645 (authentication) and 1646 (accounting); can it cause a problem? (This server is not used.)
I'll check "test aaa-server authentication" tomorrow.
Thanks
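An added example, not from this thread or from Cisco: a small Python script that parses the RADIUS counters pasted above (copied here as constructed sample input) and flags the signs Brendan asked about (timeouts, retransmissions, bad authenticators, slow round trips). The thresholds are assumptions; the same parser can be run over any "show aaa-server" server block.

```python
import re

# Constructed sample: the RADIUS server block from the "show aaa-server"
# output pasted in the thread above, counters copied as shown there.
SAMPLE_RADIUS = """\
Server port: 1645(authentication), 1646(accounting)
Number of pending requests 0
Average round trip time 1897ms
Number of authentication requests 24
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 11
Number of accepts 12
Number of rejects 8
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 4
Number of unrecognized responses 0
"""

# Matches "Number of <name> <int>" and "Average <name> <int>ms" lines.
COUNTER_RE = re.compile(r"^(?:Number of|Average) (.+?) (\d+)(ms)?$", re.M)


def parse_counters(text):
    """Map each counter name to an int, e.g. {'timeouts': 4, 'round trip time': 1897}."""
    return {name: int(value) for name, value, _unit in COUNTER_RE.findall(text)}


def assess(counters, max_rtt_ms=1000, max_timeout_ratio=0.05):
    """Return a list of findings for one server block; an empty list means it looks healthy.
    Thresholds are assumptions chosen for illustration, not ASA defaults."""
    findings = []
    auth = counters.get("authentication requests", 0)
    timeouts = counters.get("timeouts", 0)
    retrans = counters.get("retransmissions", 0)
    rtt = counters.get("round trip time", 0)
    if counters.get("bad authenticators", 0):
        # Response Authenticator check failed: usually a shared-secret mismatch.
        findings.append("bad authenticators seen: check the RADIUS shared secret")
    if rtt > max_rtt_ms:
        findings.append(f"average round trip time {rtt}ms exceeds {max_rtt_ms}ms")
    if auth and timeouts / auth > max_timeout_ratio:
        findings.append(f"{timeouts} of {auth} authentication requests timed out")
    if retrans:
        findings.append(f"{retrans} requests had to be retransmitted")
    return findings


if __name__ == "__main__":
    for line in assess(parse_counters(SAMPLE_RADIUS)) or ["server looks healthy"]:
        print(line)
```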
06-06-2011 09:58 AM
In the logs it's the same message, "authentication failed". It does the same thing when a bad password is entered.
Which logs? The ASA logs or the RADIUS server logs? If the server is failing the authentication, then we need to know why. I'd run a packet capture on the server and make sure the token is being sent correctly. Wireshark should be able to decode the RADIUS packets if you use the shared secret key.
There is another RADIUS server in another group that uses the same ports, 1645 (authentication) and 1646 (accounting); can it cause a problem? (This server is not used.)
If the other server is in a different aaa group, then that configuration shouldn't be relevant. You should see in the "show aaa-server" output that no auth requests are being sent to that server.
Thanks,
Brendan
06-07-2011 06:26 AM
It's in the RADIUS server logs that I've seen that the authentication failed. What is the CLI command, or the option in ASDM, to see the RADIUS log on the ASA? By the way, my RADIUS server is on VMware; do you think that might cause a problem? (Maybe when you don't share any data for a while, VMware does something...)
The idea of Wireshark is good, I'll try that as soon as I can.
Thanks