Cisco ASA5505: web services unavailable through Identity Firewall

AnReykfi2
Level 1

Hello, everyone!

The bosses set the task of making sure that users log in via AD and get to the internet.

Given: a Cisco ASA 5505. The AD Agent is installed on the domain controller (it reports dc - up and client - up), and the ASA picks up user logins without problems.
IP addresses on the network are distributed by DHCP, which runs on the domain controller.
The essence of the problem is that after the user authenticates, the internet drops after a certain time. That is, the user logs on to the computer, opens the browser, opens a couple of sites, then after 5 to 7 minutes of inactivity the internet is no longer available. The internet comes back when the user re-logs in to the computer, or sometimes after turning off the "Local Area Connection" for 1 minute. Where should I dig?

The configuration on the ASA is as follows:

object-group user ACTIVE_ALLOW
 user-group DCU\\CASA61_Allow
 user DCU\User1
 user DCU\User2

access-list inside_access_in_1 extended permit ip object-group-user ACTIVE_ALLOW 192.168.1.0 255.255.255.0 any log debugging

aaa-server ADA protocol radius
 ad-agent-mode
 interim-accounting-update
 reactivation-mode depletion deadtime 1
 merge-dacl after-avpair
aaa-server ADA (inside) host dc61-01
 key *****
 radius-common-pw *****
 no mschapv2-capable
aaa-server AD protocol ldap
 reactivation-mode depletion deadtime 1
aaa-server AD (inside) host dc61-01
 ldap-base-dn dc=DCU,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=CISCOASA61,OU=Users_MC,dc=DCU,dc=local
 server-type microsoft
user-identity domain DCU aaa-server AD
user-identity domain DC61-01 aaa-server AD
user-identity default-domain DCU
user-identity action domain-controller-down DCU disable-user-identity-rule
no user-identity action mac-address-mismatch remove-user-ip
no user-identity inactive-user-timer
user-identity logout-probe netbios local-system probe-time minutes 60 retry-interval seconds 5 retry-count 5 match-any
user-identity poll-import-user-group-timer hours 12
user-identity ad-agent active-user-database full-download
user-identity ad-agent aaa-server ADA
user-identity user-not-found enable

While writing this message (20 min), I was thrown off the internet once.


Accepted Solution

Maykol Rojas
Cisco Employee

Hello;

Remove the NetBios Probes and see if the problem goes away.

Mike.

2 Replies

I removed the NetBIOS probes but the problem is not solved.

At the moment I have this configuration:

user-identity domain DOMAIN aaa-server AD
user-identity default-domain DOMAIN
user-identity action domain-controller-down DOMAIN disable-user-identity-rule
user-identity inactive-user-timer minutes 100
user-identity logout-probe netbios local-system probe-time minutes 60 retry-interval seconds 10 retry-count 10 user-not-needed
user-identity poll-import-user-group-timer hours 12
user-identity ad-agent active-user-database full-download
user-identity ad-agent hello-timer seconds 30 retry-times 15
user-identity ad-agent aaa-server ADA


The essence of the problem is that after the user logs in, the internet drops after a certain time. That is, the user logs on to the computer, opens the browser, opens a couple of sites, closes the browser, and then after 15 to 20 minutes of idle time, or immediately after the active internet sessions close, the internet becomes unavailable. The internet comes back when the user re-logs in to the computer.
I need it to determine accurately whether the user is still alive, so that even if he does not use the internet, just logs in and runs no active network sessions, then when he wants to get online or start any other internet or network session, the internet is accessible without re-authorization.

If I completely disable logout-probe netbios and inactive-user-timer, the internet generally becomes unavailable. Also, if I set the match-any parameter the internet connection is interrupted too, so I set the user-not-needed option.
What do I need to do for the Identity Firewall to work correctly and not kick users out?
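The two `user-identity` configurations posted in this thread differ in exactly the settings that decide when the ASA drops a user-to-IP mapping: the NetBIOS logout-probe mode and the inactive-user timer. The script below is an added example, not code from the thread or from Cisco; it parses both posted configurations (embedded as constructed samples, re-joining the command that the forum wrapped onto two lines) and reports the settings a reviewer would compare first. The finding texts paraphrase the documented meaning of the logout-probe keywords (`match-any`/`exact-match` require the probe response to name the mapped user; `user-not-needed` only requires that the client answer at all); the finding codes and the `parse_identity_config` function name are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed samples: the user-identity commands from the first post (V1) and the
# follow-up post (V2) of this thread. Only global user-identity commands are included.
CONFIG_V1 = """\
user-identity domain DCU aaa-server AD
user-identity domain DC61-01 aaa-server AD
user-identity default-domain DCU
user-identity action domain-controller-down DCU disable-user-identity-rule
no user-identity action mac-address-mismatch remove-user-ip
no user-identity inactive-user-timer
user-identity logout-probe netbios local-system probe-time minutes 60 retry-interval seconds 5 retry-count 5 match-any
user-identity poll-import-user-group-timer hours 12
user-identity ad-agent active-user-database full-download
user-identity ad-agent aaa-server ADA
user-identity user-not-found enable
"""

CONFIG_V2 = """\
user-identity domain DOMAIN aaa-server AD
user-identity default-domain DOMAIN
user-identity action domain-controller-down DOMAIN disable-user-identity-rule
user-identity inactive-user-timer minutes 100
user-identity logout-probe netbios local-system probe-time minutes 60
                     retry-interval seconds 10 retry-count 10 user-not-needed
user-identity poll-import-user-group-timer hours 12
user-identity ad-agent active-user-database full-download
user-identity ad-agent hello-timer seconds 30 retry-times 15
user-identity ad-agent aaa-server ADA
"""

PROBE_RE = re.compile(
    r"^user-identity logout-probe netbios local-system"
    r" probe-time minutes (\d+) retry-interval seconds (\d+) retry-count (\d+)"
    r"(?: (user-not-needed|match-any|exact-match))?$"
)

# Explanations for the finding codes produced by evaluate().
EXPLANATIONS = {
    "PROBE_MODE_STRICT": "NetBIOS probe response must name the mapped user; a client "
                         "that answers without that name is logged out (the thread "
                         "reports match-any interrupting sessions, user-not-needed not).",
    "INACTIVE_TIMER_DISABLED": "Idle users are never aged out by the inactive timer, so "
                               "the probe result alone decides whether a quiet user stays.",
    "DEFAULT_DOMAIN_UNMAPPED": "default-domain has no 'user-identity domain ... aaa-server' line.",
    "NO_AD_AGENT_SERVER": "No 'user-identity ad-agent aaa-server' configured.",
}


@dataclass
class IdentitySettings:
    domains: Dict[str, str] = field(default_factory=dict)  # domain -> aaa-server tag
    default_domain: Optional[str] = None
    inactive_timer_minutes: Optional[int] = None           # None when not configured
    inactive_timer_disabled: bool = False                  # "no user-identity inactive-user-timer"
    probe: Optional[dict] = None                           # parsed logout-probe command, if any
    ad_agent_server: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def join_wrapped_lines(text: str) -> List[str]:
    """Re-join a command the forum wrapped onto an indented second line.
    Valid here because the samples hold only top-level commands, so an indented
    line is a wrap, not an ASA sub-mode command."""
    lines: List[str] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def evaluate(s: IdentitySettings) -> List[str]:
    """Derive finding codes from the parsed settings (codes are this example's own)."""
    findings: List[str] = []
    if s.probe and s.probe["mode"] in ("match-any", "exact-match"):
        findings.append(f"PROBE_MODE_STRICT:{s.probe['mode']}")
    if s.inactive_timer_disabled:
        findings.append("INACTIVE_TIMER_DISABLED")
    if s.default_domain and s.default_domain not in s.domains:
        findings.append("DEFAULT_DOMAIN_UNMAPPED")
    if s.ad_agent_server is None:
        findings.append("NO_AD_AGENT_SERVER")
    return findings


def parse_identity_config(text: str) -> IdentitySettings:
    """Parse the global user-identity commands of an ASA configuration."""
    s = IdentitySettings()
    for line in join_wrapped_lines(text):
        if m := re.match(r"^user-identity domain (\S+) aaa-server (\S+)$", line):
            s.domains[m[1]] = m[2]
        elif m := re.match(r"^user-identity default-domain (\S+)$", line):
            s.default_domain = m[1]
        elif line == "no user-identity inactive-user-timer":
            s.inactive_timer_disabled = True
        elif m := re.match(r"^user-identity inactive-user-timer minutes (\d+)$", line):
            s.inactive_timer_minutes = int(m[1])
        elif m := PROBE_RE.match(line):
            s.probe = {"probe_time_min": int(m[1]), "retry_interval_s": int(m[2]),
                       "retry_count": int(m[3]), "mode": m[4]}  # mode None if omitted
        elif m := re.match(r"^user-identity ad-agent aaa-server (\S+)$", line):
            s.ad_agent_server = m[1]
    s.findings = evaluate(s)
    return s


if __name__ == "__main__":
    for label, cfg in (("first post", CONFIG_V1), ("follow-up", CONFIG_V2)):
        parsed = parse_identity_config(cfg)
        print(f"{label}: probe={parsed.probe} inactive_timer={parsed.inactive_timer_minutes}")
        for code in parsed.findings:
            print("  -", code, "->", EXPLANATIONS[code.split(':')[0]])
```

Run against the two posts, the first configuration yields the strict probe mode plus the disabled inactive timer, and the follow-up configuration yields no findings, which matches the poster's observation that `user-not-needed` stopped the immediate drops while the underlying idle-logout question remained.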
