ASA-active directory agent problem

fredy.maizelev
Level 1

Hi all!

I'm trying to configure the user identity feature on my ASA and there isn't a real debugging document, so hopefully you can help me.

I've configured my AD agent on a server; the installation went well and I'm able to see users from the AD server.

I've configured the ASA with the IP address of the AD server and I'm able to reach the server via LDAP. The problem is in the configuration of the connection to the AD client via RADIUS (my ASA is 10.2.16.110 and the AD client is configured on 10.2.16.169). I do have IP connectivity between the two, and I can see in the Wireshark capture that I opened on the server that I do receive RADIUS sessions from my ASA, but according to the ASA debug the server response timed out....

I'm attaching the debug of the ASA and some relevant commands from the AD client; hopefully someone can give me a tip.

The ASA debug:

---------------------

arsed packet data.....

Radius: Code = 1 (0x01)

Radius: Identifier = 44 (0x2C)

Radius: Length = 87 (0x0057)

Radius: Vector: A0591EFFCC152A1BB891F6F764CD8293

Radius: Type = 1 (0x01) User-Name

Radius: Length = 3 (0x03)

Radius: Value (String) =

20                                                 |  

Radius: Type = 26 (0x1A) Vendor-Specific

Radius: Length = 40 (0x28)

Radius: Vendor ID = 9 (0x00000009)

Radius: Type = 1 (0x01) Cisco-AV-pair

Radius: Length = 34 (0x22)

Radius: Value (String) =

65 6e 74 69 74 79 2d 61 74 74 72 3a 63 6e 74 6c    |  entity-attr:cntl

3a 6b 65 65 70 2d 61 6c 69 76 65 3d 74 72 75 65    |  :keep-alive=true

Radius: Type = 4 (0x04) NAS-IP-Address

Radius: Length = 6 (0x06)

Radius: Value (IP Address) = 10.2.16.110 (0x0A02106E)

Radius: Type = 80 (0x50) Message-Authenticator

Radius: Length = 18 (0x12)

Radius: Value (String) =

1b c0 0b 2e 52 7a 56 eb c5 b8 80 93 b9 e5 5b 71    |  ....RzV.......[q

send pkt 10.2.16.169/1645

RADIUS_SENT:server response timeout

RADIUS_DELETE

remove_req 0xce7bce7c session 0x3b id 44

free_rip 0xce7bce7c

radius: send queue empty

The AD client config:

---------------------------------

c:\IBF\CLI>adacfg client list

Name     IP/Range

-------- --------------

asa-lab2 10.2.16.110/32

c:\IBF\CLI>adacfg client status

Subscribed-IP Sync-Status

------------- -----------

The ASA config:

-------------------------

aaa-server AD-agent-16.169 (inside) host 10.2.16.169

retry-interval 4

key *****

radius-common-pw *****

no mschapv2-capable

fredy
