07-04-2011 05:59 AM - edited 03-11-2019 01:54 PM
Hi all!
I'm trying to configure the user identity feature on my ASA and there isn't a real debugging document, so hopefully you can help me.
I've configured my AD agent on a server; the installation went well and I'm able to see users from the AD server.
I've configured the ASA with the IP address of the AD server and I'm able to reach the server via LDAP. The problem is in the configuration of the connection to the AD client via RADIUS (my ASA is 10.2.16.110 and the AD client is configured on 10.2.16.169). I do have IP connectivity between the two, and I can see in the Wireshark capture that I've opened on the server that I do receive RADIUS sessions from my ASA, but according to the ASA debug the server response timed out....
I'm attaching the debug of the ASA and some relevant commands from the AD client; hopefully someone can give me a tip.
The ASA debug
---------------------
arsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 44 (0x2C)
Radius: Length = 87 (0x0057)
Radius: Vector: A0591EFFCC152A1BB891F6F764CD8293
Radius: Type = 1 (0x01) User-Name
Radius: Length = 3 (0x03)
Radius: Value (String) =
20 |
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 40 (0x28)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 34 (0x22)
Radius: Value (String) =
65 6e 74 69 74 79 2d 61 74 74 72 3a 63 6e 74 6c | entity-attr:cntl
3a 6b 65 65 70 2d 61 6c 69 76 65 3d 74 72 75 65 | :keep-alive=true
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.2.16.110 (0x0A02106E)
Radius: Type = 80 (0x50) Message-Authenticator
Radius: Length = 18 (0x12)
Radius: Value (String) =
1b c0 0b 2e 52 7a 56 eb c5 b8 80 93 b9 e5 5b 71 | ....RzV.......[q
send pkt 10.2.16.169/1645
RADIUS_SENT:server response timeout
RADIUS_DELETE
remove_req 0xce7bce7c session 0x3b id 44
free_rip 0xce7bce7c
radius: send queue empty
The AD client config:
---------------------------------
c:\IBF\CLI>adacfg client list
Name IP/Range
-------- --------------
asa-lab2 10.2.16.110/32
c:\IBF\CLI>adacfg client status
Subscribed-IP Sync-Status
------------- -----------
The ASA config
-------------------------
aaa-server AD-agent-16.169 (inside) host 10.2.16.169
retry-interval 4
key *****
radius-common-pw *****
no mschapv2-capable
fredy
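
The Access-Request in the debug above can be rebuilt offline to check whether a configured shared key reproduces its Message-Authenticator; per RFC 2869, a RADIUS server silently discards an Access-Request whose Message-Authenticator does not verify, and the sender sees only a timeout. This Python code is an added example, not part of the original post: it assumes the attributes are on the wire in the order the debug prints them, and the candidate key is a constructed placeholder because the real key is masked in the post.

```python
import hashlib
import hmac
import struct

# Fields copied from the ASA debug in the post; wire order is assumed to
# match the order in which the debug prints the attributes.
CODE, IDENT = 1, 44
REQ_AUTH = bytes.fromhex("A0591EFFCC152A1BB891F6F764CD8293")
MSG_AUTH = bytes.fromhex("1bc00b2e527a56ebc5b88093b9e55b71")
AV_PAIR = b"entity-attr:cntl:keep-alive=true"


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, length (header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(msg_auth: bytes = MSG_AUTH) -> bytes:
    """Rebuild the Access-Request shown in the debug output."""
    vsa = struct.pack("!I", 9) + attr(1, AV_PAIR)  # vendor ID 9, Cisco-AV-pair
    attrs = (
        attr(1, b"\x20")                      # User-Name (a single space)
        + attr(26, vsa)                       # Vendor-Specific
        + attr(4, bytes([10, 2, 16, 110]))    # NAS-IP-Address
        + attr(80, msg_auth)                  # Message-Authenticator
    )
    header = struct.pack("!BBH", CODE, IDENT, 20 + len(attrs)) + REQ_AUTH
    return header + attrs


def message_authenticator(secret: bytes, packet: bytes) -> bytes:
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed."""
    # Message-Authenticator is the last attribute here: its value is the final 16 bytes.
    return hmac.new(secret, packet[:-16] + bytes(16), hashlib.md5).digest()


def secret_matches(secret: bytes, packet: bytes) -> bool:
    """True if `secret` reproduces the Message-Authenticator carried in `packet`."""
    return hmac.compare_digest(message_authenticator(secret, packet), packet[-16:])


if __name__ == "__main__":
    pkt = build_request()
    print(len(pkt), "bytes rebuilt (debug reports Length = 87)")
    candidate = b"constructed-secret"  # placeholder; substitute the key configured on the agent
    print("candidate key matches:", secret_matches(candidate, pkt))
```
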