configuring RSA SID for VPN client with ASA5520

Oct 21st, 2008

I have configured my ASA5520 to have VPN clients authenticate to an RSA server. The authentication is not working, the error message is: "Remote peer has failed user authentication..." Below is the relevant configuration:

aaa-server US protocol sdi
aaa-server US host 10.10.10.10
 retry-interval 2
 timeout 4
group-policy US-RA-VPN-POLICY internal
group-policy US-RA-VPN-POLICY attributes
 dns-server value 10.10.10.101
 vpn-tunnel-protocol IPSec
 address-pools value RA-VPN-POOL
tunnel-group US-TUNNEL_GROUP type remote-access
tunnel-group US-TUNNEL_GROUP general-attributes
 address-pool RA-VPN-POOL
 authentication-server-group US
 default-group-policy US-RA-VPN-POLICY
tunnel-group US-TUNNEL_GROUP ipsec-attributes
 pre-shared-key *
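As an added example (not part of the original post and not Cisco's own tooling), the Python script below reads the ASA configuration above and cross-checks that every name the tunnel-group references is actually defined: the aaa-server group and its protocol and host, the default group-policy, and the address pool. It assumes the snippet above is the whole relevant configuration, so the missing "ip local pool RA-VPN-POOL" line is reported as a warning rather than an error. For an SDI group it also emits an informational finding, because the one thing the ASA configuration cannot show is whether the ASA is registered as an agent host on the RSA Authentication Manager, which is what the thread eventually identified as the cause.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: the ASA configuration posted in this thread, indented the
# way "show running-config" prints sub-mode commands.
SAMPLE_CONFIG = """\
aaa-server US protocol sdi
aaa-server US host 10.10.10.10
 retry-interval 2
 timeout 4
group-policy US-RA-VPN-POLICY internal
group-policy US-RA-VPN-POLICY attributes
 dns-server value 10.10.10.101
 vpn-tunnel-protocol IPSec
 address-pools value RA-VPN-POOL
tunnel-group US-TUNNEL_GROUP type remote-access
tunnel-group US-TUNNEL_GROUP general-attributes
 address-pool RA-VPN-POOL
 authentication-server-group US
 default-group-policy US-RA-VPN-POLICY
tunnel-group US-TUNNEL_GROUP ipsec-attributes
 pre-shared-key *
"""

Finding = Tuple[str, str]  # (severity, message)


def parse_asa_config(text: str) -> Dict[str, List[str]]:
    """Group each indented sub-mode command under the top-level command above it."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def check_remote_access_refs(sections: Dict[str, List[str]]) -> List[Finding]:
    """Verify that the names referenced from tunnel-group general-attributes resolve."""
    aaa_proto: Dict[str, str] = {}
    aaa_hosts: Dict[str, List[str]] = defaultdict(list)
    policies, pools = set(), set()
    for cmd in sections:
        if m := re.match(r"aaa-server (\S+) protocol (\S+)$", cmd):
            aaa_proto[m[1]] = m[2]
        elif m := re.match(r"aaa-server (\S+) host (\S+)", cmd):
            aaa_hosts[m[1]].append(m[2])
        elif m := re.match(r"group-policy (\S+) internal$", cmd):
            policies.add(m[1])
        elif m := re.match(r"ip local pool (\S+) ", cmd):
            pools.add(m[1])

    findings: List[Finding] = []
    for cmd, subs in sections.items():
        m = re.match(r"tunnel-group (\S+) general-attributes$", cmd)
        if not m:
            continue
        tg = m[1]
        for sub in subs:
            key, _, value = sub.partition(" ")
            if key == "authentication-server-group":
                if value not in aaa_proto:
                    findings.append(("error", f"{tg}: aaa-server group {value} is not defined"))
                elif not aaa_hosts[value]:
                    findings.append(("error", f"{tg}: aaa-server group {value} has no host"))
                elif aaa_proto[value] == "sdi":
                    # Registration of the ASA as an agent host lives on the RSA side;
                    # it is not visible in the ASA configuration, so only flag it.
                    hosts = ", ".join(aaa_hosts[value])
                    findings.append(("info", f"{tg}: group {value} is SDI; confirm this ASA "
                                             f"is an agent host on {hosts} (RSA Authentication Manager)"))
            elif key == "default-group-policy" and value not in policies:
                findings.append(("error", f"{tg}: group-policy {value} is not defined"))
            elif key == "address-pool" and value not in pools:
                findings.append(("warn", f"{tg}: ip local pool {value} is not in this snippet"))
    return findings


if __name__ == "__main__":
    for sev, msg in check_remote_access_refs(parse_asa_config(SAMPLE_CONFIG)):
        print(f"[{sev}] {msg}")
```

Run against the posted configuration it produces no errors, one warning for the pool that is not in the snippet, and the SDI registration reminder; a misspelled group name in authentication-server-group is reported as an error.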

ajagadee Tue, 10/21/2008 - 18:52

Hello Etienne,

From what I can see, your configuration looks good. When the user is not getting authenticated, what do you see on the SecurID server? Do you see the request coming from the ASA and SecurID responding to it, or don't you see the request at all?

Also, what is the version on the server? Please refer to the URL below for some information on SDI server versions and the ASA.

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/aaa.html#wp1053066

Regards,

Arul

** Please rate if it helps **

Tshi M Wed, 10/22/2008 - 04:38

It appears that the ASA might not be passing the request at all. There is a firewall between the ASA and the server, but the ACL that allows UDP port 5500 is not being hit.

Tshi M Wed, 10/22/2008 - 06:00

I enabled debug sdi and below is its output. Could someone assist with this?

In sdi_ioctl
sdi mkreq: 0x58
sip_lookup: sip with id 88 not found
alloc_sip 0xc8849684
new request 0x58 --> 0 (0xc8849684)
New SIP state: SDI_NEW (loc 1344)
add_req 0xc8849684 session 0x58 id 13
init_ace_server: handle 4157417602, server_id 129, server_addr 10.10.10.10, sess_id 88
New SIP state: SDI_WAIT_INIT_RESP (loc 985)
In sdi_callback: handle 4157417602, error code 1, sdi_status 0, sess_id 88, state: 1
New SIP state: SDI_WAIT_LOCK_RESP (loc 998)
In sdi_callback: handle 4157417602, error code 1, sdi_status 0, sess_id 88, state: 2
New SIP state: SDI_ERROR (loc 1026)
New SIP state: SDI_DELETE (loc 1131)
remove_req 0xc8849684 session 0x58 id 13
free_sip 0xc8849684
sdi: send queue empty
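As an added example (not from the thread and not a Cisco tool), the Python script below parses debug sdi output of the shape shown above and condenses it into the facts a reviewer wants first: which ACE server and session the ASA initialised, the sequence of SIP states, how many callbacks returned a non-zero error code, and the state the session was in when it fell into SDI_ERROR. The line formats and state names are taken exactly as they appear in the posted output; the script does not decode what error code 1 means, it only shows that the session never got past the init/lock exchange with the server, which is consistent with the root cause reported later in the thread (the ASA not being registered on the RSA Authentication Manager).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the debug sdi output posted in this thread, embedded so
# the script runs offline.
SAMPLE_DEBUG = """\
In sdi_ioctl
sdi mkreq: 0x58
sip_lookup: sip with id 88 not found
alloc_sip 0xc8849684
new request 0x58 --> 0 (0xc8849684)
New SIP state: SDI_NEW (loc 1344)
add_req 0xc8849684 session 0x58 id 13
init_ace_server: handle 4157417602, server_id 129, server_addr 10.10.10.10, sess_id 88
New SIP state: SDI_WAIT_INIT_RESP (loc 985)
In sdi_callback: handle 4157417602, error code 1, sdi_status 0, sess_id 88, state: 1
New SIP state: SDI_WAIT_LOCK_RESP (loc 998)
In sdi_callback: handle 4157417602, error code 1, sdi_status 0, sess_id 88, state: 2
New SIP state: SDI_ERROR (loc 1026)
New SIP state: SDI_DELETE (loc 1131)
remove_req 0xc8849684 session 0x58 id 13
free_sip 0xc8849684
sdi: send queue empty
"""

# Line shapes as they appear in the output above.
STATE_RE = re.compile(r"^New SIP state: (\S+) \(loc (\d+)\)")
CALLBACK_RE = re.compile(
    r"^In sdi_callback: handle (\d+), error code (\d+), sdi_status (\d+), "
    r"sess_id (\d+), state: (\d+)"
)
INIT_RE = re.compile(
    r"^init_ace_server: handle (\d+), server_id (\d+), server_addr (\S+), sess_id (\d+)"
)


@dataclass
class SdiSession:
    server_addr: Optional[str] = None
    sess_id: Optional[int] = None
    states: List[str] = field(default_factory=list)
    # (error code, sdi_status, numeric state) of each callback, in order seen
    callbacks: List[Tuple[int, int, int]] = field(default_factory=list)


def parse_debug_sdi(text: str) -> SdiSession:
    """Extract server, session id, state transitions and callback results."""
    sess = SdiSession()
    for line in text.splitlines():
        line = line.strip()
        if m := INIT_RE.match(line):
            sess.server_addr = m[3]
            sess.sess_id = int(m[4])
        elif m := STATE_RE.match(line):
            sess.states.append(m[1])
        elif m := CALLBACK_RE.match(line):
            sess.callbacks.append((int(m[2]), int(m[3]), int(m[5])))
    return sess


def summarize(sess: SdiSession) -> Dict[str, object]:
    """Reduce a parsed session to the facts needed to triage the failure."""
    reached_error = "SDI_ERROR" in sess.states
    before_error = None
    if reached_error:
        i = sess.states.index("SDI_ERROR")
        before_error = sess.states[i - 1] if i > 0 else None
    error_callbacks = sum(1 for code, _, _ in sess.callbacks if code != 0)
    return {
        "server": sess.server_addr,
        "sess_id": sess.sess_id,
        "state_path": " -> ".join(sess.states),
        "reached_error": reached_error,
        "last_state_before_error": before_error,
        "error_callbacks": error_callbacks,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_debug_sdi(SAMPLE_DEBUG)).items():
        print(f"{key}: {value}")
```

On the posted output the summary shows the session to 10.10.10.10 moving SDI_NEW -> SDI_WAIT_INIT_RESP -> SDI_WAIT_LOCK_RESP -> SDI_ERROR -> SDI_DELETE with two callbacks carrying error code 1, i.e. the failure happens while waiting on the server, before any user credential is evaluated; a capture that stops short of SDI_ERROR is reported as not having reached the error state rather than as a success.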

Tshi M Thu, 10/23/2008 - 08:55

The problem turned out to be that the ASA was not added to the RSA Authentication Manager.

Thanks,

ajagadee Thu, 10/23/2008 - 09:06

Etienne,

Thanks for the update. I am sure this will help someone who is running into a similar issue.

Regards,

Arul
