Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1141
Views
5
Helpful
5
Replies

configuring RSA SID for VPN client with ASA5520

Tshi M
Level 5
Level 5

‎10-21-2008 07:41 AM

I have configured my ASA5520 to have VPN clients authenticate to an RSA server. The authentication is not working, the error message is: "Remote peer has failed user authentication..." Below is the relevant configuration:

aaa-server US protocol sdi

aaa-server US host 10.10.10.10

retry-interval 2

timeout 4

group-policy US-RA-VPN-POLICY internal

group-policy US-RA-VPN-POLICY attributes

dns-server value 10.10.10.101

vpn-tunnel-protocol IPSec

address-pools value RA-VPN-POOL

tunnel-group US-TUNNEL_GROUP type remote-access

tunnel-group US-TUNNEL_GROUP general-attributes

address-pool RA-VPN-POOL

authentication-server-group US

default-group-policy US-RA-VPN-POLICY

tunnel-group US-TUNNEL_GROUP ipsec-attributes

pre-shared-key *

Labels:
0 Helpful
5 Replies 5

ajagadee
Cisco Employee
Cisco Employee

‎10-21-2008 06:52 PM

Hello Etienne,

From what I can see, your configuration looks good. When the user is not getting authenticated, what do you see on the SecurID Server. Do you see the request coming from the ASA and SecurID responding to it or you dont see the request at all.

Also, what is the version on the server? Please refer the below URL for some information on SDI Server Version and ASA.

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/aaa.html#wp1053066

Regards,

Arul

** Please rate if it helps **

0 Helpful

Tshi M
Level 5
Level 5
In response to ajagadee

‎10-22-2008 04:38 AM

It appears that the ASA might not be passing the request at all. There is a firewall between the ASA and the server. But the ACL that allows UDP port 5500 is not being hit.

0 Helpful

Tshi M
Level 5
Level 5
In response to Tshi M

‎10-22-2008 06:00 AM

I enabled debug sdi and below is its output. Could someone assist with this?

In sdi_ioctl

sdi mkreq: 0x58

sip_lookup: sip with id 88 not found

alloc_sip 0xc8849684

new request 0x58 --> 0 (0xc8849684)

New SIP state: SDI_NEW (loc 1344)

add_req 0xc8849684 session 0x58 id 13

init_ace_server: handle 4157417602, server_id 129, server_addr 10.10.10.10, sess_id 88

New SIP state: SDI_WAIT_INIT_RESP (loc 985)

In sdi_callback: handle 4157417602, error code 1, sdi_status 0, sess_id 88, state: 1

New SIP state: SDI_WAIT_LOCK_RESP (loc 998)

In sdi_callback: handle 4157417602, error code 1, sdi_status 0, sess_id 88, state: 2

New SIP state: SDI_ERROR (loc 1026)

New SIP state: SDI_DELETE (loc 1131)

remove_req 0xc8849684 session 0x58 id 13

free_sip 0xc8849684

sdi: send queue empty

0 Helpful

Tshi M
Level 5
Level 5
In response to Tshi M

‎10-23-2008 08:55 AM

The problem turned out was the fact that the ASA was not added to the RSA authentication manager.

Thanks,

ajagadee
Cisco Employee
Cisco Employee
In response to Tshi M

‎10-23-2008 09:06 AM

Etienne,

Thanks for the update. I am sure this will help someone who is running into a similar issue.

Regards,

Arul

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents