10-21-2008 07:41 AM
I have configured my ASA5520 to have VPN clients authenticate to an RSA server. The authentication is not working, the error message is: "Remote peer has failed user authentication..." Below is the relevant configuration:
aaa-server US protocol sdi
aaa-server US host 10.10.10.10
 retry-interval 2
 timeout 4
group-policy US-RA-VPN-POLICY internal
group-policy US-RA-VPN-POLICY attributes
 dns-server value 10.10.10.101
 vpn-tunnel-protocol IPSec
 address-pools value RA-VPN-POOL
tunnel-group US-TUNNEL_GROUP type remote-access
tunnel-group US-TUNNEL_GROUP general-attributes
 address-pool RA-VPN-POOL
 authentication-server-group US
 default-group-policy US-RA-VPN-POLICY
tunnel-group US-TUNNEL_GROUP ipsec-attributes
 pre-shared-key *
10-21-2008 06:52 PM
Hello Etienne,
From what I can see, your configuration looks good. When the user is not getting authenticated, what do you see on the SecurID server? Do you see the request coming from the ASA and SecurID responding to it, or do you not see the request at all?
Also, what is the version on the server? Please refer to the URL below for some information on SDI server versions and the ASA.
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/aaa.html#wp1053066
Regards,
Arul
** Please rate if it helps **
10-22-2008 04:38 AM
It appears that the ASA might not be passing the request at all. There is a firewall between the ASA and the server. But the ACL that allows UDP port 5500 is not being hit.
10-22-2008 06:00 AM
I enabled debug sdi and below is its output. Could someone assist with this?
In sdi_ioctl
sdi mkreq: 0x58
sip_lookup: sip with id 88 not found
alloc_sip 0xc8849684
new request 0x58 --> 0 (0xc8849684)
New SIP state: SDI_NEW (loc 1344)
add_req 0xc8849684 session 0x58 id 13
init_ace_server: handle 4157417602, server_id 129, server_addr 10.10.10.10, sess_id 88
New SIP state: SDI_WAIT_INIT_RESP (loc 985)
In sdi_callback: handle 4157417602, error code 1, sdi_status 0, sess_id 88, state: 1
New SIP state: SDI_WAIT_LOCK_RESP (loc 998)
In sdi_callback: handle 4157417602, error code 1, sdi_status 0, sess_id 88, state: 2
New SIP state: SDI_ERROR (loc 1026)
New SIP state: SDI_DELETE (loc 1131)
remove_req 0xc8849684 session 0x58 id 13
free_sip 0xc8849684
sdi: send queue empty
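As an added example (not code from the thread), a small Python parser for the debug sdi output above: it tracks the SIP state transitions and reports in which phase the first failing callback arrived, so an init-phase failure (the pattern in this thread, resolved by registering the ASA on the RSA server) is told apart from a later one. The phase names come from the debug lines; the agent-host and UDP/5500 checks come from this thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the key lines of the 'debug sdi' output posted above.
SAMPLE_DEBUG = """\
init_ace_server: handle 4157417602, server_id 129, server_addr 10.10.10.10, sess_id 88
New SIP state: SDI_WAIT_INIT_RESP (loc 985)
In sdi_callback: handle 4157417602, error code 1, sdi_status 0, sess_id 88, state: 1
New SIP state: SDI_WAIT_LOCK_RESP (loc 998)
In sdi_callback: handle 4157417602, error code 1, sdi_status 0, sess_id 88, state: 2
New SIP state: SDI_ERROR (loc 1026)
New SIP state: SDI_DELETE (loc 1131)
"""

STATE_RE = re.compile(r"New SIP state: (\w+)")
CALLBACK_RE = re.compile(r"In sdi_callback: .*?error code (\d+), sdi_status (\d+)")

@dataclass
class SdiTrace:
    states: list = field(default_factory=list)     # SIP states in the order they were entered
    callbacks: list = field(default_factory=list)  # (state when received, error code, sdi_status)

def parse_debug_sdi(text):
    """Record each state transition and the callbacks that arrived while in that state."""
    trace = SdiTrace()
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            trace.states.append(m.group(1))
            continue
        m = CALLBACK_RE.search(line)
        if m:
            current = trace.states[-1] if trace.states else "SDI_NEW"
            trace.callbacks.append((current, int(m.group(1)), int(m.group(2))))
    return trace

def diagnose(trace):
    """Return (phase, explanation) for the first failing callback, or ('ok', ...) if none failed."""
    if not trace.states:
        return ("no-activity", "no SDI state changes: the request never reached the SDI module")
    for state, err, _status in trace.callbacks:
        if err != 0:
            if state == "SDI_WAIT_INIT_RESP":
                return ("init-failed", f"error code {err} while waiting for the RSA server's init "
                        "response: check that the ASA is registered as an agent host on the "
                        "RSA Authentication Manager and that UDP/5500 to it is reachable")
            return (state, f"error code {err} received in state {state}")
    if "SDI_ERROR" in trace.states:
        return ("error", "SDI_ERROR reached without a failing callback")
    return ("ok", "no SDI error recorded")

if __name__ == "__main__":
    print(diagnose(parse_debug_sdi(SAMPLE_DEBUG)))
```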
10-23-2008 08:55 AM
The problem turned out to be that the ASA was not added to the RSA Authentication Manager.
Thanks,
10-23-2008 09:06 AM
Etienne,
Thanks for the update. I am sure this will help someone who is running into a similar issue.
Regards,
Arul