10-29-2008 01:52 PM
Hi All,
I am testing a RA VPN on an ASA which authenticates the user against an RSA server.
ASA:
***************************************
ip local pool remotevpn 192.168.120.10-192.168.120.240 mask 255.255.255.0
!
crypto ipsec transform-set RAUSER esp-aes esp-md5-hmac
!
crypto dynamic-map RADIAL 15 set transform-set RAUSER
!
crypto map RSNMAP 25 ipsec-isakmp dynamic RADIAL
!
access-list Local_LAN_Access remark VPN Client Local LAN Access
access-list Local_LAN_Access standard permit host 0.0.0.0
!
group-policy RAPOLICY internal
group-policy RAPOLICY attributes
vpn-idle-timeout 1440
vpn-session-timeout 1440
dns-server value 192.168.100.160 10.100.50.14
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_LAN_Access
default-domain value test.com
user-authentication-idle-timeout 1440
!
tunnel-group TEST type ipsec-ra
tunnel-group TEST general-attributes
address-pool remotevpn
authentication-server-group (outside) sdi
default-group-policy RAPOLICY
tunnel-group TEST ipsec-attributes
pre-shared-key 123456
!
aaa-server sdi protocol sdi
aaa-server sdi host 192.168.29.144
aaa-server sdi host 192.168.100.177
aaa-server sdi host 192.168.109.20
aaa-server sdi host 10.100.50.22
*********************************
Even though I added the ASA to the authentication manager on the RSA server, it is not letting me log in. Is there any key that needs to be added on the ASA for SDI?
Error message when ran test from the ASA:
"Authentication Server not responding: No error"
Thank you in advance
MS
11-03-2008 09:22 AM
Update:
There was something our server team was missing in the RSA server configs; it is all set now. But I just wanted to ask another question...
If I move the SDI server 10.100.50.22 to the top and move the primary server (192.168.29.144) to the end, e.g.:
aaa-server sdi protocol sdi
aaa-server sdi host 10.100.50.22
aaa-server sdi host 192.168.100.177
aaa-server sdi host 192.168.109.20
aaa-server sdi host 192.168.29.144
The users will not get authenticated until the ASA hits 192.168.29.144. Is this the normal behaviour? Can this behaviour be changed without promoting another backup server to primary?
Thank you in advance
MS
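The follow-up question is really about how the ASA walks its aaa-server host list: hosts in a server group are tried in the order configured, a host that fails to answer is marked failed and skipped, and the protocol-level settings decide how many misses it takes before a host is marked failed and when the ASA retries it. The fragment below is an added example, not part of the original thread and not a fix supplied by anyone in it. It reuses the group name and addresses from the post, but the interface name `(inside)`, the timeout and retry values, and the `vpnuser` test account are assumptions chosen for illustration.

```cisco
! Added example: per-group failure-detection settings for the SDI server group.
! Values below are illustrative assumptions, not the poster's configuration.
aaa-server sdi protocol sdi
 ! after this many consecutive unanswered requests a host is marked failed
 max-failed-attempts 3
 ! depletion: keep skipping a failed host until all hosts have failed,
 ! then reactivate them after the dead time (10 minutes here)
 reactivation-mode depletion deadtime 10
!
! Hosts are tried top to bottom; each host can carry its own timeout and retry interval
aaa-server sdi (inside) host 192.168.29.144
 timeout 10
 retry-interval 10
aaa-server sdi (inside) host 192.168.100.177
 timeout 10
 retry-interval 10
aaa-server sdi (inside) host 192.168.109.20
aaa-server sdi (inside) host 10.100.50.22
!
! Verify each host from the ASA without waiting for a user to fail (assumed test account):
! test aaa-server authentication sdi host 192.168.29.144 username vpnuser password <passcode>
! show aaa-server sdi
```

Two things are worth checking with this in place. First, `show aaa-server sdi` reports each host's state (ACTIVE or FAILED) and its request counters, which is the quickest way to confirm whether a host lower in the list is being skipped because the one above it never answers or because it answers with a rejection; only an unanswered request moves the ASA to the next host, a rejection from a responding server ends the attempt. Second, the `test aaa-server` command exercises one host at a time, so running it against each address in turn shows which of the four RSA servers actually have the ASA registered as an agent before the list order is changed.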