ASA with 8.0.4 --> SDI authentication server reachability

mvsheik123
Level 7

Hi All,

I am testing a RA VPN with an ASA which authenticates the user with an RSA server.

ASA:

***************************************
ip local pool remotevpn 192.168.120.10-192.168.120.240 mask 255.255.255.0
!
crypto ipsec transform-set RAUSER esp-aes esp-md5-hmac
!
crypto dynamic-map RADIAL 15 set transform-set RAUSER
!
crypto map RSNMAP 25 ipsec-isakmp dynamic RADIAL
!
access-list Local_LAN_Access remark VPN Client Local LAN Access
access-list Local_LAN_Access standard permit host 0.0.0.0
!
group-policy RAPOLICY internal
group-policy RAPOLICY attributes
 vpn-idle-timeout 1440
 vpn-session-timeout 1440
 dns-server value 192.168.100.160 10.100.50.14
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
 default-domain value test.com
 user-authentication-idle-timeout 1440
!
tunnel-group TEST type ipsec-ra
tunnel-group TEST general-attributes
 address-pool remotevpn
 authentication-server-group (outside) sdi
 default-group-policy RAPOLICY
tunnel-group TEST ipsec-attributes
 pre-shared-key 123456
!
aaa-server sdi protocol sdi
aaa-server sdi host 192.168.29.144
aaa-server sdi host 192.168.100.177
aaa-server sdi host 192.168.109.20
aaa-server sdi host 10.100.50.22
*********************************

Even though I added the ASA to the Authentication Manager on the RSA server, it is not letting me log in. Is there any key that needs to be added on the ASA for SDI?

Error message when I ran a test from the ASA:

"Authentication Servernot responding: No error"

Thank you in advance

MS

1 Reply

mvsheik123
Level 7

Update:

There was something our server team was missing on the RSA server configs; it is all set now. But I just wanted to ask another question...

If I move the SDI server 10.100.50.22 to the top and move the primary server (192.168.29.144) to the end, e.g.:

aaa-server sdi protocol sdi
aaa-server sdi host 10.100.50.22
aaa-server sdi host 192.168.100.177
aaa-server sdi host 192.168.109.20
aaa-server sdi host 192.168.29.144

The users will not get authenticated until the ASA hits 192.168.29.144. Is this the normal behaviour? Can this behaviour be changed without promoting another backup server to Primary?

Thank you in advance

MS
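As an added example (not code from the thread or from Cisco), a small Python audit that parses the aaa-server and tunnel-group lines from the two posts above and flags the two things worth checking before running the test again: that the tunnel-group's authentication-server-group names a defined group whose first host is the intended primary (192.168.29.144, as the follow-up calls it), and that the pre-shared key is not a short all-digit value like the one in the first post. The sample config is constructed from the thread (in the follow-up's host order) and the 16-character key threshold is an assumption.

```python
import re

# Constructed sample: the aaa-server and tunnel-group lines from the thread,
# in the host order from the follow-up question (10.100.50.22 listed first).
ASA_CONFIG = """\
aaa-server sdi protocol sdi
aaa-server sdi host 10.100.50.22
aaa-server sdi host 192.168.100.177
aaa-server sdi host 192.168.109.20
aaa-server sdi host 192.168.29.144
tunnel-group TEST type ipsec-ra
tunnel-group TEST general-attributes
 authentication-server-group (outside) sdi
tunnel-group TEST ipsec-attributes
 pre-shared-key 123456
"""

def parse(config):
    """Return (aaa groups -> hosts in configured order, tunnel-groups -> attrs)."""
    groups, tgs, tg = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"aaa-server (\S+) protocol ", line):
            groups.setdefault(m.group(1), [])
        elif m := re.match(r"aaa-server (\S+) (?:\(\S+\) )?host (\S+)", line):
            groups.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"tunnel-group (\S+) ", line):
            tg = tgs.setdefault(m.group(1), {})
        elif tg is not None and (m := re.match(r"\s+authentication-server-group (?:\(\S+\) )?(\S+)", line)):
            tg["auth_group"] = m.group(1)
        elif tg is not None and (m := re.match(r"\s+pre-shared-key (\S+)", line)):
            tg["psk"] = m.group(1)
    return groups, tgs

def audit(config, expected_primary, min_psk_len=16):
    """Flag tunnel-groups whose authentication group is undefined or empty, is not
    led by the expected primary host, or uses a short / all-digit pre-shared key."""
    groups, tgs = parse(config)
    findings = []
    for name, tg in tgs.items():
        ag = tg.get("auth_group")
        hosts = groups.get(ag, [])
        if not hosts:
            findings.append(f"{name}: authentication-server-group {ag!r} undefined or has no hosts")
        elif hosts[0] != expected_primary:
            findings.append(f"{name}: first host in {ag} is {hosts[0]}, not primary {expected_primary}")
        psk = tg.get("psk", "")
        if psk and (len(psk) < min_psk_len or psk.isdigit()):
            findings.append(f"{name}: pre-shared-key is shorter than {min_psk_len} chars or all digits")
    return findings
```

Run `audit(ASA_CONFIG, "192.168.29.144")` to see both findings for the posted config; an empty list means the group ordering and key pass the checks.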