Can ASA authenticate with the nearest/local replica RSA (SDI) server?

Mar 13th, 2009

Hi All,


From the RSA documentation I read:


"The Replicas function as the authentication Servers with read-only access to the database".


When I configure the ASA which accepts RA connections to authenticate users via RSA, only primary (which is at a remote site from the ASA) authentication is successful. Even when I add the local replica server (or any other replica server) as the first server, the state changes to 'Suspended' after trying to establish an RA connection.


aaa-server list in ASA:

aaa-server SDI host 10.1.2.10      -> local replica server
aaa-server SDI host 192.168.10.77  -> one of the remote replica servers
aaa-server SDI host 192.168.29.50  -> primary



Thank you in advance

MS

tstanik Thu, 03/19/2009 - 13:48

You may try configuring the exportable RSA keys. As of Cisco IOS Release 12.2(15)T, users can share the private RSA key pair of a router with standby routers, therefore transferring the security credentials between networking devices. The key pair that is shared between two routers will allow one router to immediately and transparently take over the functionality of the other router. If the main router were to fail, the standby router could be dropped into the network to replace the failed router without the need to regenerate keys, reenroll with the CA, or manually redistribute keys.


Exporting and importing an RSA key pair also enables users to place the same RSA key pair on multiple routers so that all management stations using Secure Shell (SSH) can be configured with a single public RSA key.


Richard Burts Sat, 03/21/2009 - 09:06

MS


The response from Theo is about IOS routers and RSA keys. But your question is about ASA and the RSA SDI server.


I have configured ASA to authenticate Remote Access VPN users via the RSA SDI server. In my experience we configured the ASA with just the address of the primary RSA SDI server. Then the ASA communicates with the primary RSA SDI server and from it learns the addresses of the RSA SDI replica servers. And then the ASA rotates through the available replica servers for authentication.


So I suggest that you configure your ASA with just the address of the primary server. How are you determining that the ASA is successful only with the primary server?


HTH


Rick

mvsheik123 Thu, 03/26/2009 - 10:41

Hi Rick,


Thank you for your reply.


"How are you determining that the ASA is successful only with the primary server"


--> I could not make it work with the replica, so I added the primary; then it's working/authenticated with the primary and also created the .sdi file in flash.


"In my experience we configured the ASA with just the address of the primary RSA SDI server"


What if the ASA loses connectivity with the primary RSA? How does it go to the secondary one?


Thank you in advance for your time

MS

Richard Burts Sun, 03/29/2009 - 15:54

MS


Here is my experience and I suspect that you would also find it to be the case for you:

- we configure only the primary RSA server.

- we communicate with it and successfully authenticate - and the creation of the .sdi file in flash does show that we are in sync with the RSA server.

- we have learned the addresses of the replicas from the primary. Our config still has no mention of the replicas, but I can see in the logs that we are establishing sessions and tearing down sessions with the other replica servers. And only from this can I tell that we are using the replicas in addition to the primary. And I believe that this would allow us to continue to function if we lost connectivity to the primary RSA server.


HTH


Rick

mvsheik123 Thu, 04/30/2009 - 11:22

Hi Rich,


You are correct. It works with the primary server entry in the list. The ASA downloaded the agent host list when it created the .sdi file.


The only issue I observed is: from the ASA, show aaa-server SDI shows the server sitting in the local LAN as SUSPENDED.

The rest (which are reachable via VPN tunnels, including the primary) show as active.


Any suggestions..?


TIA

MS

Richard Burts Thu, 04/30/2009 - 12:30

MS


I am glad that you have got it working and that my suggestion was helpful.


In my experience the ASA marks an authentication server as SUSPENDED if it has attempted to authenticate with that server and the attempt failed. If you check the logs on the ASA is there any indication that it has had a problem with that server?


Also in the server list, for the server on the local LAN which is marked as SUSPENDED what are the values for retries and for timeouts?


HTH


Rick
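As an added example (not the poster's configuration and not Rick's), here is the shape of the ASA configuration Rick describes in his replies: one SDI server group that lists only the primary, referenced by the remote-access tunnel group, followed by the exec commands used to check the per-host status and the timeout and retry values he asks about. The group name RSA-SDI, the interface name inside, the tunnel group RA-VPN, the username jdoe and the passcode are assumed; 192.168.29.50 is the primary address from the thread.

```cisco
! Added example, not from the original thread. RSA-SDI, inside, RA-VPN,
! jdoe and the passcode are assumed; 192.168.29.50 is the thread's primary.

! SDI server group: only the primary is configured. Per Rick's replies the
! ASA learns the replica list from the primary after the first successful
! authentication, so the replicas do not need their own host entries.
aaa-server RSA-SDI protocol sdi
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server RSA-SDI (inside) host 192.168.29.50
 timeout 10
 retry-interval 10
 sdi-version sdi-5

! Point the remote-access tunnel group at the SDI group.
tunnel-group RA-VPN general-attributes
 authentication-server-group RSA-SDI

! Verification, from exec mode:
! per-host status and the timeout/retransmission counters for the group
show aaa-server RSA-SDI
! authenticate one user against one host directly (PIN + tokencode)
test aaa-server authentication RSA-SDI host 192.168.29.50 username jdoe password 1234567890
! the node secret (.sdi) file is written to flash after the first successful exchange
dir flash:
! zero the counters before reproducing a suspended/failed server
clear aaa-server statistics RSA-SDI
```

The per-host `timeout` and `retry-interval` lines are the values Rick asks about for the suspended local replica; `max-failed-attempts` and `reactivation-mode` on the group control how many failures take a host out of rotation and how long it stays out. Pair `show aaa-server` with the ASA syslog, since it is in the logs, not the running config, that the sessions to the learned replicas become visible.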
