We use ASAs for both IPSec and SSL VPN. The devices use RADIUS against ACS for user authentication. The user database pulls from Active Directory. We also use the same ACS for TACACS for routers (also pulling passwords from AD).
If a user account is disabled in AD, the TACACS and SSL are immediately locked out, but the IPSec works for about 2 hours. If you change the password, both TACACS and SSL are changed but IPSec uses both the old and new passwords for another 2 hours.
What authentication protocol is the ASA using for IPSec? Is it EAP based?
For example EAP-FAST & EAP-TLS offer "fast session resume" where a quick authentication can be performed using retained SSL state. This might not pick up disabled users/changed passwords etc until the SSL session state expires and a full re-authentication takes place.
If the protocol for ipsec is the same as SSL then it must be the ASA doing something strange.
I wonder if a slightly different explanation may be possible. IPSec negotiates its Security Association (SA) and authenticates it. The SA has a lifetime (which can be determined by time or determined by amount of data transmitted). While the SA is within its lifetime the end points have little need to re-authenticate. What is the probability that the IPSec SA lifetime is the two hours that are described in the original post?
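To check the SA-lifetime theory above on the box itself, here is an added example of the ASA CLI you would use; it is not from any post in this thread. It assumes an ASA running 7.x/8.x with an IKEv1 (ISAKMP) remote-access tunnel; the policy number and the timer values are placeholders, not recommendations.

```cisco
! Added example, not part of the original thread.
! Assumes ASA 7.x/8.x, IKEv1 remote-access VPN. Policy number 10 and the
! 3600-second values below are placeholders chosen for illustration.

! 1. Look at the configured phase-1 (ISAKMP) lifetime. If this is 7200 s,
!    it matches the "about 2 hours" window described in the thread.
show run crypto isakmp

! 2. Look at the live phase-1 and phase-2 SAs and their remaining lifetimes.
show crypto isakmp sa detail
show crypto ipsec sa

! 3. (Optional) Shorten the lifetimes so a disabled account or password
!    change is picked up sooner at the next full re-authentication.
!    Platform defaults are 86400 s (ISAKMP) and 28800 s (IPsec); verify
!    against the command reference for your release.
crypto isakmp policy 10
 lifetime 3600
crypto ipsec security-association lifetime seconds 3600

! 4. When an account is disabled in AD, do not wait for the SA to expire:
!    drop the user's existing session so the next connect hits RADIUS/ACS.
!    <username> is a placeholder.
vpn-sessiondb logoff name <username>
```

Shortening the phase-1 lifetime only bounds how long a cached authentication can outlive an AD change; it does not revoke an established session. Step 4 is the operational control to pair with the account-disable procedure so the tunnel is torn down immediately rather than after the SA rekey.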
I have the same situation but have 1 user account that I want to authenticate via TACACS+ for logging into my network devices and RADIUS via ASA 7.x for logging into the VPN from home.
I am using AD group mappings and although a user can be a member of both groups in AD, he only seems to work via TACACS+ (placed in the secure group "Admins"). The secure group "VPN" contains the VPN users and until I remove the user from the domain admins group (leaving them in just the VPNusers group), they cannot VPN in (as it tries to authenticate using the admins group instead of the VPN users group).