Cisco Support Community

New Member

ACS Issues

Okay here is a weird one:

We use ASAs for both IPSec and SSL VPN. The devices use RADIUS against ACS for user authentication. The user database pulls from Active Directory. We also use the same ACS for TACACS for routers (also pulling passwords from AD).

If a user account is disabled in AD, the TACACS and SSL are immediately locked out, but the IPSec works for about 2 hours. If you change the password, both TACACS and SSL are changed but IPSec uses both the old and new passwords for another 2 hours.

Very strange, any ideas?


Re: ACS Issues

What authentication protocol is the ASA using for IPSec? Is it EAP based?

For example EAP-FAST & EAP-TLS offer "fast session resume" where a quick authentication can be performed using retained SSL state. This might not pick up disabled users/changed passwords etc until the SSL session state expires and a full re-authentication takes place.

If the protocol for IPSec is the same as SSL then it must be the ASA doing something strange.

Hall of Fame Super Silver

Re: ACS Issues

I wonder if a slightly different explanation may be possible. IPSec negotiates its Security Association (SA) and authenticates it. The SA has a lifetime (which can be determined by time or determined by amount of data transmitted). While the SA is within its lifetime the end points have little need to re-authenticate. What is the probability that the IPSec SA lifetime is the two hours that are described in the original post?
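The SA-lifetime explanation above is worth turning into a check a defender can run after an account is disabled. The script below is an added example, not code from this thread or from Cisco: it reconciles a constructed ASA-style session list against constructed AD disable events, computes how long each still-authenticated IPSec session would outlive the disable (a zero lifetime models a protocol that re-authenticates on every login), and emits the ASA command that would terminate it. The user names, timestamps and record formats are assumptions; `vpn-sessiondb logoff name <user>` is a real ASA command.

```python
"""Flag VPN sessions that outlive a directory account-disable event.

Added example, not code from the thread or from Cisco. The thread reports that
an IPSec user keeps access for roughly two hours after the AD account is
disabled, because the IKE/IPSec SA was authenticated once and is not
re-checked until its lifetime expires. This script reconciles a constructed
session list against constructed AD disable events, reports the residual
access window per session, and emits the ASA command that would end it
('vpn-sessiondb logoff name <user>' is a real ASA command; all user names,
timestamps and record formats here are constructed).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass
class Session:
    user: str
    protocol: str           # "IKEv1" / "IKEv2" / "SSL"
    login: datetime         # when the session was last fully authenticated
    sa_lifetime: timedelta  # how long the cached authentication stays valid


@dataclass
class DisableEvent:
    user: str
    when: datetime          # when the account was disabled in the directory


@dataclass
class Finding:
    user: str
    protocol: str
    expires_at: datetime
    residual: timedelta     # access remaining after the disable event


# Constructed sample input: user,protocol,login-time,sa-lifetime-seconds
SESSIONS_TXT = """\
jdoe,IKEv1,2013-05-02T08:05:00,7200
asmith,IKEv1,2013-05-02T09:40:00,7200
bjones,SSL,2013-05-02T09:50:00,0
"""

# Constructed sample input: user,disable-time
DISABLES_TXT = """\
jdoe,2013-05-02T09:00:00
bjones,2013-05-02T09:55:00
"""


def parse_sessions(text: str) -> List[Session]:
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, proto, login, secs = line.split(",")
        out.append(Session(user, proto, datetime.fromisoformat(login),
                           timedelta(seconds=int(secs))))
    return out


def parse_disables(text: str) -> List[DisableEvent]:
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, when = line.split(",")
        out.append(DisableEvent(user, datetime.fromisoformat(when)))
    return out


def residual_access(sessions: List[Session],
                    disables: List[DisableEvent]) -> List[Finding]:
    """Return sessions whose cached authentication outlives a disable event.

    A session is exposed when the account was disabled while the SA was still
    within its lifetime: login <= when < login + sa_lifetime. A zero lifetime
    models a protocol that re-authenticates on every connection, which closes
    the window immediately.
    """
    findings = []
    for ev in disables:
        for s in sessions:
            if s.user != ev.user:
                continue
            expires_at = s.login + s.sa_lifetime
            if s.login <= ev.when < expires_at:
                findings.append(Finding(s.user, s.protocol, expires_at,
                                        expires_at - ev.when))
    return findings


def logoff_commands(findings: List[Finding]) -> List[str]:
    """ASA CLI to terminate each exposed user's sessions (one line per user)."""
    seen: List[str] = []
    for f in findings:
        if f.user not in seen:
            seen.append(f.user)
    return [f"vpn-sessiondb logoff name {u}" for u in seen]


if __name__ == "__main__":
    found = residual_access(parse_sessions(SESSIONS_TXT),
                            parse_disables(DISABLES_TXT))
    for f in found:
        print(f"{f.user} ({f.protocol}) keeps access until {f.expires_at:%H:%M} "
              f"({int(f.residual.total_seconds())} s after disable)")
    for cmd in logoff_commands(found):
        print(cmd)
```

With the constructed data, jdoe's IKEv1 SA (authenticated at 08:05 with a 7200 s lifetime) still has 3900 s of validity when the account is disabled at 09:00, so the script lists that session and prints the logoff command for jdoe; the SSL user with a zero lifetime is not listed because the next login re-authenticates. Shortening the IKE SA lifetime narrows the window, and forcing a logoff at disable time closes it.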



New Member

Re: ACS Issues

I have the same situation but have 1 user account that I want to authenticate via TACACS+ for logging into my network devices and RADIUS via ASA 7.x for logging into the VPN from home.

I am using AD group mappings and although a user can be a member of both groups in AD, he only seems to work via TACACS+ (placed in the secure group "Admins"). The secure group "VPN" contains the VPN users and until I remove the user from the domain admins group (leaving them in just the VPNusers group), they cannot VPN in (as it tries to authenticate using the admins group instead of the VPN users group).

Any ideas?