ACS Issues

jlefko
Level 1

Okay here is a weird one:

We use ASAs for both IPSec and SSL VPN. The devices use RADIUS against ACS for user authentication. The user database pulls from Active Directory. We also use the same ACS for TACACS for routers (also pulling passwords from AD).

If a user account is disabled in AD, the TACACS and SSL are immediately locked out, but the IPSec works for about 2 hours. If you change the password, both TACACS and SSL are changed but IPSec uses both the old and new passwords for another 2 hours.

Very strange, any ideas?

3 Replies

darpotter
Level 5

What authentication protocol is the ASA using for IPSec? Is it EAP based?

For example EAP-FAST & EAP-TLS offer "fast session resume" where a quick authentication can be performed using retained SSL state. This might not pick up disabled users/changed passwords etc until the SSL session state expires and a full re-authentication takes place.

If the protocol for IPSec is the same as for SSL then it must be the ASA doing something strange.

I wonder if a slightly different explanation may be possible. IPSec negotiates its Security Association (SA) and authenticates it. The SA has a lifetime (which can be determined by time or determined by amount of data transmitted). While the SA is within its lifetime the end points have little need to re-authenticate. What is the probability that the IPSec SA lifetime is the two hours that are described in the original post?

HTH

Rick

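A configuration sketch added here (not from any poster in this thread) to show where the IKE SA lifetime Rick describes lives on an ASA and how an administrator can end a remote-access session right away instead of waiting for the SA to expire; it assumes ASA 8.x IKEv1 syntax, a pre-shared-key remote-access tunnel with XAUTH, and the placeholder user name jdoe.

```cisco
! Added example, not from the original thread. Assumes ASA 8.x IKEv1 syntax.
!
! An IPsec remote-access peer is authenticated against RADIUS/ACS when the
! IKE (ISAKMP) SA is built. Until that SA is rebuilt there is no new RADIUS
! request, so a disabled AD account or an old password keeps working for
! the remainder of the IKE SA lifetime. SSL VPN and TACACS+ logins, by
! contrast, hit ACS on every login.

crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
! 7200 s = 2 h, matching the window reported in the original post.
! The ASA default is 86400 s (24 h). Shorter lifetimes shrink the window
! but never close it completely.
 lifetime 7200

! Phase 2 (IPsec SA) rekeys reuse the existing IKE SA and do not cause a
! RADIUS re-authentication at all, so tuning this does not help here.
crypto ipsec security-association lifetime seconds 3600

! Assumed group-policy attribute: force XAUTH re-authentication when the
! IKE SA is rekeyed, so the user is checked against ACS/AD at each rekey.
group-policy RA-POLICY attributes
 re-xauth enable

! Operational check after disabling an account (jdoe is a placeholder):
! list any live session for the user, then terminate it immediately.
show vpn-sessiondb remote filter name jdoe
vpn-sessiondb logoff name jdoe
```

Disabling the account in AD or on ACS only prevents the next authentication; the logoff command is what actually removes an existing session.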

jmbrady
Level 1

I have the same situation but have 1 user account that I want to authenticate via TACACS+ for logging into my network devices and RADIUS via ASA 7.x for logging into the VPN from home.

I am using AD group mappings and although a user can be a member of both groups in AD, he only seems to work via TACACS+ (placed in the secure group "Admins"). The secure group "VPN" contains the VPN users and until I remove the user from the domain admins group (leaving them in just the VPNusers group), they cannot VPN in (as it tries to authenticate using the admins group instead of the VPN users group).

Any ideas?
