Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA CX active authentication

configure identity policies to require active authentication,but no login form display, why? 

 

1Define realm  which contain one AD 

2Define identity policy  

3Define identity policy object 

4Define access policy,specify Identity policy objects as part of the source field 

5Enable Auth proxy in ASA service policy 

 

thanks

6 REPLIES
Hall of Fame Super Silver

Does your AD server status in

Does your AD server status in CDA show up as good (green check box)?

Does your AD Agent connection in PRSM test successful (Device > AD Agent > Test)?

Back at CDA, does PRSM show up as a registered device?

Is CDA mapping users to IP addresses when they authenticate to AD?

If all that is working, please share your configured service-policy and related objects on the ASA as well as your access policy from PRSM.

New Member

Marvin,thanksi use Active

Marvin,thanks

i use Active Authentication,no agent is required.

 

New Member

Hi,The config seems ok. What

Hi,

The config seems ok. What is the exact behaviour? Does the requested web page load without any authentication or do you receive an error?

New Member

thanks raduno AD login

thanks radu

no AD login windwos show

the requested web page does not load

the url bar just show:http://192.168.10.1:1025/?redirect_id=63a01419d3d6e2799da3d8279428bba2fa176c47

New Member

Hi,Can you try the following

Hi,

Can you try the following command on the ASA following an authentication attempt? Also, can you issue a "show run policy-map", "show run service-policy" and "show nameif" command?

/pri/act# show asp table classify domain cxsc-auth-proxy hits 

Input Table
in  id=0x7fff2b967190, priority=121, domain=cxsc-auth-proxy, deny=false
        hits=55144, user_data=0x7fff2b966e80, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=10.237.4.1, mask=255.255.255.255, port=885, tag=0, dscp=0x0
        input_ifc=lanwsp, output_ifc=identity
in  id=0x7fff2b96e760, priority=121, domain=cxsc-auth-proxy, deny=false
        hits=33077, user_data=0x7fff2b96e450, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=10.237.8.1, mask=255.255.255.255, port=885, tag=0, dscp=0x0

New Member

Firewall(config)# show run

Firewall(config)# show run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
policy-map cx-policy
 class class-default
  inspect icmp 
  user-statistics accounting
  cxsc fail-open auth-proxy
!             
 
Firewall(config)# show run service-policy
service-policy cx-policy global
 
Firewall(config)# show nameif
Interface                Name                     Security
GigabitEthernet0/0       Outside                    0
GigabitEthernet0/1       Inside                   100
GigabitEthernet0/2       DMZ                       50
Management0/0            management               100
 
Firewall(config)# show asp table classify domain cxsc-auth-proxy hits
 
Input Table
in  id=0x7fffa02644b0, priority=121, domain=cxsc-auth-proxy, deny=false
hits=70, user_data=0x7fff9f422630, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=external ip address             , mask=255.255.255.255, port=1025, tag=0, dscp=0x0
input_ifc=Outside, output_ifc=identity
in  id=0x7fffa38e9bb0, priority=121, domain=cxsc-auth-proxy, deny=false
hits=285473, user_data=0x7fff9f422630, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=192.168.10.1, mask=255.255.255.255, port=1025, tag=0, dscp=0x0
input_ifc=Inside, output_ifc=identity
in  id=0x7fff9fdc0eb0, priority=121, domain=cxsc-auth-proxy, deny=false
hits=24, user_data=0x7fff9f422630, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=192.168.100.1, mask=255.255.255.255, port=1025, tag=0, dscp=0x0
input_ifc=DMZ, output_ifc=identity
 
Output Table:
 
L2 - Output Table:
 
L2 - Input Table:
 
Last clearing of hits counters: Never
252
Views
0
Helpful
6
Replies