Can ASA authenticate with the nearest/local replica RSA (SDI) server?

mvsheik123
Level 7

Hi All,

From the RSA documentation I read:

"The Replicas function as the authentication Servers with read-only access to the database."

When I configure an ASA that accepts RA connections to authenticate users via RSA, only the primary (which is at a remote site from the ASA) authenticates successfully. Even when I add the local replica server (or any other replica server) as the first server, its state changes to 'Suspended' after I try to establish an RA connection.

aaa-server list on the ASA:

aaa-server SDI host 10.1.2.10 -> local replica server

aaa-server SDI host 192.168.10.77 -> one of the remote replica servers

aaa-server SDI host 192.168.29.50 -> primary

Thank you in advance

MS

6 Replies

tstanik
Level 5

You may try configuring the exportable RSA keys. As of Cisco IOS Release 12.2(15)T, users can share the private RSA key pair of a router with standby routers, therefore transferring the security credentials between networking devices. The key pair that is shared between two routers will allow one router to immediately and transparently take over the functionality of the other router. If the main router were to fail, the standby router could be dropped into the network to replace the failed router without the need to regenerate keys, reenroll with the CA, or manually redistribute keys.

Exporting and importing an RSA key pair also enables users to place the same RSA key pair on multiple routers so that all management stations using Secure Shell (SSH) can be configured with a single public RSA key.

MS

The response from Theo is about IOS routers and RSA keys. But your question is about ASA and the RSA SDI server.

I have configured ASA to authenticate Remote Access VPN users via the RSA SDI server. In my experience we configured the ASA with just the address of the primary RSA SDI server. Then the ASA communicates with the primary RSA SDI server and from it learns the addresses of the RSA SDI replica servers. And then the ASA rotates through the available replica servers for authentication.

So I suggest that you configure your ASA with just the address of the primary server. How are you determining that the ASA is successful only with the primary server?

HTH

Rick

Hi Rick,

Thank you for your reply.

"How are you determining that the ASA is successful only with the primary server"

--> I could not make it work with a replica, so I added the primary; then it authenticated with the primary and also created the .sdi file in flash.

"In my experience we configured the ASA with just the address of the primary RSA SDI server"

What if the ASA loses connectivity with the primary RSA? How does it go to a secondary one?

Thank you in advance for your time

MS

MS

Here is my experience and I suspect that you would also find it to be the case for you:

- we configure only the primary RSA server.

- we communicate with it and successfully authenticate - and the creation of the .sdi file in flash does show that we are in sync with the RSA server.

- we have learned the addresses of the replicas from the primary. Our config still has no mention of the replicas, but I can see in the logs that we are establishing sessions and tearing down sessions with the other replica servers. And only from this can I tell that we are using the replicas in addition to the primary. And I believe that this would allow us to continue to function if we lost connectivity to the primary RSA server.

HTH

Rick

Hi Rick,

You are correct. It works with the primary server entry in the list. The ASA downloaded the agent host list when it created the .sdi file.

The only issue I observed is that on the ASA, show aaa-server SDI shows the server sitting on the local LAN as SUSPENDED.

The rest (which are reachable via VPN tunnels, including the primary) show as ACTIVE.

Any suggestions..?

TIA

MS

MS

I am glad that you have got it working and that my suggestion was helpful.

In my experience the ASA marks an authentication server as SUSPENDED if it has attempted to authenticate with that server and the attempt failed. If you check the logs on the ASA is there any indication that it has had a problem with that server?

Also in the server list, for the server on the local LAN which is marked as SUSPENDED what are the values for retries and for timeouts?

HTH

Rick
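As an added example, not taken from the thread or from the poster's running config, here is an ASA configuration that follows Rick's advice: only the primary RSA server is listed, and the group-level settings that decide when a server is marked failed and when it is tried again (the "retries and timeouts" Rick asks about) are set explicitly rather than left implicit. The group name SDI and the primary's address come from MS's post; the interface name "inside" and every timer value are assumptions to be adjusted for the real deployment.

```text
! Added example, not the poster's configuration.
! Assumptions: the RSA servers are reached through the interface named
! "inside"; the timer and retry values are illustrative, not tuned.
aaa-server SDI protocol sdi
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
!
! Only the primary is listed. On the first successful authentication the
! ASA writes the node secret (.sdi file) to flash and learns the replica
! list from the primary; replicas never need their own host entries.
aaa-server SDI (inside) host 192.168.29.50
 timeout 10
 retry-interval 10
!
! Checks to run from exec mode (shown here as comments):
! show aaa-server SDI
!   per-server status (ACTIVE vs failed/suspended) and transaction counters
! test aaa-server authentication SDI host 192.168.29.50 username jdoe password <passcode>
!   exercises one server directly, without going through a VPN login
! dir flash: | include sdi
!   confirms the node-secret file was written after the first exchange
```

With reactivation-mode depletion, a server that has failed max-failed-attempts consecutive transactions is taken out of rotation and is not tried again until every server in the group has failed and the deadtime has passed; reactivation-mode timed instead retries a failed server after 30 seconds. The node secret is what ties this ASA to its agent-host record on the RSA side: if the agent record is reset or the ASA is replaced, delete the stale .sdi file from flash as well, otherwise authentications fail on a node-secret mismatch until the handshake is redone.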