03-13-2009 08:21 AM
Hi All,
From the RSA documentation I read..
"The Replicas function as the authentication Servers with read-only access to the database".
When I configure ASA which accepts RA connections to authenticate users via RSA, Only primary (which is at remote site from ASA) authentication is successful. Even when I add the local replical server (or any other replica servers) as first server the states changes to 'Suspended' after trying to establish a RA connection.
aaa-server list in ASA:
aaa-server SDI host 10.1.2.10 -> Local replica Server
aaa-server SDI host 192.168.10.77-> one of remote replica server
aaa-server SDI host 192.168.29.50--> Primary
Thank you in advance
MS
03-19-2009 01:48 PM
You may try configuring the exportable RSA keys. As of Cisco IOS Release 12.2(15)T, users can share the private RSA key pair of a router with standby routers, therefore transferring the security credentials between networking devices. The key pair that is shared between two routers will allow one router to immediately and transparently take over the functionality of the other router. If the main router were to fail, the standby router could be dropped into the network to replace the failed router without the need to regenerate keys, reenroll with the CA, or manually redistribute keys.
Exporting and importing an RSA key pair also enables users to place the same RSA key pair on multiple routers so that all management stations using Secure Shell (SSH) can be configured with a single public RSA key.
03-21-2009 09:06 AM
MS
The response from Theo is about IOS routers and RSA keys. But your question is about ASA and the RSA SDI server.
I have configured ASA to authenticate Remote Access VPN users via the RSA SDI server. In my experience we configured the ASA with just the address of the primary RSA SDI server. Then the ASA communicates with the primary RSA SDI server and from it learns the addresses of the RSA SDI replica servers. And then the ASA rotates through the available replica servers for authentication.
So I suggest that you configure your ASA with just the address of the primary server. How are you determining that the ASA is successful only with the primary server?
HTH
Rick
03-26-2009 10:41 AM
Hi Rick,
Thank you for your reply.
"How are you determining that the ASA is successful only with the primary server"
--> I could not make it to work with replica, so I added the primay then its working/authenticated with primary and also created the .sdi file in flash.
"In my experience we configured the ASA with just the address of the primary RSA SDI server"
What if the ASA lost the connectivity with Primary RSA..? How does it go to secondary one..?
Thank you in advance for your time
MS
03-29-2009 03:54 PM
MS
Here is my experience and I suspect that you would also find it to be the case for you:
- we configure only the primary RSA server.
- we communicate with it and successfully authenticate - and the creation of the .sdi file in flash does show that we are in sync with the RSA server.
- we have learned the addresses of the replicas from the primary. Our config still has no mention of the replicas, but I can see in the logs that we are establishing sessions and tearing down sessions with the other replica servers. And only from this can I tell that we are using the replicas in addition to the primary. And I believe that this would allow us to continue to function if we lost connectivity to the primary RSA server.
HTH
Rick
04-30-2009 11:22 AM
Hi Rich,
You are correct. It works with primary servicer entry in the list. The ASA downloaded the agent host list when it created .sdi file.
Only issue I observed is: from ASA - Show aaa-server SDI showing the server sitting in the local LAN as SUSPENDED.
Rest (which are reachable via VPN runnels including primary as active).
Any suggestions..?
TIA
MS
04-30-2009 12:30 PM
MS
I am glad that you have got it working and that my suggestion was helpful.
In my experience the ASA marks an authentication server as SUSPENDED if it has attempted to authenticate with that server and the attempt failed. If you check the logs on the ASA is there any indication that it has had a problem with that server?
Also in the server list, for the server on the local LAN which is marked as SUSPENDED what are the values for retries and for timeouts?
HTH
Rick
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: