Cisco Firewall :: ASA 5510 Server IAS First Authentication Failed
Jun 5, 2011
I have a little problem with my ASA 5510 version 8.2(1) with a IAS server RADIUS for strong authentication.
I have configured a double authentication for my client to access SSL portal:
First authentication: AD serverSecondary authentication: IAS for my token SAFENET ALADDIN The server IAS is declared on a W2K3 and it's standard.
The problem I have is that after more than 24hours of unutilization, when i try to log in, my authentication failed the first time and then the other tries work fine as long as I use it in a period of 24hours.
I first thought about the timeout so i tried to put a "timeout" of 15seconds for AD and IAS servers and a "retry intervall" of 3 seconds, it doesn't change much.
Is there a tool/option in the ASA to check connectivity with the radius every 1h for example.
I've been configured my device 6506-9 with TACACS+ server authentication: [code]
but when I tried to access the device only uses authentication local but not uses TACACs (with username/password defined) it can be an error in configuration? in the other devices of network this works properly, only it's wrong in Cat6506-E
i have an ASA 5510, i configured a ssl portal acces for my company. it used to work. now, it's still half working : 1/ i can connect to the web ssl portal page with the AAA acces (login and psw) 2/ but after, it's no more possible to access at corporate web pages, like intranet, always the same message : "connexion failed - serveur xxx not available". See the attachement.
i watched logs, my packets are dropped but i don't know why.
I tried to authenticate and authorized Nokia/checkpoint Nortel/AD3 and Nortel 5510 platform using an 4.1 for windows ACS. the ACCESS-REQUEST is well processed bi the radius server wich send ACCESS-ACCEPT to the AAA Client (ie NORTEL or NOKIA), but i'have got privilege access denied on the Client side. RADIUS IETF Dictionnary is used for every device. all others Cisco Devices authenticate and are well authorized.
i have a problem with a Failover Pair of 5510. The Boxes run with the software version 8.2.5.
If the Active ASA goes down, the Standby ASA switch to Active.
If i switch on the old Active ASA, both ASA are Active. This problem don't solved with the command 'no failover active' on the Standby box. This problem only solved with the command 'no failover' and then 'failover' on the Standby box.
having a bit of trouble setting up our 5510. None of us have ever played with a firewall before. We've got most of the basics covered. I was able to get to the outside world to do a software update to the box, but my laptop that sits in the inside can't see the outside. We only have the default access rules in place at the moment. Our old ISA firewall rules don't really translate all that well to this new box.
I have ASA 5510 with 8.3 version and using multi context. I created a new context ABC and tryed to add routes in the context for the ABC networks it would not work. There was an error in the log stating, “failed to locate egress interface”. I changed the metric on the static routes from 1 to 2 and it started working. Is it normal in a multi context?
I have a 5510 authenticating successfully with a RADIUS server. I'm using it for VPN authentication and it works great. I would also like to do this for administrator access to the ASA. When I turn it on though, any authentication for VPN access is also granted administrative access to the ASA. Obviously, I need to limit that to a select few users.
I have a strange problem in my ASA 5510 firewall. I turned on HTTP inspect policy to block certain URLs, but that destroyed svn communication. Interestingly, if I use simple web-browser to access svn server - it works, but any svn-client requests fail with an error "Could not read status line: An existing connection was forcibly closed by the remote host". I did some packet sniffing, and discovered that with HTTP inspect off the Webbed request is answered, but with HTTP inspect on it is rejected with an error unauthorized. Here are examples of success and failed conversation packets:
I found one mentioning of that error with that assessment: "Older firewall/proxies do not understand the Webbed related HTTP requests for accessing Subversion using HTTP{ URL} in that post But not any useful tips.
I'am using ASA 5510 and I try to understand how PAT is working.I want to add a Mail Server in the LAN and a webmail using port 3000 on the server. ( webmail must be reachable from the WAN)This is my Configuration :actually LAN users access internet using NAT with one global IP ( 194.x.x.69) which is the ASA WAN interface.
WAN ----- ISP Router ---------- FW ---------- LAN -------- Mail Server + Webmail | (25) | (3000) 194.x.x.69 192.168.1.254 192.168.1.6
I need to forward port 3000 and port 25 from outside to inside.For example, from the WAN : [URL] must be redirect toward 192.168.1.6:3000 . What is the Correct Configuration ? And what about the Inside/Outside Traffic,Is there any configuration to add ?
I have one server-A(windows 2008) installed one application called"host front" which gives athentication to connect Linux(mainframe console) server (SERVER B).These 2 servers are bihind the firewall.If one internal user who has the athentication to logine server-B ,tried to login server A,will get the" username and password"screen and once they enter the username and password ,will get the server-B screen.But if somebody try to connet via MPLS(we need to test MPLS site customers) from outside via ASA 5540 ,to server-A will get the "username password" screen and once enter the credentials, after 1 minitue will get error"http server faild to send datas to the server" and will not move to server -B screen.
I got a report from a branch office which is getting trouble to authenticate users to the WLAN this is a stand alone AP which has a configuration script that we use for all our branch offices but in this case is not working. It seems to be an issue with RADIUS but if it was the case the whole company would be experiencing problems since it is a central RADIUS server.
Here is a log from the AP By the way I modified the radius server timeout to 90 sec
APIMMEXP01# Sep 1 17:01:47.240: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication failed Sep 1 17:01:53.503: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication failed Sep 1 17:01:58.739: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication failed
I have a guest network and lately I have been experiencing troubles with some users.The symptom, as I create a username and password and type'em in a laptop the authentication fields in the web authentication page don't keep the data as if I didn't type anything
I'm trying to connect to ISP with PPPoE method using Cisco 861 equip. On the other side Cisco 3845 BRAS.Session fails at authentication phase. Authentication protocol chosen by routers is ms-chap-v2. Chap supported also. [code]
I have already set up a lab comprising of 1x2950-24 switch, 2x3750-24T in stack mode and 2x MS Domain Controller with AD 2008 Servers and NPS enabled (Domain level 2008). I use NPS as a Radius Server. I am trying to test the 802.1x framework in two scenarios.
1. I use as client a domain laptop with Windows XP SP3 with the embedded 802.1x MS supplicant. As authenticator use the 2950 switch and as authentication servers I use the two NPS integrated in MS DCs. Everything is working fine as I expected with basic configuration guidelines from Cisco & Microsoft.
2. I use as client a domain laptop with Windows XP SP3 with the embedded 802.1x MS supplicant (the same as before). As authenticator I use the 3750 Stack switch and as authentication servers I use the two NPS integrated in MS DCs (the same as before). I have configured the supplicant for both machine or user authentication in both scenarios. However the client never pass the authentication in the second one. I disconnect and connect the same supplicant in the 2950 switch and the authentication is completed successfully. Getting back to the 3750 stack the authentication failed and the laptop gains network access in the configured Auth-Failed Vlan. I have tried several configuration changes without success. I cannot understand why does this happen. I have made some debugs and I am sending them a long with a partial basic configuration of 3750 stack switch.
I've just purchased a second hand laptop for my Hubby and trying to gain access to the internet through my SKY wifi router. It keeps saying its within range but this error of Wireless authentication failed because of timeout!
picking up on old thread, but same issue: authentification failed because of a timeout
*previously*! i was able to auto connect fine on this home network via wifi.the line and box recently changed, same provider, and now i'm the only one who can't connect.the SSID changed, but i've done all the usual routines, deleting and re-adding manually, etc. but nothing so far...
i *don't* think this is a case of changing gear, but i don't know enough about internet/connection/configuration to fix this. yet!
NB: when i perform the reset on the box as instructed, using the provider's setup software - i am not the account holder - for the wifi, it shows connected very briefly in the animation, and then goes off again; this is the authentification/verification failing, i conclude.
so: with what is said above, i'm wondering if my antivir is to blame, or the windows firewall settings.or malwarebytes.i'm going to study the info i've got off my system, and looking at the router via the http routine, offline, as i now have to get off the internet(...); i'll get the infos together so i can post something useful.
I realize there are a few other threads on this subject. Ive followed some of the advice and I still can not connect. I am currently connected via Ethernet cable but I cannot connect to wireless. I have removed all the stored networks. My event log states: [code]....
When I try to log-in to my D-Link DIR-835 Router using IE9, I get an 'Authentication Failed' error. FireFox & Chrome work just fine. what I need to change or fix in IE9 so it will also log-in to my router?
Is this possible and if so what commands do i need to configure on my ASA 5510 for it to work.I have two web server within my DMZ and i want to access the outside url of on on the web server from the other. Currently i can access the internet from both webserver server but not the url form either webservers.
E.g. config
webserver 1 https://xxxxxx.xxxxxxx.com ---> public ip---> dmz ip webserver 2 https://xxxxxx.xxxxxxx.com ---> public ip---> dmz ip
I bought ASA 5510 about a week ago, very basic configuration and my priority was and still to get access list inbound the outside “Security Level 0 “so I can access my web server from the cloud but unfortunately I could not make it work (((TCP access denied by ACL from 92.40.X.X/52511 to outside:81.108.X.X/80))). ••à>> 92.40.X.X is a pc from the cloud that I used to access my web server and the 81.108.X.X is my public ip address My recent Conf is as follow:
Nat Section: ================================================================================== Dynamic: nat (inside,outside) source dynamic any interface <<<To have the PCs that inside the Network to have access to Internet>>>>
We have ASA 5520 as SSL VPN concentrator so users can access internal web from outside. Our internal web also has several internet URL. What we want is when user click internet URL in our internal web, ASA forward those request to internal proxy server. I already config proxy using port 8080 and username "companyuser" and password, but always have authentication failed on ssl vpn browser. We uses forefront TMG as proxy. Username and password have right to access Internet.
we have a ACS server V4 installed on W2003 server ,when we make a telnet to an equipement on the wan the authentication pass on the first connexion ,but when we telent to a switch on the lan the first connxion fails and we need to retry to login .when i check the field attempt log on the ACS i dont find the field attempt.i find this issue in ALL switch on the LAN ,from the switch i can ping the the ACS server .this problem appear frequently?
Having an issue where a user will plug a PC into a switch. The switch does a MAB authenticaiton and the MAC is not located in the ACS server. It logs the failed attempt, but when the PC is removed from the switch, the failed attempts keep getting logged until the port is bounced. Any way to keep the attemps from happening after the PC is removed? If not, any way to make it stop without bouncing the port?
running ACS version 5.2.0.26
switch port config: interface GigabitEthernet1/0/2 sw access vlan 2 sw mode access authentication control-direction in authenticaion host-mode multi-auth authentication port-control auto mab spanning-tree portfast
I have configured Radius authentication on Windows 2008 server (NPS) The following configuration is working perfectly on Cisco Switch 3560. [code]But, the same configuration is not working on Cisco Catlyst Switch 6509 (C3560-IPBASEK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)/
I have have a XPS L502X. I decided to make a clean installation based on Windows 7 Ultimate.My problem is when I instal the driver for the "Dell Wireless HSPA 5540" it fails with then warning:
"Authentication failed. The .... driver cannot be installed on this computer...."
I added a new server and created a new static NAT assignment on the ASA 5510 to the server's IP. When I browse to the web to check what public IP it's reporting, it shows the wrong IP. I disabled the network interface on the server, ran "clear xslate", reenabled the network interface, ran "sho xlate" and while the correct translation was in the table, the server still reported the wrong IP address.I even ran a packet trace and it showed the IP address being correctly translated to the proper public IP, but when I browse to the web I get the same erroneous public IP. [code]
