topic Re: Cisco Asa and ldap authentification in Network Access Control

Cisco Asa and ldap authentification

fredericmoitie — Mon, 11 Mar 2019 00:52:45 GMT

Hi All

i have a probleme with LDAP authentification.

i have an cisco Asa5510 and windows 2008 R2 server

i create LDAP authentification.

aaa-server LDAPGROUP protocol ldap
aaa-server LDAPGROUP (inside) host 10.0.1.30
server-port 389
ldap-base-dn dc=reseaux,dc=local
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=user,OU=Utilisateurs,DC=reseau,DC=local
server-type microsoft

but when i testing, i have an error (user account work directly in server)

test aaa-server authentication LDAPGROUP host 10.0.1.30 username user password *****

INFO: Attempting Authentication test to IP address <10.0.1.30> (timeout: 12 seconds)
ERROR: Authentication Rejected: Unspecified

please help

regards

frederic

Re: Cisco Asa and ldap authentification

Yudong Wu — Thu, 03 Mar 2011 19:28:02 GMT

Just want to make sure the following is the valid user accout for ASA to logon to AD. If not, your ASA could not logon to AD.

ldap-login-dn CN=user,OU=Utilisateurs,DC=reseau,DC=local

You can run "debug ldap 255"

Re: Cisco Asa and ldap authentification

fredericmoitie — Fri, 04 Mar 2011 08:43:44 GMT

for your reply.

see debug log

test aaa-server authentication LDAPGROUP host 10.0.1.30 username "user" password "password"
INFO: Attempting Authentication test to IP address <10.0.1.30> (timeout: 12 seconds)

[1173] Session Start
[1173] New request Session, context 0xd81ffa30, reqType = Authentication
[1173] Fiber started
[1173] Creating LDAP context with uri=ldap://10.0.1.30:389
[1173] Connect to LDAP server: ldap://10.0.1.30:389, status = Successful
[1173] supportedLDAPVersion: value = 3
[1173] supportedLDAPVersion: value = 2
[1173] Binding as "user"
[1173] Performing Simple authentication for "user" to 10.0.1.30
[1173] LDAP Search:
        Base DN = [dc=reseaux,dc=local]
        Filter = [sAMAccountName="user"]
        Scope   = [SUBTREE]
[1173] Request for "user" returned code (10) Referral
[1173] Fiber exit Tx=290 bytes Rx=669 bytes, status=-1
[1173] Session End
ERROR: Authentication Rejected: Unspecified

what is this error ?

Request for "user" returned code (10) Referral

regards

Frederic

Re: Cisco Asa and ldap authentification

Jagdeep Gambhir — Fri, 04 Mar 2011 09:37:00 GMT

Frederic,

We are hitting a bug,

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?caller=pluginredirector&method=fetchBugDetails&bugId=CSCsj32153

CSCsj32153 Bug Details

Implement LDAP Referrals for advanced searches
Symptom:the ASA/PIX doesn't currently support LDAP Referall searches. Conditions: Workaround:None

Regards,

~JG

Do rate helpful posts

Re: Cisco Asa and ldap authentification

fredericmoitie — Fri, 04 Mar 2011 09:45:53 GMT

OK.

but they have no solution ?

my Firewall is in 8.2(2) version.

and an another firewall with same version, i have no problem with ldap authentification.

strange !

regards

frederic

Re: Cisco Asa and ldap authentification

Jagdeep Gambhir — Fri, 04 Mar 2011 09:47:09 GMT

Hi Frederic,

The enhancement is still open.

Regards,

~JG

Do rate helpful posts

Re: Cisco Asa and ldap authentification

Jagdeep Gambhir — Fri, 04 Mar 2011 09:51:28 GMT

Is that firewall using same LDAP server?

Re: Cisco Asa and ldap authentification

fredericmoitie — Fri, 04 Mar 2011 09:58:41 GMT

no, this is not the same server

frederic

Re: Cisco Asa and ldap authentification

Yudong Wu — Fri, 04 Mar 2011 15:49:10 GMT

Based on your LDAP configuration below,

You have a user account with username "user" under Utilisateurs.reseau.local. You are using this account for ASA to login to AD to authenticate user.

When you ran "test" command, you used username "user" again. But ASA will only search this user account on AD under "reseaux.local".

Do you have a valid account with username "user" under "reseaux.local"?

Due the bug which was mentioned in the previous post, ASA don't support multi-domain search via LDAP refererals. If your authentication on AD does not need across multi-domain, it should work.

Re: Cisco Asa and ldap authentification

fredericmoitie — Fri, 04 Mar 2011 16:41:06 GMT

yes, i have a valid account with name "user".

this same account can open an windows session directly on server AD

regards

frederic

Re: Cisco Asa and ldap authentification

Yudong Wu — Fri, 04 Mar 2011 16:49:17 GMT

Do you have the account with username "user" in both ""reseaux.local" and "Utilisateurs.reseau.local"?

If yes, can you check if they are two different AD domain? The bug has pointed out that ASA don't support multi-domain authentication via LDAP refererals.

You might conside of using an administrator AD account in "reseaus.local" for ASA to login to AD.

Re: Cisco Asa and ldap authentification

fredericmoitie — Fri, 04 Mar 2011 17:27:17 GMT

ok i undestand,

i forget "OU" in ldap-base-dn command

now :

ldap-base-dn OU=Utilisateurs,DC=reseau,DC=local

and it's work.

many thanks Yudong Wu

regards

Frederic

I know this is an old thread

wadehargrove — Wed, 02 Jul 2014 23:56:18 GMT

I know this is an old thread but it came up in my search when trying to solve the LDAP referral problem. You can point to the global catalog port on Active Directory servers:

Without SSL: 3268

With SSL: 3269