08-11-2009 09:05 AM - edited 03-10-2019 04:38 PM
Trying to configure VPN on a Cisco 5510 to use LDAP for authorization (used a Cisco document for implementing Kerberos/LDAP AAA with Windows AD).
Kerberos authentication works just fine, but when I test the LDAP AAA group I get -
"Authorization Rejected: memory error"
I haven't been able to find ANY info regarding that error message on the interwebz. I know it's reaching the domain controller just fine, but something isn't quite right. Any ideas?
08-17-2009 04:13 PM
The security appliance supports user authorization on an external LDAP or RADIUS server. Before you configure the security appliance to use an external server, you must configure the server with the correct security appliance authorization attributes and, from a subset of these attributes, assign specific permissions to individual users.
There are some known issues with LDAP and 7.1(1) (if you are using it). You may try upgrading to the latest 7.1.2 interim release.
08-28-2009 12:33 PM
We're actually on release 8.03
I haven't had time to look at this issue again yet (ahh family vacations =)) but hopefully in the next week I will.
Meanwhile, here's a bit of the config if that helps anyone
---
aaa-server Authent_grp protocol kerberos
aaa-server Authent_grp host X.X.X.152
kerberos-realm DOMAIN.COM
aaa-server Authent_grp host X.X.X.151
kerberos-realm DOMAIN.COM
aaa-server Author_grp protocol ldap
aaa-server Author_grp host X.X.X.152
ldap-base-dn ou=Users
ldap-scope onelevel
ldap-naming-attribute uid
ldap-login-password *
ldap-login-dn cn=admin,cn=Users,dc=domain,dc=com
server-type microsoft
---
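Since the thread turns on whether the LDAP group is defined correctly, here is a small lint pass over an ASA aaa-server LDAP block. This is an added example, not code from the thread or from Cisco. It embeds the config fragment quoted above (placeholder addresses kept) and applies two assumptions that are common ASA-to-Active-Directory conventions rather than anything the thread states: a base DN normally carries the domain's dc= components, and server-type microsoft normally pairs with ldap-naming-attribute sAMAccountName rather than uid. The DN splitter is deliberately simple and does not handle escaped commas.

```python
"""Lint an ASA aaa-server LDAP block for common Active Directory mismatches.

Added example; the checks are assumptions about usual AD conventions,
not rules taken from the thread or from Cisco documentation.
"""
import re

# Constructed sample: the fragment posted in the thread, addresses left as placeholders.
SAMPLE_CONFIG = """\
aaa-server Authent_grp protocol kerberos
aaa-server Authent_grp host X.X.X.152
 kerberos-realm DOMAIN.COM
aaa-server Author_grp protocol ldap
aaa-server Author_grp host X.X.X.152
 ldap-base-dn ou=Users
 ldap-scope onelevel
 ldap-naming-attribute uid
 ldap-login-password *
 ldap-login-dn cn=admin,cn=Users,dc=domain,dc=com
 server-type microsoft
"""


def parse_ldap_hosts(config):
    """Return {"group/host": {key: value}} for each host of an LDAP-protocol group."""
    ldap_groups = set()
    hosts = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"aaa-server (\S+) protocol (\S+)$", line)
        if m:
            if m.group(2) == "ldap":
                ldap_groups.add(m.group(1))
            current = None
            continue
        m = re.match(r"aaa-server (\S+) host (\S+)$", line)
        if m:
            group, host = m.groups()
            # Only collect host-level settings for groups that speak LDAP.
            current = hosts.setdefault(f"{group}/{host}", {}) if group in ldap_groups else None
            continue
        if current is not None and line:
            key, _, value = line.partition(" ")
            current[key] = value
    return hosts


def dn_components(dn):
    """Split a DN into lowercase (attribute, value) pairs. Escaped commas are not handled."""
    return [
        tuple(p.strip().lower() for p in part.split("=", 1))
        for part in dn.split(",")
        if "=" in part
    ]


def lint_host(settings):
    """Return a list of findings for one LDAP host's settings."""
    findings = []
    base = dn_components(settings.get("ldap-base-dn", ""))
    login = dn_components(settings.get("ldap-login-dn", ""))
    base_dcs = [c for c in base if c[0] == "dc"]
    login_dcs = [c for c in login if c[0] == "dc"]

    # Assumption: a base DN without dc= components is not anchored to the domain.
    if not base_dcs:
        findings.append("ldap-base-dn has no dc= components; search is not anchored to the domain")
    # Assumption: base DN and bind DN should name the same domain.
    elif login_dcs and base_dcs != login_dcs:
        findings.append("ldap-base-dn and ldap-login-dn name different domains")
    # Assumption: Active Directory logons are usually matched on sAMAccountName.
    if settings.get("server-type") == "microsoft" and \
            settings.get("ldap-naming-attribute", "").lower() != "samaccountname":
        findings.append("server-type microsoft usually pairs with ldap-naming-attribute sAMAccountName")
    return findings


def lint_config(config):
    """Lint every LDAP host in the config; returns {"group/host": [findings]}."""
    return {key: lint_host(settings) for key, settings in parse_ldap_hosts(config).items()}


if __name__ == "__main__":
    for key, findings in lint_config(SAMPLE_CONFIG).items():
        print(key)
        for f in findings:
            print("  -", f)
```

The lint only flags mismatches that are worth confirming against the directory; it does not talk to the domain controller, so a clean result is not proof the bind and search will succeed. For the live behaviour, the LDAP debug output on the appliance (run at a low level on a test box, not in production) shows the bind DN, base DN and search filter the ASA actually sends, which is the quickest way to see whether the search is landing where expected.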