06-08-2010 10:42 PM - edited 03-10-2019 05:10 PM
Any help on this subject would be great.
I can manage to get my account logging into the Cisco switch through the Active Directory setup in External Identity Stores, but not my LDAP setup. Here are some logs from the successful login and the unsuccessful login with LDAP.
AD-SETUP
Selected Identity Store - AD1
Current Identity Store does not support the authentication method; Skipping it.
TACACS+ will use the password prompt from global TACACS+ configuration.
Returned TACACS+ Authentication Reply
Received TACACS+ Authentication CONTINUE Request
Using previously selected Access Service
Identity Policy was evaluated before; Identity Sequence continuing
Authenticating user against Active Directory
User's Groups retrieval from Active Directory succeeded
User authentication against Active Directory succeeded
Authentication Passed
Access Policy
Access Service: Default Device Admin
Identity Store: AD1
Selected Shell Profile: Privilege Mode
Active Directory Domain: Blah.com
Identity Group: (empty)
Access Service Selection Matched Rule: Rule-2
Identity Policy Matched Rule: Default
Selected Identity Stores: AD1
Query Identity Stores: (empty)
Selected Query Identity Stores: (empty)
Group Mapping Policy Matched Rule: (empty)
Authorization Policy Matched Rule: Rule-1
The only issue with this setup is that I can only add the domain (example blah.com), and I get massive latency occurring since the authentication process goes over state to other domain controllers instead of the local ones.
I can tell from the AAA status in the monitoring dashboard, because the latency is around 8000ms, and from the slow login on the switch.
LDAP-SETUP
In my LDAP setup I point a primary and secondary hostname closer to home to avoid latency. I do a bind test, which returns successful on both hosts. I set up my Directory Organization tab and do a test configuration, which returns Group > 100, Subject > 100.
I reset my identity stores to LDAP instead of AD and try again, but for some reason I get error 22056, subject not found! I just can't work this out; here are the details:
Matched rule
Selected Access Service - Default Device Admin
Evaluating Identity Policy
Matched Default Rule
Selected Identity Store -
Current Identity Store does not support the authentication method; Skipping it.
TACACS+ will use the password prompt from global TACACS+ configuration.
Returned TACACS+ Authentication Reply
Received TACACS+ Authentication CONTINUE Request
Using previously selected Access Service
Identity Policy was evaluated before; Identity Sequence continuing
Sending request to primary LDAP server
Authenticating user against LDAP Server
User search ended with an error
Primary server failover. Switching to secondary server
Sending request to secondary LDAP server
Authenticating user against LDAP Server
User not found in LDAP Server
Subject not found in the applicable identity store(s).
The advanced option that is configured for an unknown user is used.
The 'Reject' advanced option is configured in case of a failed authentication request.
Returned TACACS+ Authentication Reply
Are there any ideas what I can try so it can find my account like the AD structure did? Ideas please?
Cheers
06-14-2010 03:34 PM
Hi Ed,
Try using a standard LDAP browser (www.ldapbrowser.com) to view the LDAP structure. Verify that the base DN used for searches matches the structure.
Regards,
~JG
Do rate helpful posts
06-15-2010 07:27 PM
Hi JG,
Thanks for replying to my post. I am currently using Softerra LDAP Administrator software to verify the base DN structure. I now run the test configuration button and I get a return of 1 Group and 1 Subject, which is correct for the settings I have chosen.
So LDAP is now seeing my group and seeing my AD user, but I still have the same problem when trying to log into my network device. The user is not found?
Can you help with anything else I might need to check, JG? This is driving me and everyone else in the office up the wall. Let me know if you would like some screenshots.
Regards
Ed
07-21-2010 11:44 PM
Problem fixed, very annoying LDAP setup. Had to change CN to sAMAccountName to get this working, cheers!
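As an added illustration of why the fix above works (this is example code written for this page, not from the original posts or from Cisco ACS), the script below models the identity store's search-then-bind flow against a constructed in-memory stand-in for Active Directory. With the subject attribute set to CN, the login name typed at the switch matches nothing, because in AD the CN is normally the display name and the login name lives in sAMAccountName; JG's base DN check is modelled too. All entry names, DNs and passwords are made up.

```python
# Added example: ACS-style LDAP subject search with CN vs. sAMAccountName.
# The directory below is a constructed, in-memory stand-in for AD; no real
# LDAP server is contacted.
BASE_DN = "DC=blah,DC=com"  # modelled on the thread's example domain

# Constructed entries: in AD, cn is usually the display name, while the
# login name the user types at the switch lives in sAMAccountName.
DIRECTORY = {
    "CN=Ed Smith,OU=Staff,DC=blah,DC=com": {
        "cn": "Ed Smith", "sAMAccountName": "esmith", "userPassword": "s3cret",
        "memberOf": "CN=NetAdmins,OU=Groups,DC=blah,DC=com",
    },
    "CN=NetAdmins,OU=Groups,DC=blah,DC=com": {"cn": "NetAdmins"},
}


def in_scope(dn, base_dn):
    """Subtree scope: the entry's DN must sit under the search base DN."""
    return dn.lower().endswith(base_dn.lower())


def find_subject_dn(directory, base_dn, subject_attr, username):
    """Mimic the subject search: filter (subject_attr=username) under base_dn.
    LDAP attribute names are case-insensitive, so keys are lowered.
    Returns the single matching DN, or None (ACS: 'User not found')."""
    matches = []
    for dn, attrs in directory.items():
        lowered = {k.lower(): v for k, v in attrs.items()}
        if in_scope(dn, base_dn) and \
                lowered.get(subject_attr.lower(), "").lower() == username.lower():
            matches.append(dn)
    return matches[0] if len(matches) == 1 else None


def authenticate(directory, base_dn, subject_attr, username, password):
    """Search for the user's DN, then 'bind' with the supplied password.
    Returns a status string modelled on the thread's log lines."""
    dn = find_subject_dn(directory, base_dn, subject_attr, username)
    if dn is None:
        return "22056 Subject not found"
    if directory[dn].get("userPassword") != password:
        return "Bind failed: invalid credentials"
    return "Authentication Passed"


if __name__ == "__main__":
    # Original setting (subject attribute CN) vs. the fix (sAMAccountName),
    # then JG's check: a base DN outside the tree also yields 'not found'.
    print(authenticate(DIRECTORY, BASE_DN, "cn", "esmith", "s3cret"))
    print(authenticate(DIRECTORY, BASE_DN, "sAMAccountName", "esmith", "s3cret"))
    print(authenticate(DIRECTORY, "DC=other,DC=com", "sAMAccountName", "esmith", "s3cret"))
```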