ACS 5.3 LDAP BindResponse use LDAP Error Codes
04-24-2013 02:02 AM - edited 03-10-2019 08:21 PM
Hello,
I work on a project with RADIUS ACS and an LDAP identity store.
When I try to authenticate a user whose account is Disabled or Expired, the LDAP server sends back a bindResponse with a specific LDAP error code. Example:
LDAP 167 bindResponse(1) invalidCredentials (80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 533, v1db1)
In this example, "data 533" indicates ACCOUNT_DISABLED.
Is it possible to use these LDAP error codes in the ACS configuration to send a specific response with a RADIUS attribute to the RADIUS client?
Thank you in advance
Regards,
Romain
Labels: AAA
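For reference, an added example (not from this thread, and not an ACS feature) showing how the "data" sub-code in the quoted bindResponse can be parsed and mapped to a named failure reason, the way a log-analysis script or an authentication front end with direct LDAP access would do it. The sub-code table comes from Microsoft's public Active Directory error codes, and the two variant sample lines are constructed assumptions.

```python
import re
from typing import Optional

# Well-known Active Directory sub-codes carried in the "data NNN" field of the
# bind diagnosticMessage. The values are hex Win32 error codes; the thread's
# example, data 533, is ERROR_ACCOUNT_DISABLED. Table assembled from Microsoft's
# public error-code documentation for this example (assumption, not from ACS).
AD_BIND_SUBCODES = {
    0x525: "USER_NOT_FOUND",
    0x52E: "INVALID_CREDENTIALS",
    0x530: "LOGON_TIME_RESTRICTION",
    0x531: "WORKSTATION_RESTRICTION",
    0x532: "PASSWORD_EXPIRED",
    0x533: "ACCOUNT_DISABLED",
    0x701: "ACCOUNT_EXPIRED",
    0x773: "PASSWORD_MUST_CHANGE",
    0x775: "ACCOUNT_LOCKED_OUT",
}

# AD only emits the sub-code inside the AcceptSecurityContext comment; any
# other diagnosticMessage shape is treated as "no sub-code present".
_SUBCODE_RE = re.compile(r"AcceptSecurityContext error, data ([0-9A-Fa-f]+)")

def ad_subcode(diagnostic_message: str) -> Optional[int]:
    """Return the hex 'data' sub-code from an AD bindResponse, or None."""
    m = _SUBCODE_RE.search(diagnostic_message)
    return int(m.group(1), 16) if m else None

def classify_bind_failure(diagnostic_message: str) -> str:
    """Map the bind diagnosticMessage to a named AD failure reason."""
    code = ad_subcode(diagnostic_message)
    if code is None:
        return "NO_AD_SUBCODE"
    return AD_BIND_SUBCODES.get(code, f"UNKNOWN_SUBCODE_{code:x}")

def user_facing_category(diagnostic_message: str) -> str:
    """Collapse to the three outcomes the thread wants to tell apart.
    Anything not clearly disabled or expired is reported as a generic
    invalid login, so the portal never confirms that a username exists."""
    reason = classify_bind_failure(diagnostic_message)
    if reason == "ACCOUNT_DISABLED":
        return "disabled"
    if reason in ("ACCOUNT_EXPIRED", "PASSWORD_EXPIRED"):
        return "expired"
    return "invalid"

# Constructed samples: the bindResponse text quoted in the thread, plus two
# variants with other sub-codes (DSID and v1db1 suffix kept as quoted).
SAMPLE_533 = ("invalidCredentials (80090308: LdapErr: DSID-0C0903A9, comment: "
              "AcceptSecurityContext error, data 533, v1db1)")
SAMPLE_701 = SAMPLE_533.replace("data 533", "data 701")
SAMPLE_52E = SAMPLE_533.replace("data 533", "data 52e")
```

Note that all of these cases share the same LDAP resultCode (49, invalidCredentials), which is why a RADIUS layer that only sees pass/fail cannot tell them apart; the distinction lives solely in the diagnosticMessage.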

04-24-2013 04:45 AM
Romain,
What kind of response do you wish to send to the client? To put the client in a specific VLAN, for example, if s/he gets this error response?
I am not aware of anything like this on the ACS. You cannot set authorization decisions based on the failure reason.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"
04-24-2013 05:28 AM
Thank you Amjad for your response.
My RADIUS client is a firewall with authentication rules.
I need to send a RADIUS response of type "Access-Reject" with a RADIUS attribute (for example, I can use the RADIUS-IETF "State" attribute).
If the ACS is not able to take a decision based on the LDAP failure reason, my solution seems not feasible.
Romain,

04-24-2013 05:48 AM
Romain,
Are you trying to lock down disabled users on AD/LDAP to a specific group policy on the ASA that has no access to VPN, with the help of ACS? If that's what you're trying to accomplish, then this can be done with the ASA and LDAP alone, without ACS. Please correct me if I am wrong.
Jatin Katyal
- Do rate helpful posts -
04-24-2013 06:18 AM
No, it is not so easy: my firewall is a Check Point firewall, and I need ACS because I have to authenticate 2 different populations in 2 different identity stores.
My objective is to generate different errors on the firewall authentication page depending on whether the user account is disabled or expired or the login/password is invalid.
Romain,
