Cisco ASA and LDAP authentication

fredericmoitie
Level 1

Hi all,

I have a problem with LDAP authentication.

I have a Cisco ASA 5510 and a Windows 2008 R2 server.

I created an LDAP authentication:

aaa-server LDAPGROUP protocol ldap
aaa-server LDAPGROUP (inside) host 10.0.1.30
server-port 389
ldap-base-dn dc=reseaux,dc=local
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=user,OU=Utilisateurs,DC=reseau,DC=local
server-type microsoft

But when I test it, I get an error (the user account works directly on the server):

test aaa-server authentication LDAPGROUP host 10.0.1.30 username user password *****

INFO: Attempting Authentication test to IP address <10.0.1.30> (timeout: 12 seconds)
ERROR: Authentication Rejected: Unspecified

Please help.

Regards,

Frederic

12 Replies

Yudong Wu
Level 7

Just want to make sure the following is a valid user account for the ASA to log on to AD. If not, your ASA could not log on to AD.

ldap-login-dn CN=user,OU=Utilisateurs,DC=reseau,DC=local

You can run "debug ldap 255".

Hi,

Thanks for your reply.

See the debug log:

test aaa-server authentication LDAPGROUP host 10.0.1.30 username "user" password "password"
INFO: Attempting Authentication test to IP address <10.0.1.30> (timeout: 12 seconds)

[1173] Session Start
[1173] New request Session, context 0xd81ffa30, reqType = Authentication
[1173] Fiber started
[1173] Creating LDAP context with uri=ldap://10.0.1.30:389
[1173] Connect to LDAP server: ldap://10.0.1.30:389, status = Successful
[1173] supportedLDAPVersion: value = 3
[1173] supportedLDAPVersion: value = 2
[1173] Binding as "user"
[1173] Performing Simple authentication for "user" to 10.0.1.30
[1173] LDAP Search:
        Base DN = [dc=reseaux,dc=local]
        Filter  = [sAMAccountName="user"]
        Scope   = [SUBTREE]
[1173] Request for "user" returned code (10) Referral
[1173] Fiber exit Tx=290 bytes Rx=669 bytes, status=-1
[1173] Session End
ERROR: Authentication Rejected: Unspecified

What is this error?

Request for "user" returned code (10) Referral

Regards,

Frederic

Frederic,

We are hitting a bug:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?caller=pluginredirector&method=fetchBugDetails&bugId=CSCsj32153

CSCsj32153 Bug Details

Implement LDAP Referrals for advanced searches

Symptom: the ASA/PIX doesn't currently support LDAP referral searches.

Conditions:

Workaround: None

Regards,

~JG

Do rate helpful posts

OK.

But do they have no solution?

My firewall is on version 8.2(2).

And on another firewall with the same version, I have no problem with LDAP authentication.

Strange!

Regards,

Frederic

Is that firewall using the same LDAP server?

Hi Frederic,

The enhancement is still open.

Regards,

~JG

Do rate helpful posts

Hi,

No, it is not the same server.

Frederic

Based on your LDAP configuration below,

aaa-server LDAPGROUP protocol ldap
aaa-server LDAPGROUP (inside) host 10.0.1.30
server-port 389
ldap-base-dn dc=reseaux,dc=local
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=user,OU=Utilisateurs,DC=reseau,DC=local
server-type microsoft

You have a user account with username "user" under Utilisateurs.reseau.local. You are using this account for the ASA to log in to AD to authenticate users.

When you ran the "test" command, you used username "user" again. But the ASA will only search for this user account on AD under "reseaux.local".

Do you have a valid account with username "user" under "reseaux.local"?

Due to the bug mentioned in the previous post, the ASA doesn't support multi-domain search via LDAP referrals. If your authentication on AD does not need to cross multiple domains, it should work.
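The two posts above (the "debug ldap 255" output and the analysis of the configuration) point at the same two things a practitioner checks first: whether the search base and the bind account live in the same domain, and whether the server answered the search with LDAP resultCode 10 (referral). In the quoted configuration the base DN says dc=reseaux,dc=local while the login DN says DC=reseau,DC=local, which is consistent with a domain controller returning a referral for a base DN it does not hold; the fix at the end of the thread changes the base DN. The following script is an added example, not part of the thread and not Cisco code; it parses the ASA config lines and debug lines as constructed sample input copied from the posts, and flags both conditions. The "corrected" config and the "code (0)" log line are constructed for contrast; the exact wording of a successful ASA debug line is an assumption.

```python
import re

# Constructed sample input, copied from the thread: the poster's aaa-server
# definition and the relevant lines of his "debug ldap 255" output.
ASA_CONFIG = """\
aaa-server LDAPGROUP protocol ldap
aaa-server LDAPGROUP (inside) host 10.0.1.30
server-port 389
ldap-base-dn dc=reseaux,dc=local
ldap-naming-attribute sAMAccountName
ldap-login-dn CN=user,OU=Utilisateurs,DC=reseau,DC=local
server-type microsoft
"""

DEBUG_LOG = """\
[1173] Connect to LDAP server: ldap://10.0.1.30:389, status = Successful
[1173] Binding as "user"
[1173] LDAP Search:
        Base DN = [dc=reseaux,dc=local]
        Filter  = [sAMAccountName="user"]
        Scope   = [SUBTREE]
[1173] Request for "user" returned code (10) Referral
"""

# Constructed contrast case: the base DN the poster ended up with, and a
# debug line for a successful search (wording assumed, not taken from the ASA).
FIXED_CONFIG = ASA_CONFIG.replace(
    "ldap-base-dn dc=reseaux,dc=local",
    "ldap-base-dn OU=Utilisateurs,DC=reseau,DC=local",
)
CLEAN_LOG = DEBUG_LOG.replace(
    'Request for "user" returned code (10) Referral',
    'Request for "user" returned code (0) Success',
)


def parse_dn(dn):
    """Split an LDAP DN into case-folded (attribute, value) pairs.
    Sufficient for the plain DNs found in ASA configs (no escaped commas)."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def domain_of(dn):
    """DNS-style domain name implied by the DC= components of a DN."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "dc")


def asa_ldap_settings(config):
    """Pick the ldap-base-dn, ldap-login-dn and server-port values out of an aaa-server block."""
    wanted = ("ldap-base-dn", "ldap-login-dn", "server-port")
    settings = {}
    for line in config.splitlines():
        line = line.strip()
        for key in wanted:
            if line.startswith(key + " "):
                settings[key] = line[len(key):].strip()
    return settings


# resultCode 10 is "referral" in the LDAP protocol (RFC 4511).
REFERRAL_RE = re.compile(r"returned code \((\d+)\) Referral")


def referral_codes(log):
    """LDAP result codes that the ASA debug output reports as referrals."""
    return [int(code) for code in REFERRAL_RE.findall(log)]


def diagnose(config, log):
    """Return a list of (tag, message) findings; an empty list means nothing suspicious."""
    findings = []
    settings = asa_ldap_settings(config)
    base_dom = domain_of(settings.get("ldap-base-dn", ""))
    login_dom = domain_of(settings.get("ldap-login-dn", ""))
    if base_dom and login_dom and base_dom != login_dom:
        findings.append(("domain-mismatch",
            f"ldap-base-dn is in {base_dom} but ldap-login-dn is in {login_dom}; "
            "a base DN outside the domain this DC holds makes AD answer with a referral"))
    if referral_codes(log):
        findings.append(("referral",
            "search returned resultCode 10 (referral), which this ASA does not chase; "
            "fix the base DN or query the global catalog (port 3268, 3269 with SSL)"))
    return findings


if __name__ == "__main__":
    for tag, message in diagnose(ASA_CONFIG, DEBUG_LOG):
        print(f"{tag}: {message}")
```

Run it as-is to see both findings for the thread's configuration; feeding it the corrected base DN and a non-referral debug line returns no findings. The domain comparison is deliberately done on the DC components only, because the OU part of the bind DN is irrelevant to which naming context the search base falls into.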

Yes, I have a valid account named "user".

This same account can open a Windows session directly on the AD server.

Regards,

Frederic

Do you have the account with username "user" in both "reseaux.local" and "Utilisateurs.reseau.local"?

If yes, can you check if they are two different AD domains? The bug has pointed out that the ASA doesn't support multi-domain authentication via LDAP referrals.

You might consider using an administrator AD account in "reseaux.local" for the ASA to log in to AD.

OK, I understand.

I forgot the "OU" in the ldap-base-dn command.

Now:

ldap-base-dn OU=Utilisateurs,DC=reseau,DC=local

and it works.

Many thanks, Yudong Wu.

regards

Frederic

wadehargrove
Level 1

I know this is an old thread, but it came up in my search when trying to solve the LDAP referral problem. You can point to the global catalog port on Active Directory servers:

Without SSL: 3268

With SSL: 3269
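As an added example (not from the thread or from Cisco documentation), the aaa-server definition quoted earlier rewritten to query the global catalog instead of the domain-specific LDAP port. The host, group name and DNs are the thread's own; the base DN is set to the domain root because a global catalog search is only useful if the base covers the whole forest. The second variant uses the ldap-over-ssl keyword and port 3269; it assumes the domain controller already has a certificate that the ASA is willing to accept, which the thread does not discuss.

```text
! Global catalog, cleartext (port 3268)
aaa-server LDAPGROUP protocol ldap
aaa-server LDAPGROUP (inside) host 10.0.1.30
 server-port 3268
 ldap-base-dn DC=reseau,DC=local
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=user,OU=Utilisateurs,DC=reseau,DC=local
 ldap-login-password *****
 server-type microsoft

! Global catalog over SSL (port 3269)
aaa-server LDAPGROUP-GC-SSL protocol ldap
aaa-server LDAPGROUP-GC-SSL (inside) host 10.0.1.30
 server-port 3269
 ldap-over-ssl enable
 ldap-base-dn DC=reseau,DC=local
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=user,OU=Utilisateurs,DC=reseau,DC=local
 ldap-login-password *****
 server-type microsoft
```

Verify with the same "test aaa-server authentication" command used in the thread; with "debug ldap 255" enabled, the search should no longer end in "returned code (10) Referral". Prefer the 3269 variant in production, since the bind on port 3268 sends the ldap-login-dn password in the clear.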