07-22-2011 07:51 AM - edited 03-10-2019 06:14 PM
Hello,
We just bought a Cisco 1921 and I'm trying to identify my users against an LDAP server. I have two problems:
-When I use the test command to test the authentication (test aaa group ...), it only works when the password is in cleartext in the LDAP server.
-When I try to login via ssh to the router, I got this error in my syslog:
Jul 22 13:18:24 10.20.42.3 1465: *Jul 22 11:18:49.255: AAA/BIND(0000002D): Bind i/f
Jul 22 13:18:24 10.20.42.3 1466: *Jul 22 11:18:49.255: AAA/AUTHEN/LOGIN (0000002D): Pick method list 'LDAP_login'
Jul 22 13:18:24 10.20.42.3 1467: *Jul 22 11:18:49.255: LDAP: LDAP: Queuing AAA request 45 for processing
Jul 22 13:18:24 10.20.42.3 1468: *Jul 22 11:18:49.255: LDAP: Received queue event, new AAA request
Jul 22 13:18:24 10.20.42.3 1469: *Jul 22 11:18:49.255: LDAP: LDAP authentication request
Jul 22 13:18:24 10.20.42.3 1470: *Jul 22 11:18:49.255: LDAP: Username/Password sanity check failed!!
Jul 22 13:18:24 10.20.42.3 1471: *Jul 22 11:18:49.255: LDAP: LDAP doesn't suport interactive login
Is there any solution? Or is it just for VPN login?
07-27-2011 01:30 AM
Anyone?
08-22-2011 02:38 AM
Really? Nobody ever tried to authenticate via LDAP?
10-27-2011 04:27 AM
I have agonised over this myself.
It seems LDAP can only authenticate using PAP.
Set your client to PAP only and it works.
Check this, using chap:
*Oct 27 11:33:27.875: LDAP: LDAP authentication request
*Oct 27 11:33:27.875: LDAP: Username/Password sanity check failed!!
*Oct 27 11:33:27.875: LDAP: Notifying AAA: REQUEST FAILED
And then using PAP:
*Oct 27 11:35:06.987: LDAP: LDAP Messages to be processed: 1
*Oct 27 11:35:06.987: LDAP: LDAP Message type: 97
*Oct 27 11:35:06.987: LDAP: Got ldap transaction context from reqid 47ldap_parse_result
*Oct 27 11:35:06.987: LDAP: resultCode: 0 (Success)
*Oct 27 11:35:06.987: LDAP: Received Bind Responseldap_parse_result
*Oct 27 11:35:06.987: LDAP: Ldap Result Msg: SUCCESS, Result code =0
*Oct 27 11:35:06.987: LDAP: LDAP Bind successful for DN:CN=***********,CN=******,DC=****,DC=com
*Oct 27 11:35:06.987: LDAP: * LDAP PASSWORD VERIFY DONE *
*Oct 27 11:35:06.987: LDAP: Next Task: All authentication task completed
*Oct 27 11:35:06.987: LDAP: Transaction context removed from list [ldap reqid=47]
*Oct 27 11:35:06.987: LDAP: * * AUTHENTICATION COMPLETED SUCCESSFULLY * *
*Oct 27 11:35:06.987: LDAP: Notifying AAA: REQUEST SUCCESSldap_msgfree
ldap_result
wait4msg (timeout 0 sec, 1 usec)
ldap_select_fd_wait (select)
ldap_err2string
*Oct 27 11:35:06.987: LDAP: Finished processing ldap msg, Result:Success
*Oct 27 11:35:06.995: %IP_VFR-7-FEATURE_DISABLE_IN: VFR(in) is manually disabled through CLI; VFR support for features that have internally enabled, will be made available only when VFR is enabled manually on interface Virtual-Access3
*Oct 27 11:35:06.999: LDAP: Received socket event
*Oct 27 11:35:07.007: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
*Oct 27 11:35:07.011: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
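Why the CHAP attempt fails the "sanity check" while PAP binds cleanly, as an added illustration (not code from the thread or from Cisco): an LDAP simple bind needs the user's cleartext password, which PAP delivers but CHAP never does. The directory class, DN, account and challenge below are constructed stand-ins.

```python
import hashlib

# Constructed stand-in for the LDAP directory: it answers only one
# question, "does this DN bind with this cleartext password?", and
# never hands the stored secret back to the router.
class LdapDirectory:
    def __init__(self, accounts):
        self._accounts = accounts  # dn -> cleartext password

    def simple_bind(self, dn, password):
        return self._accounts.get(dn) == password


def chap_response(ident, secret, challenge):
    """Client side of CHAP (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def authenticate_pap(directory, dn, password):
    """PAP delivers the cleartext password, so the router can bind with it."""
    return directory.simple_bind(dn, password)


def authenticate_chap(directory, dn, ident, challenge, response):
    """With CHAP the router holds only the challenge and the client's digest.
    Verifying the digest needs the cleartext secret, which the directory
    will not disclose, and binding with the digest itself can never match."""
    return directory.simple_bind(dn, response.hex())


DN = "CN=alice,CN=Users,DC=example,DC=com"          # constructed DN
directory = LdapDirectory({DN: "correct horse"})   # constructed account
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed


def demo():
    """Returns (pap_result, chap_result) for the same correct password."""
    pap = authenticate_pap(directory, DN, "correct horse")
    resp = chap_response(1, "correct horse", CHALLENGE)
    chap = authenticate_chap(directory, DN, 1, CHALLENGE, resp)
    return pap, chap


if __name__ == "__main__":
    print("PAP bind ok:", demo()[0], "| CHAP bind ok:", demo()[1])
```

The same correct credential succeeds under PAP and fails under CHAP, which is what the two debug captures above show; the fix is to use PAP (or a backend that holds the secret, not an LDAP bind) for CHAP-style methods.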
03-28-2018 08:07 PM
How do you set it to PAP only?