05-11-2016 12:22 PM - edited 03-10-2019 11:45 PM
I have an ASA using an AAA LDAP server group for SSH login. In the AAA LDAP server group there are two servers, each communicating with a different domain.
If I have server1 identified first in the list, a login on that server's domain (domain1) is successful.
If I have server2 identified first, a login on that server's domain (domain2) is successful.
If I have server1 identified first, a login on domain2 is not successful even though server2 is listed just after server1 in the group. Same thing happens if I try to use a domain1 account if server2 is listed first.
If server1 is offline and listed as primary, then I can log in with credentials on domain2, but not if server1 is online.
Is there a way to have the ASA check server2 if authentication with server1 fails?
05-12-2016 08:44 AM
You need a RADIUS server to help you do this. Most RADIUS servers can search the AD, and if the user doesn't actually exist in the first AD, it will continue to the next. The ASA can't do this on its own, as the first server is still online and sends a reject when the user is not found, which the ASA interprets as "that user should not get access". That is why it works when the first server is offline: that is interpreted by the ASA as "AAA server down, move on to the next server".
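The behaviour described in the answer above, as an added simulation that is not part of the original thread or of any Cisco code: it models the ASA's server-group logic (fall back to the next server only when the current one is unreachable; a reject from a live server is final) next to a directory-aware RADIUS front end that searches for the account before binding. The server names, domains, accounts and passwords are constructed sample data.

```python
"""Added simulation of AAA server-group failover semantics (not Cisco code).

Models two policies over the same pair of directory servers:
  * asa_server_group  - ASA-style: try the next server only on UNREACHABLE;
                        a REJECT from a live server ends the attempt.
  * radius_front_end  - RADIUS-proxy-style: find which directory holds the
                        user, then bind only against that one.
All server/domain/account names below are constructed sample data.
"""

from dataclasses import dataclass, field

# Outcomes of a single bind attempt against one server.
ACCEPT, REJECT, UNREACHABLE = "accept", "reject", "unreachable"


@dataclass
class LdapServer:
    """One directory server in the group; `online` toggles reachability."""
    name: str
    domain: str
    accounts: dict = field(default_factory=dict)  # constructed: user -> password
    online: bool = True

    def bind(self, user: str, password: str) -> str:
        if not self.online:
            return UNREACHABLE
        # A live LDAP server answers a bind for an unknown user the same way it
        # answers a wrong password: with a failure, which the client sees as a reject.
        return ACCEPT if self.accounts.get(user) == password else REJECT

    def user_exists(self, user: str) -> bool:
        """Directory search (no bind) used by the RADIUS-style front end."""
        return self.online and user in self.accounts


def asa_server_group(servers, user, password) -> bool:
    """ASA-style: walk the group in order. Only an unreachable server causes
    fallback to the next one; a reject from a live server is authoritative."""
    for srv in servers:
        result = srv.bind(user, password)
        if result == UNREACHABLE:
            continue  # server is treated as down, move on to the next one
        return result == ACCEPT  # ACCEPT -> allow, REJECT -> deny; stop here
    # Every server unreachable: deny (an ASA with a LOCAL fallback method
    # configured would try the local database at this point).
    return False


def radius_front_end(servers, user, password) -> bool:
    """RADIUS-proxy-style (what the answer recommends): locate the account
    first, then bind only against the directory that actually holds it."""
    for srv in servers:
        if srv.user_exists(user):
            return srv.bind(user, password) == ACCEPT
    return False  # user found in no reachable directory


def run_scenarios() -> dict:
    """Reproduce the cases from the question with fresh constructed servers."""
    def fresh(server1_online=True):
        s1 = LdapServer("server1", "domain1", {"alice": "pw1"}, online=server1_online)
        s2 = LdapServer("server2", "domain2", {"bob": "pw2"})
        return s1, s2

    s1, s2 = fresh()
    results = {
        # domain1 user, server1 listed first: works
        "asa_domain1_user_server1_first": asa_server_group([s1, s2], "alice", "pw1"),
        # domain2 user, server1 listed first: server1 rejects, ASA stops
        "asa_domain2_user_server1_first": asa_server_group([s1, s2], "bob", "pw2"),
        # domain2 user, server2 listed first: works
        "asa_domain2_user_server2_first": asa_server_group([s2, s1], "bob", "pw2"),
        # RADIUS front end finds bob in domain2 regardless of order
        "radius_domain2_user_server1_first": radius_front_end([s1, s2], "bob", "pw2"),
        # wrong password is still denied by the front end
        "radius_wrong_password": radius_front_end([s1, s2], "bob", "nope"),
    }
    s1_down, s2 = fresh(server1_online=False)
    # server1 offline: ASA treats it as down and falls through to server2
    results["asa_domain2_user_server1_offline"] = asa_server_group([s1_down, s2], "bob", "pw2")
    return results


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The model deliberately ignores dead-time and reactivation settings; the point it isolates is that the ASA fallback keys on reachability, not on the reason for a reject, so an "unknown user" answer from the first live server denies the login.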
05-12-2016 10:22 AM
Makes sense. Thanks for the help. I wasn't sure if I was doing something wrong or just uncertain on how it all works.