LDAP group with multiple servers

jslusher11
Level 1

I have an ASA using an AAA LDAP server group for SSH login. In the AAA LDAP server group there are two servers, each communicating with a different domain.

If I have server1 identified first in the list, a login on that server's domain (domain1) is successful.

If I have server2 identified first, a login on that server's domain (domain2) is successful.

If I have server1 identified first, a login on domain2 is not successful even though server2 is listed just after server1 in the group. The same thing happens if I try to use a domain1 account when server2 is listed first.

If server1 is offline and listed as primary, then I can log in with credentials on domain2, but not if server1 is online.

Is there a way to have the ASA check server2 if authentication with server1 fails?

2 Replies

jan.nielsen
Level 7

You need a RADIUS server to help you do this. Most RADIUS servers can search the AD, and if the user doesn't actually exist in the first AD, it will continue to the next. The ASA can't do this on its own: as the first server is still online, it sends a reject when the user is not found, which the ASA interprets as "that user should not get access". That is why it works when the first server is offline, which the ASA interprets as "AAA server down, move on to next server".
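The reply above distinguishes two outcomes the ASA gets from a group member: an explicit reject (final, no fail-over) versus no answer (server marked down, next server tried). The following is an added example, not code from the thread or from Cisco: a small Python model of that server-group walk beside the multi-directory lookup a RADIUS server adds. The server names, domains, users and passwords are constructed for the illustration; the model reproduces the four observations in the original question.

```python
"""
Model of how an AAA server group walks its members, as described in the reply:
a REJECT from an online server is final, only a DOWN server causes fail-over.
Constructed example; server names, users and passwords are made up.
"""
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"   # server answered: credentials valid
    REJECT = "reject"   # server answered: unknown user or bad password
    DOWN = "down"       # no answer: timeout / unreachable


# Constructed directory servers. Each knows only its own domain's users:
# {server_name: (online?, {username: password})}
SERVERS = {
    "server1": (True, {"alice": "Pa55w0rd!"}),   # domain1
    "server2": (True, {"bob": "Hunter2!"}),      # domain2
}

# Same two servers, but server1 is offline (the poster's last observation).
SERVERS_S1_DOWN = {
    "server1": (False, SERVERS["server1"][1]),
    "server2": SERVERS["server2"],
}


def bind(server_name, user, password, servers=SERVERS):
    """One LDAP bind attempt against a single server."""
    online, users = servers[server_name]
    if not online:
        return Result.DOWN
    if users.get(user) == password:
        return Result.ACCEPT
    return Result.REJECT            # unknown user and bad password look alike


def asa_group_auth(order, user, password, servers=SERVERS):
    """
    ASA-style server group: servers are tried in list order, an explicit
    ACCEPT or REJECT ends the walk, and only a DOWN server is skipped.
    Returns (final_result, servers_contacted).
    """
    tried = []
    for name in order:
        tried.append(name)
        r = bind(name, user, password, servers)
        if r is not Result.DOWN:
            return r, tried         # an answer from an online server is final
        # DOWN: mark this server dead and fall over to the next one
    return Result.DOWN, tried       # every member was down


def radius_proxy_auth(order, user, password, servers=SERVERS):
    """
    What a RADIUS server doing a multi-directory lookup adds: 'user not in this
    directory' is treated as 'keep searching', and the bind is only performed
    against the directory that actually holds the account. Simplified model,
    not any particular RADIUS product.
    """
    tried = []
    for name in order:
        tried.append(name)
        online, users = servers[name]
        if not online or user not in users:
            continue                # unreachable or not this user's domain
        return bind(name, user, password, servers), tried
    return Result.REJECT, tried     # account found nowhere


if __name__ == "__main__":
    for order in (["server1", "server2"], ["server2", "server1"]):
        for user, pw in (("alice", "Pa55w0rd!"), ("bob", "Hunter2!")):
            print(order, user, "ASA:", asa_group_auth(order, user, pw),
                  "RADIUS:", radius_proxy_auth(order, user, pw))
    print("server1 down, bob via ASA:",
          asa_group_auth(["server1", "server2"], "bob", "Hunter2!", SERVERS_S1_DOWN))
```

Running it shows the asymmetry the poster hit: with server1 listed first, bob is rejected after contacting server1 alone, because server1 answered and the group never reaches server2; take server1 offline and the same login succeeds via server2. The proxy model keeps searching on "user not here" and so accepts bob regardless of list order.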

Makes sense. Thanks for the help. I wasn't sure if I was doing something wrong or just uncertain on how it all works.