ACS 5.1---AD Authentication VS LDAP

cuellar52
Level 1

Any help on this subject would be great.

I can manage to get my account logging into the Cisco switch through the Active Directory setup in External Identity Stores, but not my LDAP setup. Here are some logs from the successful login and the unsuccessful login with LDAP.

AD-SETUP

Selected Identity Store - AD1
Current Identity Store does not support the authentication method; Skipping it.
TACACS+ will use the password prompt from global TACACS+ configuration.
Returned TACACS+ Authentication Reply
Received TACACS+ Authentication CONTINUE Request
Using previously selected Access Service
Identity Policy was evaluated before; Identity Sequence continuing
Authenticating user against Active Directory
User's Groups retrieval from Active Directory succeeded
User authentication against Active Directory succeeded
Authentication Passed


Access Policy
Access Service:
Default Device Admin
Identity Store:
AD1
Selected Shell Profile:
Privilege Mode
Active Directory Domain:
Blah.com
Identity Group:
Access Service Selection Matched Rule :
Rule-2
Identity Policy Matched Rule:
Default
Selected Identity Stores:
AD1
Query Identity Stores:
Selected Query Identity Stores:
Group Mapping Policy Matched Rule:
Authorization Policy Matched Rule:
Rule-1


The only issue with this setup is that I can only add the domain (example: blah.com), and I get massive latency occurring since the authentication process goes over state to other domain controllers instead of the local ones.

I can tell from the AAA STATUS in the monitoring DASHBOARD because the latency is around 8000ms, and from the slow login on the switch.

LDAP-SETUP

In my LDAP setup I point a primary and secondary hostname closer to home to avoid latency. I do a bind test, which returns successful on both hosts. I set up my Directory Organization tab and do a test configuration, which returns Group > 100, Subject > 100.

I reset my identity stores to LDAP instead of AD and try again, but for some reason I get error 22056 subject not found! I just can't work this out; here are the details:

Matched rule
Selected Access Service - Default Device Admin
Evaluating Identity Policy
Matched Default Rule
Selected Identity Store -
Current Identity Store does not support the authentication method; Skipping it.
TACACS+ will use the password prompt from global TACACS+ configuration.
Returned TACACS+ Authentication Reply
Received TACACS+ Authentication CONTINUE Request
Using previously selected Access Service
Identity Policy was evaluated before; Identity Sequence continuing
Sending request to primary LDAP server
Authenticating user against LDAP Server
User search ended with an error
Primary server failover. Switching to secondary server
Sending request to secondary LDAP server
Authenticating user against LDAP Server
User not found in LDAP Server
Subject not found in the applicable identity store(s).
The advanced option that is configured for an unknown user is used.
The 'Reject' advanced option is configured in case of a failed authentication request.
Returned TACACS+ Authentication Reply


Are there any ideas on what I can try so it can find my account like the AD structure did? Ideas please?

cheers

Accepted Solution

Jagdeep Gambhir
Level 10


Hi Ed,

Try using a standard LDAP browser (www.ldapbrowser.com) to view the LDAP structure. Verify the base DN used for searches matches the structure.

Regards,
~JG

Do rate helpful posts


3 Replies

Hi JG,

Thanks for replying to my post. I am currently using Softerra LDAP Administrator software to verify the base DN structure. I now run the test configuration button and I get a return of 1 Group and 1 Subject, which is correct for the settings I have chosen.

So LDAP is now seeing my group and seeing my AD user, but I still have the same problem when trying to log into my network device. The user is not found?

Can you help with anything else I might need to check, JG? This is driving me and everyone else in the office up the wall. Let me know if you would like some screenshots.

Regards

Ed

cuellar52
Level 1

Problem fixed, very annoying LDAP setup. Had to change CN to sAMAccountName to get this working, cheers!
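The fix above, and JG's base DN check, illustrated with an added example that is not code from this thread or from Cisco ACS: it emulates the subject lookup an LDAP identity store performs, so you can see why "cn" as the Subject Name Attribute returns "Subject not found" for an AD user who logs in as "ed" while "sAMAccountName" matches, and why a base DN that does not contain the user's OU fails too. The directory entries, DNs and login names are constructed for illustration.

```python
# Constructed AD-style entries (not from the thread). In AD a user's CN is
# usually the display name, while the name typed at the switch login prompt
# is the logon name stored in sAMAccountName.
DIRECTORY = [
    {"dn": "CN=Ed Cuellar,OU=Users,DC=blah,DC=com",
     "cn": "Ed Cuellar", "sAMAccountName": "ed"},
    {"dn": "CN=Jane Roe,OU=Users,DC=blah,DC=com",
     "cn": "Jane Roe", "sAMAccountName": "jroe"},
    {"dn": "CN=NetAdmins,OU=Groups,DC=blah,DC=com",
     "cn": "NetAdmins", "objectClass": "group"},
]


def attr_value(entry, name):
    """LDAP attribute names are case-insensitive; look them up that way."""
    for key, value in entry.items():
        if key.lower() == name.lower():
            return value
    return ""


def in_subtree(dn, base_dn):
    """Subtree-scope check: the entry's DN must sit under the search base."""
    return dn.lower().endswith(base_dn.lower())


def subject_search(directory, base_dn, subject_attr, login_name):
    """Emulate the store's user lookup: filter (subject_attr=login_name)
    with subtree scope under base_dn. Returns (filter string, matches)."""
    ldap_filter = f"({subject_attr}={login_name})"
    hits = [e for e in directory
            if in_subtree(e["dn"], base_dn)
            and attr_value(e, subject_attr).lower() == login_name.lower()]
    return ldap_filter, hits


def lookup_status(directory, base_dn, subject_attr, login_name):
    """Map the search result to the outcome ACS reports in its log."""
    _, hits = subject_search(directory, base_dn, subject_attr, login_name)
    if len(hits) == 1:
        return "found " + hits[0]["dn"]
    if not hits:
        return "22056 Subject not found"
    return "ambiguous (multiple entries)"


if __name__ == "__main__":
    base = "DC=blah,DC=com"
    print("cn:            ", lookup_status(DIRECTORY, base, "cn", "ed"))
    print("sAMAccountName:", lookup_status(DIRECTORY, base, "sAMAccountName", "ed"))
    print("wrong base DN: ", lookup_status(DIRECTORY, "OU=Contractors,DC=blah,DC=com",
                                           "sAMAccountName", "ed"))
```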
