
ACS 5.3 LDAP BindResponse use LDAP Error Codes

Hello,

I work on a project with Radius ACS and LDAP identity store,

When I try to authenticate a user whose account is disabled or expired, the LDAP server sends back a bindResponse with specific LDAP error codes. Example:

LDAP   167       bindResponse(1) invalidCredentials (80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 533, v1db1)

In this example “data 533” Indicates an ACCOUNT_DISABLED.

Is it possible to use these LDAP error codes in the ACS configuration to send a specific response with a RADIUS attribute to a RADIUS client?

Thank you in advance

Regards,

Romain
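Added example, not code from the thread or from ACS: a small Python helper that pulls the AD "data" sub-code out of the bindResponse diagnostic message quoted above and maps it to a reason label. It goes beyond the 533 case in the question and covers the other documented AD sub-codes too; the label names and the `ad_subcode_` fallback are my own choice.

```python
import re

# Active Directory sub-error codes carried in the "data NNN" field of the
# bind diagnosticMessage (hex, as AD prints them). 533 is the code quoted
# in the question; the others are the remaining documented AD sub-codes.
AD_BIND_SUBCODES = {
    "525": "user_not_found",
    "52e": "invalid_credentials",
    "530": "logon_time_restriction",
    "531": "workstation_restriction",
    "532": "password_expired",
    "533": "account_disabled",
    "701": "account_expired",
    "773": "password_must_change",
    "775": "account_locked_out",
}

# "... comment: AcceptSecurityContext error, data 533, v1db1"
_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]{3})\b")
# Wireshark-style info column: "bindResponse(1) invalidCredentials (<diag>)"
_LINE_RE = re.compile(r"bindResponse\(\d+\)\s+(\w+)(?:\s+\((.*)\))?\s*$")


def classify_bind_failure(result_code: str, diagnostic: str) -> str:
    """Map an LDAP bindResponse (resultCode name + diagnosticMessage) to a
    reason label. Non-AD directories return only the bare resultCode."""
    if result_code == "success":
        return "success"
    if result_code != "invalidCredentials":
        # e.g. unwillingToPerform: not a credential failure, pass it through
        return "ldap_" + result_code
    m = _DATA_RE.search(diagnostic or "")
    if not m:
        # No AD sub-code: all we know is that the bind was refused
        return "invalid_credentials"
    code = m.group(1).lower()
    return AD_BIND_SUBCODES.get(code, "ad_subcode_" + code)


def classify_capture_line(line: str) -> str:
    """Classify one captured 'bindResponse(N) <code> (<diag>)' line."""
    m = _LINE_RE.search(line)
    if not m:
        raise ValueError("not a bindResponse line: " + line)
    return classify_bind_failure(m.group(1), m.group(2) or "")


# Constructed sample: the bindResponse line quoted in the question.
SAMPLE_LINE = ("LDAP   167       bindResponse(1) invalidCredentials (80090308: LdapErr: "
               "DSID-0C0903A9, comment: AcceptSecurityContext error, data 533, v1db1)")
```

Worth keeping in mind when acting on the result: showing the distinct reason to the person at the login page tells an unauthenticated caller which accounts exist, are disabled or are locked, so the usual pattern is to log the sub-code for the helpdesk and return a uniform failure to the user.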


Amjad Abdullah
VIP Alumni

Romain,

What kind of response do you wish to send to the client? To put the client in a specific VLAN, for example, if s/he gets this error response?

I am not aware of anything like this on the ACS. You cannot set authorization decisions based on the failure reason.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"


Thank you Amjad for your response,

My radius client is a firewall with authentication rules,

I need to send a RADIUS response of type "Access-Reject" with a RADIUS attribute (for example, I can use the RADIUS-IETF "State" attribute).

If the ACS is not able to make a decision based on the LDAP failure reason, my solution seems not feasible.

Romain,

Jatin Katyal
Cisco Employee

Romain,

Are you trying to lock down users disabled in AD/LDAP to a specific group policy on the ASA that has no VPN access, with the help of ACS? If that's what you're trying to accomplish, then this can be done with the ASA and LDAP alone, without ACS. Please correct me if I am wrong.

Jatin Katyal

- Do rate helpful posts -

~Jatin

No, it is not so easy: my firewall is a Checkpoint firewall, and I need ACS because I have to authenticate 2 different populations against 2 different identity stores.

My objective is to generate different errors on the firewall authentication page if the user account is disabled or expired, or if the login & password is invalid.

Romain,
