03-01-2013 02:50 AM - edited 03-10-2019 08:08 PM
Hello,
I'm trying to configure an ASA5510 with release 9.1(1) in order to authenticate VPN AnyConnect
users through LDAP. In a first step the logs show me this kind of error:
[-2147483632] Session Start
[-2147483632] New request Session, context 0xadf415d4, reqType = Authentication
[-2147483632] Fiber started
[-2147483632] Creating LDAP context with uri=ldap://192.168.4.251:389
[-2147483632] Connect to LDAP server: ldap://192.168.4.251:389, status = Successful
[-2147483632] supportedLDAPVersion: value = 3
[-2147483632] supportedLDAPVersion: value = 2
[-2147483632] Binding as XUSERX
[-2147483632] Performing Simple authentication for XUSERX to 192.168.4.251
[-2147483632] Simple authentication for XUSERX returned code (8) Strong(er) authentication required
[-2147483632] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[-2147483632] Fiber exit Tx=211 bytes Rx=682 bytes, status=-2
[-2147483632] Session End
ERROR: Authentication Server not responding: AAA Server has been removed
So I've changed the aaa-server configuration in order to use a different method for SASL (digest-MD5),
following the logs:
test aaa-server authentication LDAP_SRV_GRP host 192.168.4.251 usernam$
INFO: Attempting Authentication test to IP address <ipc01> (timeout: 12 seconds)
[-2147483608] Session Start
[-2147483608] New request Session, context 0xade91d2c, reqType = Authentication
[-2147483608] Fiber started
[-2147483608] Creating LDAP context with uri=ldap://192.168.4.251:389
[-2147483608] Connect to LDAP server: ldap://192.168.4.251:389, status = Successful
[-2147483608] supportedLDAPVersion: value = 3
[-2147483608] supportedLDAPVersion: value = 2
[-2147483608] Binding as XUSERX
[-2147483608] Performing SASL authentication for XUSERX to 192.168.4.251
[-2147483608] Server supports the following SASL methods: GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5
[-2147483608] hostname = 192.168.4.251
[-2147483608] SASL authentication start with mechanism DIGEST-MD5 for XUSERX
[-2147483608] getsimple:4002 [XUSERX]
[-2147483608] getsimple:4001 [XUSERX]
[-2147483608] getsecret: [*********]
[-2147483608] SASL step for XUSERX returned code (1) another step is needed in authentication
[-2147483608] SASL authentication for XUSERX with mechanism DIGEST-MD5 rejected
[-2147483608] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[-2147483608] Fiber exit Tx=616 bytes Rx=859 bytes, status=-2
[-2147483608] Session End
ERROR: Authentication Server not responding: AAA Server has been removed
It seems that I made one step forward but did not solve the problem.
Could someone give me some suggestions?
Following the aaa-server configuration part:
ipcasa# sh run aaa-server
aaa-server LDAP_SRV_GRP protocol ldap
reactivation-mode depletion deadtime 1
aaa-server LDAP_SRV_GRP (corporate) host ipc01
server-port 389
ldap-base-dn dc=ipc, dc=local
ldap-scope subtree
ldap-login-password *****
ldap-login-dn cn=XUSERX, cn=users, dc=ipc, dc=local
sasl-mechanism digest-md5
server-type microsoft
aaa-server LDAP_SRV_GRP (corporate) host 192.168.4.253
server-port 389
ldap-base-dn dc=ipc, dc=it
ldap-scope subtree
ldap-login-password *****
ldap-login-dn cn=XUSERX, cn=users, dc=ipc, dc=local
sasl-mechanism digest-md5
server-type microsoft
aaa-server KRB01 protocol kerberos
aaa-server KRB01 (corporate) host 192.168.4.253
kerberos-realm IPC.LOCAL
Thanks in advance for any suggestions!
Denni
05-11-2015 09:54 AM
Any resolution?
05-12-2015 07:16 AM
I'm pretty sure you need to use LDAP over SSL (port 686 I think), to have that work.
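As an added example (not part of this thread and not Cisco documentation) of the change the reply above points to: the host entry as posted, binding in clear text on port 389, next to the same entry switched to LDAP over SSL on port 636, the standard LDAPS port. Result code 8 (strongerAuthRequired) is what an Active Directory domain controller returns when it requires a bind to arrive signed or on an encrypted channel, which is why swapping the SASL mechanism alone did not help. The base DN dc=ipc,dc=local (matching the kerberos-realm IPC.LOCAL in the post) and the test account placeholders are assumptions.

```cisco
! Before (as posted): clear-text LDAP on 389. A simple bind or DIGEST-MD5
! bind here arrives without the signing/encryption the DC demands.
aaa-server LDAP_SRV_GRP (corporate) host 192.168.4.253
 server-port 389
 ldap-base-dn dc=ipc,dc=local
 ldap-scope subtree
 ldap-login-password *****
 ldap-login-dn cn=XUSERX,cn=users,dc=ipc,dc=local
 sasl-mechanism digest-md5
 server-type microsoft
!
! After: same bind credentials, but the whole session is wrapped in TLS
! on the LDAPS port, so the bind itself travels encrypted and the DC
! no longer answers with strongerAuthRequired.
aaa-server LDAP_SRV_GRP (corporate) host 192.168.4.253
 no sasl-mechanism digest-md5
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn dc=ipc,dc=local
 ldap-scope subtree
 ldap-login-password *****
 ldap-login-dn cn=XUSERX,cn=users,dc=ipc,dc=local
 server-type microsoft
!
! Verify from exec mode (TESTUSER / TESTPASS are placeholders); with
! "debug ldap 255" on, the bind line should now report code (0).
test aaa-server authentication LDAP_SRV_GRP host 192.168.4.253 username TESTUSER password TESTPASS
```

The DC must be listening on 636 with a server certificate issued for its name, otherwise the TLS handshake fails before any bind is attempted.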