How to Check an AAA-Server Authentication on Cisco ASA/PIX/FWSM


Introduction

Tip

This month's reader tip from Syed Khushnud Amer Ali Shah Gilani demonstrates how to test AAA-server authentication from the ASA command line.

test aaa-server {authentication | authorization} <aaa_server_group> [host <name> | <host_ip>] [username <user> password <pass>]

The command sends a real request to the server group (or to the single server named with host) using the protocol configured for that group, so it exercises the same path a VPN or management login would. If username and password are omitted, the ASA prompts for them; prefer that form on a shared or logged session, because a password typed on the command line stays in the terminal scrollback and in any session log.

For example:

ASA# test aaa-server authentication TACGroup username johndoe password cisco123

If authentication is successful, the output is:
INFO: Authentication Successful

If authentication fails:
ERROR: Authentication Rejected: Unspecified

Authentication Example for an LDAP configuration

username michael: in the Active Directory default container (CN=Users,DC=carolco,DC=int)

username jennifer: in the Active Directory OU carolco-Users (OU=carolco-Users,DC=carolco,DC=int)

With the configuration below, michael could NOT log in, and that is the intended result:

aaa-server LAB_LDAP_GRP protocol ldap
aaa-server LAB_LDAP_GRP (inside) host 10.30.10.50
 ldap-base-dn OU=carolco-Users,DC=carolco,DC=int
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=ciscoasa,CN=Users,DC=carolco,DC=int
 server-type auto-detect

Coresite-nj-fw-01# test aaa-server authentication LAB_LDAP_GRP host 10.30.10.50 username jennifer password g00dlogin
INFO: Attempting Authentication test to IP address <10.30.10.50> (timeout: 12 seconds)
INFO: Authentication Successful

Coresite-nj-fw-01# test aaa-server authentication LAB_LDAP_GRP host 10.30.10.50 username michael password g00dlogin
INFO: Attempting Authentication test to IP address <10.30.10.50> (timeout: 12 seconds)
ERROR: Authentication Rejected: Unspecified

The ASA binds with ldap-login-dn and then searches for (sAMAccountName=<user>) starting at ldap-base-dn. jennifer's object sits under OU=carolco-Users, so the search finds her and the ASA can bind as her DN with the supplied password. michael's object is under CN=Users, which is not beneath the base DN, so the search returns no entry and the request is rejected before a password is ever checked. The error message does not say which step failed; debug ldap 255 shows whether the search returned an entry.

To restrict each SSL VPN tunnel group to its own set of users, create two aaa-server groups, each with ldap-base-dn set to the container that holds ONLY the users allowed for that tunnel group. Keep in mind that this is a coarse control: anyone moved into that container gains access, and users in a nested OU are found only with ldap-scope subtree (the ASA default is onelevel).

Another Scenario

Output from debug ldap 255 while a test aaa-server authentication run fails:

[-2147483610] LDAP Search:
        Base DN = [DC=city,DC=charlottesville,DC=org]
        Filter  = [sAMAccount=sargentm]
        Scope   = [SUBTREE]
[-2147483610] Search result parsing returned failure status
[-2147483610] Fiber exit Tx=308 bytes Rx=677 bytes, status=-1
[-2147483610] Session End

ERROR: Authentication Rejected: Unspecified

Solution

The search filter in the debug output is [sAMAccount=sargentm]: the ASA is querying an attribute named sAMAccount, which does not exist in Active Directory, so the search returns no user entry and the test fails regardless of the password. Replace the following line in the aaa-server host parameters:

ldap-naming-attribute sAMAccount

with

ldap-naming-attribute sAMAccountName

Then re-run test aaa-server authentication; if it still fails, check in debug ldap 255 that the filter now reads [sAMAccountName=sargentm] and that the Base DN actually contains the user.
