TCC_2
Level 10

Resolution

The Adaptive Security Appliance (ASA) cannot be configured to check the Active Directory for dial-in permissions or group membership.

The ASA cannot directly query any Microsoft Windows Active Directory attributes. This query, however, can be performed indirectly with a RADIUS server, such as a Microsoft Internet Authentication Service (IAS) or a Cisco Secure ACS, that can map user attributes.

Refer to these documents for more information:

You can also run different debug commands in order to troubleshoot the VPN configuration:

  • debug crypto isakmp—This command displays errors during Phase 1.
  • debug crypto ipsec—This command displays errors during Phase 2.
  • debug crypto engine—This command displays information from the crypto engine.
  • clear crypto ipsec sa—This command clears the Phase 2 security associations.
  • debug radius [session | all | user username]—Available in PIX 6.2, this command logs RADIUS session information and the attributes of sent and received RADIUS packets.
  • debug tacacs [session|user]—Available in PIX 6.3, this command logs TACACS information.
  • debug aaa [authentication|authorization|accounting|internal]—Available in PIX 6.3, this command shows Authentication, Authorization, Accounting (AAA) subsystem information.

Comments
sasuazo
Level 1

This is incorrect. You can, in fact, check AD attributes (e.g. group membership) directly from your ASA using LDAP. There is a very good explanation on how to do this here:

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/selected_topics/enforce_AD.html
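To illustrate what the comment describes, here is an added example configuration (not from the original post or from the linked Cisco document) that maps Active Directory group membership to an ASA group policy through an LDAP attribute map, with a default-deny policy for users in no mapped group. All names, the domain example.com, the server address 192.0.2.10 and the group DN are assumptions.

```cisco
! Added example, not from the original post or from Cisco's document.
! Assumed names: AD-LDAP, AD-Map, VPN-TG, NoAccess, VPN-Allowed, the
! domain example.com, the server 192.0.2.10 and the group CN=VPN-Users.
!
! 1. LDAP server definition pointing at a domain controller (LDAPS).
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD-Map
!
! 2. Map the AD memberOf attribute onto the ASA group policy.
!    On ASA 8.2 and later the Cisco attribute is Group-Policy;
!    earlier releases use IETF-Radius-Class instead.
ldap attribute-map AD-Map
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com" VPN-Allowed
!
! 3. Default-deny: a user whose memberOf values match no map-value
!    stays in NoAccess, which permits zero simultaneous logins.
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0
!
group-policy VPN-Allowed internal
group-policy VPN-Allowed attributes
 vpn-simultaneous-logins 3
!
! 4. The tunnel group authenticates against AD; anyone not mapped
!    to VPN-Allowed receives the NoAccess default policy.
tunnel-group VPN-TG type remote-access
tunnel-group VPN-TG general-attributes
 authentication-server-group AD-LDAP
 default-group-policy NoAccess
```

`show ldap attribute-map` confirms the map is loaded, and `debug ldap 255` during a test login shows which memberOf value matched and which group policy was assigned.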
