Resolution
The Adaptive Security Appliance (ASA) cannot be configured to check the Active Directory for dial-in permissions or group membership.
The ASA cannot directly query Microsoft Windows Active Directory attributes (such as group membership or the dial-in permission). This check can, however, be performed indirectly through a RADIUS server that uses Active Directory as its user store and maps user attributes into the RADIUS reply, such as Microsoft Internet Authentication Service (IAS) or Cisco Secure ACS. The ASA then authenticates the user against that RADIUS server and acts on the attributes it returns.
Refer to these documents for more information:
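As an added example (not configuration from the original note), this is the ASA side of the indirect check described above. The RADIUS group name, interface, server address, shared secret and group-policy names are placeholders; the assumption is that the IAS or ACS server is configured to authenticate the user against Active Directory and, for members of the permitted AD group, to return an Access-Accept carrying the IETF Class attribute (25) with the value OU=VPN-Engineers, which the ASA uses to select a group policy of that name.

```text
! Added example, not from the original note. Names, addresses and the key are placeholders.
!
! RADIUS server group pointing at the IAS/ACS server that fronts Active Directory.
aaa-server AD-RADIUS protocol radius
aaa-server AD-RADIUS (inside) host 10.1.1.20
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
!
! Group policy selected when the RADIUS reply carries Class = "OU=VPN-Engineers".
group-policy VPN-Engineers internal
group-policy VPN-Engineers attributes
 vpn-simultaneous-logins 3
!
! Fallback policy for users the RADIUS server authenticates but does not map to a
! group: zero simultaneous logins means the connection is refused.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Remote-access tunnel group: authenticate against AD-RADIUS instead of LOCAL,
! and fall back to NOACCESS when no Class attribute is returned.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group AD-RADIUS
 default-group-policy NOACCESS
```

The Active Directory membership decision is made entirely on the RADIUS server (the remote access policy in IAS, or group mapping in ACS); the ASA only sees Access-Accept or Access-Reject plus the returned attributes. Using a deny-all default group policy ensures that a user who authenticates but falls outside the mapped AD group is not admitted by accident. Use debug radius all on the ASA to confirm that the Class attribute actually arrives in the reply.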
You can also use these debug commands to troubleshoot the VPN configuration:
- debug crypto isakmp—This command displays errors during Phase 1.
- debug crypto ipsec—This command displays errors during Phase 2.
- debug crypto engine—This command displays information from the crypto engine.
- clear crypto ipsec sa—This command clears the Phase 2 security associations.
- debug radius [session | all | user username]—Available in PIX 6.2, this command logs RADIUS session information and the attributes of sent and received RADIUS packets.
- debug tacacs [session | user username]—Available in PIX 6.3, this command logs TACACS information.
- debug aaa [authentication | authorization | accounting | internal]—Available in PIX 6.3, this command shows Authentication, Authorization, Accounting (AAA) subsystem information.
Debug output can be voluminous on a busy appliance; enable only the debugs you need and turn them off with undebug all when you are done.