Hi ChristopherGDay,
I have the same problem as jlmickens but unfortunately I can't make your solution work. Could you take a look at my config and debug log to see if you find something?
ldap attribute-map VPNUSERSGROUP
 map-name memberOf IETF-Radius-Service-Type
 map-value memberOf memberOf CN=VPNUSERS,OU=Multi-site,OU=Permissions,OU=Groups,OU=VMG,DC=ad,DC=mydomain,DC=com

aaa-server VMG_LDAP protocol ldap
aaa-server VMG_LDAP (VRFPrivate) host 192.168.110.11
 ldap-base-dn cn=Users,dc=ad,dc=mydomain,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cvl-asa-5505-f1@ad.mydomain.com
 sasl-mechanism digest-md5
 server-type microsoft
 ldap-attribute-map VPNUSERSGROUP

group-policy ikev2-policy internal
group-policy ikev2-policy attributes
 vpn-tunnel-protocol ikev2
group-policy VPNUSERSPOLICY internal
group-policy VPNUSERSPOLICY attributes
 wins-server none
 dns-server value 192.168.110.11 192.168.110.6
 vpn-filter value VPNUSERS
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITTUNNEL
 default-domain value ad.mydomain.com

tunnel-group VPNUSERS type remote-access
tunnel-group VPNUSERS general-attributes
 address-pool VPNPOOL
 authentication-server-group VMG_LDAP
 default-group-policy VPNUSERSPOLICY
tunnel-group VPNUSERS webvpn-attributes
 group-alias VPNUSERS enable
If I remove the line "authentication-server-group VMG_LDAP" everything works perfectly (with a local user). But as soon as I add it, I can't authenticate. Here is the debug I get:
# test aaa-server authentication VMG_LDAP host 192.168.110.11 username CVL-ASA-5505-F1 password ********
INFO: Attempting Authentication test to IP address <192.168.110.11> (timeout: 12 seconds)
[-2147483609] Session Start
[-2147483609] New request Session, context 0xcea9b458, reqType = Authentication
[-2147483609] Fiber started
[-2147483609] Creating LDAP context with uri=ldap://192.168.110.11:389
[-2147483609] Connect to LDAP server: ldap://192.168.110.11:389, status = Successful
[-2147483609] supportedLDAPVersion: value = 3
[-2147483609] supportedLDAPVersion: value = 2
[-2147483609] Binding as cvl-asa-5505-f1@ad.mydomain.com
[-2147483609] Performing SASL authentication for cvl-asa-5505-f1@ad.mydomain.com to 192.168.110.11
[-2147483609] Server supports the following SASL methods: GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5
[-2147483609] hostname = 192.168.110.11
[-2147483609] SASL authentication start with mechanism DIGEST-MD5 for cvl-asa-5505-f1@ad.mydomain.com
[-2147483609] getsimple:4002 [cvl-asa-5505-f1@ad.mydomain.com]
[-2147483609] getsimple:4001 [cvl-asa-5505-f1@ad.mydomain.com]
[-2147483609] getsecret: [**************]
[-2147483609] SASL step for cvl-asa-5505-f1@ad.mydomain.com returned code (1) another step is needed in authentication
[-2147483609] SASL authentication for cvl-asa-5505-f1@ad.mydomain.com with mechanism DIGEST-MD5 rejected
[-2147483609] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[-2147483609] Fiber exit Tx=638 bytes Rx=1003 bytes, status=-2
[-2147483609] Session End
ERROR: Authentication Server not responding: AAA Server has been removed
Any idea?
Any help would be greatly appreciated. Thanks
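Added example (not part of the post above, and not Cisco code): a small triage helper that reads ASA `test aaa-server` LDAP debug lines like the ones quoted and reports at which stage the bind attempt failed (connect, SASL mechanism negotiation, or the login-dn bind). The sample input is a constructed, condensed copy of the debug output in the post; the function name and verdict strings are my own.

```python
import re

# Constructed sample, condensed from the ASA debug output quoted in the post.
SAMPLE_DEBUG = """\
[-2147483609] Session Start
[-2147483609] Creating LDAP context with uri=ldap://192.168.110.11:389
[-2147483609] Connect to LDAP server: ldap://192.168.110.11:389, status = Successful
[-2147483609] Binding as cvl-asa-5505-f1@ad.mydomain.com
[-2147483609] Server supports the following SASL methods: GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5
[-2147483609] SASL authentication start with mechanism DIGEST-MD5 for cvl-asa-5505-f1@ad.mydomain.com
[-2147483609] SASL authentication for cvl-asa-5505-f1@ad.mydomain.com with mechanism DIGEST-MD5 rejected
[-2147483609] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[-2147483609] Session End
"""


def triage_asa_ldap_debug(text: str) -> dict:
    """Classify where an ASA LDAP bind attempt failed, from its debug lines.

    Stages checked in order: LDAP connect, SASL mechanism offered by the
    server, then the administrator (ldap-login-dn) bind itself.
    """
    result = {"connected": False, "bind_dn": None, "server_mechanisms": [],
              "mechanism": None, "sasl_rejected": False, "bind_failed": False,
              "verdict": "no LDAP session found in debug"}
    for line in text.splitlines():
        if re.search(r"Connect to LDAP server: .*status = Successful", line):
            result["connected"] = True
        elif m := re.search(r"Binding as (\S+)", line):
            result["bind_dn"] = m.group(1)
        elif m := re.search(r"supports the following SASL methods: (.+)$", line):
            result["server_mechanisms"] = m.group(1).split()
        elif m := re.search(r"SASL authentication start with mechanism (\S+)", line):
            result["mechanism"] = m.group(1)
        elif re.search(r"SASL authentication for .* rejected", line):
            result["sasl_rejected"] = True
        elif "Failed to bind as administrator" in line:
            result["bind_failed"] = True
    if "Session Start" not in text:
        return result  # nothing to triage
    if not result["connected"]:
        result["verdict"] = "connect failed: reachability, port or ACL problem before any bind"
    elif result["mechanism"] and result["mechanism"] not in result["server_mechanisms"]:
        result["verdict"] = f"server does not offer {result['mechanism']}: change sasl-mechanism"
    elif result["sasl_rejected"]:
        # The trailing "Can't contact LDAP server" text is misleading here: the
        # connect line already reported success, so the failure is at the bind.
        result["verdict"] = (f"connected, but {result['mechanism']} bind as {result['bind_dn']} "
                             "was rejected: login-dn credentials or mechanism support on that "
                             "account, not reachability")
    elif result["bind_failed"]:
        result["verdict"] = "connected, bind failed without SASL rejection: check login-dn and password"
    else:
        result["verdict"] = "connect and bind succeeded"
    return result
```

Run it over the full debug output to confirm the session got past the connect stage before looking at credentials or the SASL mechanism on the login-dn account.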