4650 Views, 0 Helpful, 2 Replies

AD account lockout in VPN

asif.blessings
Level 1

We are using ASA5520 as our VPN concentrator and have configured IPSec authentication using digital certificates with Microsoft CA for the remote access VPN. The AAA server used for remote user authentication is Windows Active Directory. A screenshot of the AAA configuration is attached. The problem we face is that the "Login DN" account (marked in a red box in the screenshot) is frequently getting locked out in the Active Directory. I have confirmed that the password is the same on both ends and the account is not used anywhere else.

The NTP server configured for the VPN concentrator is the Active Directory itself but no accounts are configured (not required) for updating the time service in the concentrator.

VPN Client version 5.0.06

Active Directory: Windows Server 2008

Can anyone help me to sort out this issue please.

2 Replies

Herbert Baerten
Cisco Employee

I don't know AD itself that well so I'm not sure but isn't there a log file somewhere that logs failed authentication attempts?

Other than that, you can enable "debug ldap 255" on the ASA and check if that gives you any clues, i.e. does it show authentication failures?

hth

Herbert
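Herbert's suggestion of checking the AD logs for failed attempts, worked through as an added example (this is not code from the original thread or from Cisco). It assumes the domain controller's Security-log events have been exported into a list of simple records; the sample records below are constructed, and the host and account names in them are placeholders. The script correlates each 4740 lockout with the failed-logon events (4625/4776) for the same account in the preceding window and reports which host they came from. When every failure comes from one host with a plain bad-password status (0xC000006A), that host most likely holds a stale copy of the password, which is the usual reason a bind account such as the ASA's Login DN keeps locking out.

```python
"""Correlate AD account lockouts (event 4740) with the failed logons before them.

Added example, not from the original thread. Input records are assumed to have
the fields time/event_id/account/source/status; SAMPLE_EVENTS is constructed.
"""
from collections import Counter
from datetime import datetime, timedelta

WRONG_PASSWORD = "0xC000006A"   # NTSTATUS: wrong password (Status / Sub Status field)
LOCKED_OUT = "0xC0000234"       # NTSTATUS: account is locked out
FAILURE_EVENTS = {4625, 4776}   # failed logon / failed credential validation
LOCKOUT_EVENT = 4740            # "A user account was locked out"

# Constructed sample export (placeholder names, not from a real domain controller).
SAMPLE_EVENTS = [
    {"time": "2011-03-01 09:00:01", "event_id": 4776, "account": "svc-asa-ldap", "source": "ASA5520", "status": WRONG_PASSWORD},
    {"time": "2011-03-01 09:00:04", "event_id": 4776, "account": "svc-asa-ldap", "source": "ASA5520", "status": WRONG_PASSWORD},
    {"time": "2011-03-01 09:00:07", "event_id": 4776, "account": "svc-asa-ldap", "source": "ASA5520", "status": WRONG_PASSWORD},
    {"time": "2011-03-01 09:00:10", "event_id": 4776, "account": "svc-asa-ldap", "source": "ASA5520", "status": WRONG_PASSWORD},
    {"time": "2011-03-01 09:00:13", "event_id": 4776, "account": "svc-asa-ldap", "source": "ASA5520", "status": WRONG_PASSWORD},
    {"time": "2011-03-01 09:00:14", "event_id": 4740, "account": "svc-asa-ldap", "source": "ASA5520", "status": ""},
    {"time": "2011-03-01 09:00:20", "event_id": 4776, "account": "svc-asa-ldap", "source": "ASA5520", "status": LOCKED_OUT},
    {"time": "2011-03-01 08:55:00", "event_id": 4625, "account": "jsmith", "source": "WS-042", "status": WRONG_PASSWORD},
    {"time": "2011-03-01 09:01:00", "event_id": 4625, "account": "jsmith", "source": "WS-042", "status": WRONG_PASSWORD},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def lockout_sources(events, window_minutes=30):
    """For every 4740 lockout, summarize the failed attempts for that account in the
    preceding window. Returns {account: [summary, ...]} in chronological order."""
    events = sorted(events, key=lambda e: _ts(e["time"]))
    report = {}
    for ev in events:
        if ev["event_id"] != LOCKOUT_EVENT:
            continue
        locked_at = _ts(ev["time"])
        start = locked_at - timedelta(minutes=window_minutes)
        failures = [f for f in events
                    if f["event_id"] in FAILURE_EVENTS
                    and f["account"].lower() == ev["account"].lower()
                    and start <= _ts(f["time"]) <= locked_at]
        sources = Counter(f["source"] for f in failures)
        statuses = {f["status"] for f in failures}
        report.setdefault(ev["account"], []).append({
            "locked_at": ev["time"],
            "caller_computer": ev["source"],       # 4740 "Caller Computer Name"
            "sources": dict(sources),
            "failures": len(failures),
            # Heuristic: a single host producing only bad-password failures is the
            # classic signature of a stored credential that was never updated.
            "single_source_bad_password": len(sources) == 1 and statuses == {WRONG_PASSWORD},
        })
    return report


def summarize(report):
    """Render the report as one line per lockout."""
    lines = []
    for account, lockouts in report.items():
        for lk in lockouts:
            src = ", ".join(f"{h} ({n})" for h, n in sorted(lk["sources"].items()))
            hint = " <- likely stale stored credential" if lk["single_source_bad_password"] else ""
            lines.append(f"{lk['locked_at']} {account} locked by {lk['caller_computer']}; "
                         f"{lk['failures']} prior failures from {src}{hint}")
    return lines


if __name__ == "__main__":
    for line in summarize(lockout_sources(SAMPLE_EVENTS)):
        print(line)
```

On a real domain the same fields come out of the 4740/4625/4776 events on the PDC emulator (all lockouts are forwarded there), so the export step is the only part that changes; the "jsmith" failures in the sample never reach a lockout and are correctly ignored.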

andamani
Cisco Employee

Hi,

Your Login DN is not in the correct format as per the screenshot. Please ensure it is of the format DN=xxx, DC=yyy.

Also please try and put the login DN as the domain admin account. It should work.

It will be great if you can post an error message that you see.

Hope this helps.

Regards,

Anisha

P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.
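A small checker for the Login DN format discussed in this reply, added as an example that is not code from the original thread or from Cisco. It validates that the string is a well-formed LDAP distinguished name as defined in RFC 4514: comma-separated attribute=value components, built from the attribute types found in AD directory paths (CN, OU, DC and similar), ending in the domain's DC= parts, and it rejects the two inputs that are most often typed into the field by mistake, a bare account name and a DOMAIN\user logon name. The sample inputs and the "svc-asa-ldap" / "example.com" names are constructed placeholders; the sample DN names a dedicated service account, which is what I would bind with rather than a shared administrative account.

```python
"""Check that an LDAP bind ("Login DN") string is a well-formed AD distinguished name.

Added example, not from the original thread. Names in SAMPLES are constructed.
"""
import re

# Attribute types that legitimately appear in an AD distinguished name (RFC 4514 keywords).
KNOWN_TYPES = {"CN", "OU", "DC", "O", "C", "L", "ST", "UID"}


def split_unescaped(s, sep):
    """Split s on sep while honouring RFC 4514 backslash escapes (e.g. 'Smith\\, John')."""
    parts, cur, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def check_bind_dn(dn):
    """Return (ok, normalized_dn, problems) for a candidate Login DN."""
    dn = dn.strip()
    if not dn:
        return False, "", ["empty DN"]
    if "\\" in dn and "=" not in dn:
        return False, dn, ["looks like a DOMAIN\\user logon name, not a DN"]
    if "=" not in dn:
        return False, dn, ["no 'attribute=value' components; a bare account name is not a DN"]

    problems, rdns = [], []
    for raw in split_unescaped(dn, ","):
        raw = raw.strip()
        if "=" not in raw:
            problems.append(f"component '{raw}' has no '='")
            continue
        attr, value = raw.split("=", 1)
        attr, value = attr.strip().upper(), value.strip()
        if not value:
            problems.append(f"component '{raw}' has an empty value")
        # Attribute type must be a known keyword or a dotted numeric OID.
        if attr not in KNOWN_TYPES and not re.fullmatch(r"\d+(\.\d+)*", attr):
            problems.append(f"'{attr}' is not an attribute type used in AD DNs (expected CN/OU/DC)")
        rdns.append(f"{attr}={value}")

    if not any(r.startswith("DC=") for r in rdns):
        problems.append("no DC= components; an AD DN ends in the domain's DC= parts")
    if rdns and not (rdns[0].startswith("CN=") or rdns[0].startswith("UID=")):
        problems.append("first component should name the account (CN=...)")
    return not problems, ",".join(rdns), problems


# Constructed inputs (placeholder names, not taken from the thread's screenshot).
SAMPLES = [
    "CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com",
    "cn=svc-asa-ldap, ou=Service Accounts, dc=example, dc=com",   # only case/spacing differ
    "svc-asa-ldap",                                               # bare sAMAccountName
    "EXAMPLE\\svc-asa-ldap",                                      # DOMAIN\user logon name
    "DN=svc-asa-ldap,DC=example,DC=com",                          # unknown attribute type
]

if __name__ == "__main__":
    for s in SAMPLES:
        ok, norm, probs = check_bind_dn(s)
        print("OK  " if ok else "FAIL", repr(s), "->", norm, probs)
```

The normalized form (upper-case attribute types, no spaces after commas) is what I would paste into the AAA server configuration, since it is the form AD tools such as ADSI Edit display for the object's distinguishedName attribute.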