10709 Views | 39 Helpful | 8 Replies

Cisco ASA 5510 and Windows 2008 LDAP

fb_webuser
Level 6

hi!

I have a working config for a 2003 server:

aaa-server DC1 protocol ldap
aaa-server DC1 (inside) host 172.25.29.9
ldap-base-dn DC=KIEV,DC=CC
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn CN=ASA_LDAP,OU=aides,OU=IT,DC=KIEV,DC=CC
server-type auto-detect
ldap-attribute-map LDAPVPNMAP

But when I created another aaa-server DC2 with the same config (different IP and name only), which is running under Server 2008, I got this in the debug:

Session Start
New request Session, context 0xd7c23870, reqType = Authentication
Fiber started
Creating LDAP context with uri=ldap://172.25.29.8:389
Connect to LDAP server: ldap://172.25.29.8:389, status = Successful
supportedLDAPVersion: value = 3
supportedLDAPVersion: value = 2
Binding as ASA_LDAP
Performing Simple authentication for ASA_LDAP to 172.25.29.8
Simple authentication for ASA_LDAP returned code (49) Invalid credentials
Failed to bind as administrator returned code (-1) Can't contact LDAP server
Fiber exit Tx=201 bytes Rx=601 bytes, status=-2
Session End

FW01# test aaa-server authentication DC2
Server IP Address or name: 172.25.29.8
Username: aleksandr.pekurovsky
Password: **********
INFO: Attempting Authentication test to IP address <172.25.29.8> (timeout: 12 seconds)
ERROR: Authentication Server not responding: AAA Server has been removed

---
Posted by WebUser Aleksandr Pekurovsky
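The debug transcript above carries the real answer in one line: the directory was reached ("status = Successful") and then itself refused the bind with result code 49, so the later "(-1) Can't contact LDAP server" and "AAA Server has been removed" messages are consequences, not the cause. The following script is an added example (not code from the original post, from Cisco, or from any poster) that parses `debug ldap` output of this shape and produces a one-line verdict per session. The sample transcript embedded in it is constructed from the lines quoted in this thread; the treatment of the server-returned code as authoritative is an assumption of the example, and the result-code names come from RFC 4511.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the `debug ldap` transcript in this thread
# (one authentication session against a Windows DC, bind refused with code 49).
SAMPLE_DEBUG = """\
vpn1# [13238] Session End
[13239] Session Start
[13239] New request Session, context 0x748a67a8, reqType = Authentication
[13239] Fiber started
[13239] Creating LDAP context with uri=ldap://10.35.2.18:389
[13239] Connect to LDAP server: ldap://10.35.2.18:389, status = Successful
[13239] supportedLDAPVersion: value = 3
[13239] supportedLDAPVersion: value = 2
[13239] Binding as ciscovpn asa5520
[13239] Performing Simple authentication for ciscovpn asa5520 to 10.35.2.18
[13239] Simple authentication for ciscovpn asa5520 returned code (49) Invalid credentials
[13239] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[13239] Fiber exit Tx=238 bytes Rx=586 bytes, status=-2
[13239] Session End
"""

# LDAP resultCode names from RFC 4511 section 4.1.9 (the subset that matters for bind problems).
LDAP_RESULT_CODES = {
    0: "success",
    32: "noSuchObject",
    34: "invalidDNSyntax",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# Optional CLI prompt ("vpn1# "), then the optional "[nnnn]" session tag the ASA prefixes lines with.
_PREFIX_RE = re.compile(r"^(?:\S+#\s*)?(?:\[(\d+)\]\s*)?")
_CONNECT_RE = re.compile(r"Connect to LDAP server:\s*([^\s,]+),\s*status\s*=\s*(\w+)")
_BIND_RE = re.compile(r"Performing Simple authentication for (.+?) to (\S+)$")
_RESULT_RE = re.compile(r"Simple authentication for .+? returned code \((-?\d+)\)\s*(.*)$")


@dataclass
class BindAttempt:
    session: Optional[str] = None
    server: Optional[str] = None
    connected: bool = False
    bind_identity: Optional[str] = None
    result_code: Optional[int] = None
    result_text: Optional[str] = None


def parse_debug(text: str) -> List[BindAttempt]:
    """Group debug lines into sessions and pull out the connect result and the bind result."""
    attempts: List[BindAttempt] = []
    current: Optional[BindAttempt] = None
    for raw in text.splitlines():
        m = _PREFIX_RE.match(raw)          # always matches: every part of the prefix is optional
        session, line = m.group(1), raw[m.end():].strip()
        if line == "Session Start":
            current = BindAttempt(session=session)
            attempts.append(current)
            continue
        if current is None:
            continue                       # lines before the first "Session Start" (stray "Session End")
        if (c := _CONNECT_RE.search(line)):
            current.server = c.group(1)
            current.connected = c.group(2).lower() == "successful"
        elif (b := _BIND_RE.search(line)):
            current.bind_identity = b.group(1)
        elif (r := _RESULT_RE.search(line)):
            current.result_code = int(r.group(1))
            current.result_text = r.group(2).strip()
    return attempts


def triage(a: BindAttempt) -> str:
    """One-line verdict per session. Assumption: the code the directory itself returned
    ("returned code (49)") is authoritative; the later "(-1) Can't contact LDAP server"
    and "AAA Server has been removed" lines are consequences of that refused bind."""
    if a.server is None:
        return "no connect attempt recorded"
    if not a.connected:
        return f"transport: could not connect to {a.server} (check reachability, port, ACLs)"
    if a.result_code is None:
        return f"connected to {a.server} but no bind result recorded"
    name = LDAP_RESULT_CODES.get(a.result_code, "unknown")
    if a.result_code == 0:
        return f"ok: bind as '{a.bind_identity}' accepted by {a.server}"
    hint = ""
    if a.result_code == 49:
        hint = " -> server reached; check ldap-login-dn and ldap-login-password, not connectivity"
    return f"bind rejected ({a.result_code} {name}) for '{a.bind_identity}' on {a.server}{hint}"


if __name__ == "__main__":
    for attempt in parse_debug(SAMPLE_DEBUG):
        print(f"session {attempt.session}: {triage(attempt)}")
```

Run it on a saved `debug ldap` capture instead of `SAMPLE_DEBUG` to separate the two failure classes this thread mixes up: a connect that never succeeds (network/port problem) versus a connect that succeeds and a bind the DC rejects (DN or password problem).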

8 Replies

peymaan25
Level 1

The same problem here. Even if you install Win2008 with a functional level of 2003, I got the same error:

INFO: Attempting Authentication test to IP address <192.168.28.10> (timeout: 12 seconds)
ERROR: Authentication Server not responding: AAA Server has been removed

any idea?

Same problem here

Below is my debug data. This user is defined in the ASA login DN as CN=CISCOVPN ASA5520, CN=USERS, DC=VCMAD, DC=OAK, DC=IPARADIGMS, DC=COM

vpn1# [13238] Session End
[13239] Session Start
[13239] New request Session, context 0x748a67a8, reqType = Authentication
[13239] Fiber started
[13239] Creating LDAP context with uri=ldap://10.35.2.18:389
[13239] Connect to LDAP server: ldap://10.35.2.18:389, status = Successful
[13239] supportedLDAPVersion: value = 3
[13239] supportedLDAPVersion: value = 2
[13239] Binding as ciscovpn asa5520
[13239] Performing Simple authentication for ciscovpn asa5520 to 10.35.2.18
[13239] Simple authentication for ciscovpn asa5520 returned code (49) Invalid credentials
[13239] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[13239] Fiber exit Tx=238 bytes Rx=586 bytes, status=-2
[13239] Session End

Hope you can help....

I received the same error message. I am using Microsoft Windows 2008 R2 as my LDAP server.

I was able to resolve my issue by putting everything in lower case and putting a space between dc and cn. See the working config below:

aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.168.x.x
ldap-base-dn dc=hc, dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=ldap, cn=users, dc=hc, dc=local
server-type microsoft

Just in case you are still having this problem, I have been able to get the process to work as follows:

First off, using an OU in the ldap-login-dn did not work, and the settings above did not work either, as you see. What I did was use:

ldap-login-dn CN=user name,CN=Users (anything outside of the default user group did not work for me); from that point on I use the valid base DN to complete the string.

I had to ensure the "user name" was in the default USERS group and had the correct PW.

If anyone has the answer to why using an OU in the ldap-login-dn does not work, I would like to hear from you...

Good Luck

To get a configuration working, I had to enter my OUs deepest level first.

Tree structure:

MyDomain.local
     MyBusiness
          Users
               SBSUsers
                    My Name

Login DN:  CN=My Name, OU=SBSUsers,OU=Users,OU=MyBusiness,DC=MyDomain, DC=local
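The two replies above are about the same thing: the string form of a distinguished name (RFC 4514) is written leaf first, so a tree path has to be reversed, the default Users container is `CN=Users` rather than an OU, and the variants seen in this thread (upper or lower case attribute types, a space after the comma) are all spellings of one DN. The following helper is an added example, not code from Cisco or from any poster in this thread, that builds a login DN from a tree path with proper escaping and normalizes a hand-typed DN so two spellings can be compared before they are pasted into `ldap-login-dn`. The domain names and account names in the tests are constructed; the escaping rules are the ones RFC 4514 section 2.4 specifies.

```python
from typing import List, Sequence, Tuple

# RFC 4514 section 2.4: these characters must be backslash-escaped inside an attribute value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one RDN value so it survives DN parsing (RFC 4514 string form)."""
    if not value:
        raise ValueError("empty RDN value")
    out: List[str] = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):      # leading or trailing space
            out.append("\\ ")
        elif ch == "#" and i == 0:              # leading '#'
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def build_login_dn(cn: str, parents: Sequence[Tuple[str, str]], domain: str) -> str:
    """Build a bind DN leaf first. `parents` is the container path top-down as
    (attribute, name) pairs, e.g. [("OU", "MyBusiness"), ("OU", "Users"), ("OU", "SBSUsers")]
    or [("CN", "Users")] for the default Users container; `domain` is the DNS domain name."""
    rdns = ["CN=" + escape_rdn_value(cn)]
    rdns += [f"{attr.upper()}={escape_rdn_value(name)}" for attr, name in reversed(parents)]
    rdns += ["DC=" + escape_rdn_value(label) for label in domain.split(".") if label]
    return ",".join(rdns)


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash escapes and
    tolerating optional whitespace after the comma separator (RFC 4514 permits it)."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])            # keep the escape pair untouched
            i += 2
            continue
        if ch == ",":                          # unescaped comma: RDN boundary
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    pairs: List[Tuple[str, str]] = []
    for rdn in parts:
        attr, sep, value = rdn.lstrip().partition("=")   # only strip the space after the comma
        attr = attr.strip()
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.upper(), value))
    return pairs


def normalize_dn(dn: str) -> str:
    """Canonical spelling: upper-case attribute types, no whitespace after commas.
    Values are left exactly as written (escapes included)."""
    return ",".join(f"{attr}={value}" for attr, value in split_dn(dn))


if __name__ == "__main__":
    # Constructed sample tree, the same shape as the SBS tree drawn above.
    print(build_login_dn("My Name", [("OU", "MyBusiness"), ("OU", "Users"), ("OU", "SBSUsers")], "MyDomain.local"))
    print(build_login_dn("ldap", [("CN", "Users")], "hc.local"))
    print(normalize_dn("cn=ldap, cn=users, dc=hc, dc=local"))
```

`normalize_dn` is the useful check when a DN "works" in one spelling and not another: if both spellings normalize to the same string, the difference was never the DN and the search for the cause should move to the password, the account's container, or the bind identity format.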

scott spangle
Level 1

I had this same problem.  I resolved it by changing the ldap-login-dn line.

ldap-login-dn user@domain.com

Same problem.

Useful commands:

debug ldap 225

And "scott spangle", that's black magic! It works!!!

user@pu.local works for me!!!!

My coworker said that it's the same way that the CUCM is integrated with LDAP; maybe the documentation could be fixed for this...

Thank you, helpful.