Cisco ASA - Microsoft LDAP authentication

Pavel Pokorny
Level 1

Dear all,

I have configured the ASA as a client for LDAP authentication when the remote access VPN is in use.

Almost everything works fine. I mean, I can log in to the network, I can get some attributes located in LDAP, etc.

But I have met a problem.

When the login name is in the format login-name only, everything works fine.

When the login name is in the format domain\login-name, everything crashes:

test aaa-server authentication LDAP-AD host 192.168.1.4 username help password xxxx

INFO: Attempting Authentication test to IP address <192.168.1.4> (timeout: 12 seconds)
[9064] Session Start
[9064] New request Session, context 0x749ad428, reqType = Authentication
[9064] Fiber started
[9064] Creating LDAP context with uri=ldaps://192.168.1.4:636
[9064] Connect to LDAP server: ldaps://192.168.1.4:636, status = Successful
[9064] supportedLDAPVersion: value = 3
[9064] supportedLDAPVersion: value = 2
[9064] Binding as pokus
[9064] Performing Simple authentication for pokus to 192.168.1.4
[9064] LDAP Search:
        Base DN = [dc=domain,dc=local]
        Filter  = [sAMAccountName=domain\\help]
        Scope   = [SUBTREE]
[9064] User domain\help not found
[9064] Fiber exit Tx=302 bytes Rx=790 bytes, status=-1
[9064] Session End
ERROR: Authentication Rejected: User was not found

Has anyone met this situation? And does anybody know how to handle this?

Thanks

1 Reply

Joseph.Rehling
Level 1

I believe the filter line is the issue. sAMAccountName will not have a \, just the user name. In the naming attributes field, all you should have in that block is samaccountname and nothing more. When you log in, you don't specify a domain. If you want to specify a domain, you need to use a different field. Since no field in AD has a \, I don't know how you could correct that. I believe userPrincipalName is the closest attribute you could try, though that would use @...
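The two points made in this thread, that the ASA builds its search filter straight from the typed login and that sAMAccountName never contains a backslash while userPrincipalName uses the @ form, can be shown in code. This is an added illustration, not Cisco's or the poster's code: it normalises a typed login to the attribute that can match it (with RFC 4515 escaping), and scans ASA debug output for the exact failure pattern in the question. The realm "domain.local" and the sample log are constructed assumptions based on the Base DN shown above.

```python
import re

# RFC 4515 escaping for values placed inside an LDAP search filter, so a typed
# login cannot alter the filter's structure. The ASA log above shows the same
# idea: the backslash in the login is sent doubled as "\\" in the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(login: str, expected_realm: str = "domain.local") -> str:
    """Map a typed login to the AD attribute that can actually match it.

    'help'              -> (sAMAccountName=help)           what the ASA sends today
    'domain\\help'      -> (sAMAccountName=help)           NetBIOS prefix stripped,
                                                           sAMAccountName never holds '\\'
    'help@domain.local' -> (userPrincipalName=help@domain.local)  the attribute the reply suggests
    expected_realm is an assumed value used to reject logins for a foreign realm.
    """
    if "\\" in login:
        _netbios, _, name = login.partition("\\")
        return f"(sAMAccountName={escape_filter_value(name)})"
    if "@" in login:
        _name, _, realm = login.rpartition("@")
        if realm.lower() != expected_realm.lower():
            raise ValueError(f"login realm {realm!r} is not {expected_realm!r}")
        return f"(userPrincipalName={escape_filter_value(login)})"
    return f"(sAMAccountName={escape_filter_value(login)})"

# The failure shown in the question: a 'User X not found' line where X still
# carries a NetBIOS prefix, i.e. the filter was built from an unstripped login.
_NOT_FOUND = re.compile(r"\[\d+\] User (?P<login>\S+) not found")

def domain_prefixed_rejections(log_text: str) -> list[str]:
    """Return logins from 'User ... not found' lines that still contain a backslash."""
    return [m.group("login") for m in _NOT_FOUND.finditer(log_text) if "\\" in m.group("login")]

# Constructed sample modelled on the debug output in the question (second
# rejection added to show that a plain unknown user is not flagged).
SAMPLE_LOG = """[9064] Binding as pokus
[9064] LDAP Search:
        Base DN = [dc=domain,dc=local]
        Filter  = [sAMAccountName=domain\\\\help]
        Scope   = [SUBTREE]
[9064] User domain\\help not found
[9065] User nosuchuser not found
"""
```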