LDAP/AD auth for VPN remote access

Jun Zheng
Level 1

I have set up IPsec VPN remote access on an ASA 5505 and use the MS Windows client to connect; it worked when I used aaa-server LOCAL for the authentication.

Then I set up the aaa-server using LDAP and ran the test command with a successful return, but when I changed the authentication to use LDAP instead of LOCAL for VPN access, the VPN connection failed with an authentication error.

Where could it go wrong in this case?

Thanks,

3 Replies

I usually do not remove LOCAL; I leave it there for failover. I know you said this is for VPN access, but for management access I usually set it like this:

aaa authentication ssh console Ldap LOCAL
aaa authentication enable Ldap LOCAL

Can you share the configuration you are changing? Have you specified the source interface?

Rolando A. Valenzuela.
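For reference, an added configuration fragment (not from the reply above or from Cisco's documentation) showing the same LDAP-then-LOCAL fallback applied to a remote-access tunnel-group rather than to management access, together with the LDAP server group it references; the interface name, addresses, DNs, group names and credentials are assumed placeholders, and the LDAPS settings go beyond what the thread shows.

```cisco
! Server group: ASA binds to AD with a service account and looks the
! VPN user up by sAMAccountName. Placeholder values throughout.
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password <SERVICE-ACCOUNT-PASSWORD>
 server-type microsoft
 ! Protect the simple bind on the ASA-to-DC leg (assumed: DC offers LDAPS on 636)
 ldap-over-ssl enable
 server-port 636
!
! Tunnel-group: try LDAP first, fall back to LOCAL only if the LDAP
! servers are unreachable (not on a wrong password).
tunnel-group RA-VPN general-attributes
 authentication-server-group LDAP LOCAL
!
! Verify the bind and user lookup before switching the tunnel-group over
! (placeholder username/password):
test aaa-server authentication LDAP host 10.0.0.10 username jdoe password <USER-PASSWORD>
```

Note that the LOCAL keyword on `authentication-server-group` only provides fallback when every server in the group is unreachable; a rejected credential is not retried against the local database.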

Thanks Rolando for your reply.

I also kept LOCAL for fallback; actually, I did see the request in the output of show aaa-server LDAP.

I wonder where to check. I will share the configuration on Monday.

Jun Zheng 


Jun Zheng
Level 1

Found out that it was because of an authentication protocol mismatch: the Cisco ASA only supports PAP when using LDAP authentication, but PAP uses an encrypted password on Windows; therefore, I unchecked PAP when I created the VPN connection.

Why does the ASA only support PAP? Is there a secure way to establish the VPN and use LDAP authentication?