Cisco Asa Error Authorization Server Not Responding
The user initiates a connection to the ASA. The ASA is configured to authenticate that user with the Microsoft Active Directory (AD)/LDAP server. The ASA connects to the LDAP server with the credentials configured on the ASA (ASAusername in this case) and looks up the username the user provided. The ASAusername account must have the appropriate rights to list contents within Active Directory. If the username is found, the ASA attempts to bind to the LDAP server with the credentials that the user provided at login. If the second bind is successful, authentication succeeds and the ASA processes the attributes of the user.

For step two, we need to configure the username which the ASA will use to authenticate to the Microsoft Active Directory/LDAP server.

ASA Configuration

In global configuration mode:

ldap attribute-map AD-VPN-GROUP
 map-name memberOf IETF-Radius-Class*
 map-value memberOf "CN=example-group-containing-the-ldap-login-dn username,OU=Security Groups," VPNName
aaa-server example protocol ldap
aaa-server example (Inside) host 172.16.0.1
 ldap-base-dn dc=example,dc=com,dc=au
 ldap-scope subtree
 ldap-naming-attribute SAMAccountName
 ldap-login-password *****
 ldap-login-dn ASAusername@example.com.au
 ldap-attribute-map AD-VPN-GROUP

*IETF-Radius-Class (Group_Policy in ASA version 8.2 and later): sets the group policy based on the directory department or user group attribute value (for example, Microsoft Active Directory memberOf). The Group_Policy attribute replaced the IETF-Radius-Class attribute with ASDM version 6.2/ASA version 8.2 or later.

Finally, to apply it to the VPN. Note that authorization-server-group takes the aaa-server group tag (example above), not the name of the attribute map; the attribute map is already attached to the server under the aaa-server host entry with ldap-attribute-map:

tunnel-group example
tunnel-group example general-attributes
 authorization-server-group example

Confirming Changes

You can use 'debug ldap 0-255' to output the information the ASA sends and receives, followed by issuing the test aaa-server command. Output from 'debug ldap' with everything working:

HomeASA# test aaa-server authentication example host 172.16.0.1 username ASAusername password LDAPpassword
INFO: Attempting Authentication test to IP address <172.16.19.1> (timeout: 12 seconds)
INFO: Authentication Successful

Let's take a more detailed look by using debug ldap 255.

INFO: Attempting Authentication test to IP address <172.16.0.1> (timeout: 12 seconds)
[9228] Session Start
[9228] New request Session, context 0xcb3fe8
ASA/PIX, IDS, IPS, VPN, Cisco Secure ACS, AAA, ISE

Mowen, New Member, Posts: 18, Joined: Wed Jul 01, 2009 8:00 am

Remote VPN using AD Auth via LDAP
Fri Oct 23, 2009 6:26 am

Hi. I'm about to change the authorization we use for remote VPN users. Today we use local users on the firewall and want the users to be authorized by AD via LDAP. I have found a few guides from Cisco, but I have a few questions... Is it required to create an attribute map to make it work? And I wonder if the firewall is case sensitive, for instance: CN = cn? As it is now I've tried to add this to our firewall config:

aaa-server LDAP-AUTH protocol ldap
aaa-server LDAP-AUTH (inside) host xxx.xxx.xxx.xxx
 ldap-base-dn dc=ITMASTERS,dc=local
 ldap-scope subtree
 ldap-login-password *
 ldap-login-dn CN=mow,CN=Users=,DC=ITMASTERS,DC=local
 server-type microsoft

The x's are the IP of our DC, and mow is my username. (Our DC is a SBS.) I've also created the tunnel-group where the authorization-server-group is set to LDAP-AUTH. When I try the "Test" button when connecting through ASDM, I get the following error: ERROR: Authorization Server not responding: AAA Server has been removed. And yes, I can ping the DC from the fw and the other way around. Maybe some user or password issue? Though I should have all rights etc.

UPDATE: I tried to remove the password and ran the test again, and this time I get a new error.... ERROR: Authorization rejected: Memory error. Same happens if I replace mow with administrator. And this is my output if I use the "sh aaa-server protocol ldap" command:

Server Group: LDAP-AUTH
Server Protocol: ldap
Server Address: xxx.xxx.xxx.xxx
Server port: 0
Server status: ACTIVE, Last transaction at unknown
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 1
Number of authorization requests 9
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 0
Number of rejects 5
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 5
Number of unrecognized responses 0

Once again, the x's are the IP of my DC. Anyone got any ideas? I'm pretty lost here... Thanks in advance!

Dinger, Post Whore, Posts: 1397, Joined: Fri Apr 25, 2008 2:16 pm, Certs: CCNP, CCNA:Sec, MCSE

Re: Remote VPN using AD Auth via LDAP
Fri Oct 23, 2009 7:48 am

Is it a requirement that you auth via LDAP directly? I'm authing VPN users against a RADIUS server (Windows IAS), which handles all the LDAP stuff
Cisco ASA5510 - ldap, radius not working to inside server
Posted on 2011-10-10 (Cisco, Hardware Firewalls). Solved: 1 Verified Solution, 7 Comments, 4,035 Views. Last Modified: 2012-05-12

Question by snowdog_2112:

This seems to be an access-list issue more than Windows, LDAP, or RADIUS. If I run a "test aaa-server authentication my_aaa", I am getting:

ERROR: Authentication Server not responding: AAA Server has been removed

If I packet-trace ldap and radius, either from the Windows server to the ASA or from the ASA to Windows, the packet is dropped on the inside interface implicit rule. I even went so far as to add an ACL on the inside interface "permit ip any host 192.168.1.1" and I still get the implicit drop on the inside interface. Any thoughts?

Best Solution by snowdog_2112:

I found one issue, which I don't think should have given me the error on the test aaa-server, but it's working now. The ldap-naming-attribute was mis-typed as "aAMAccountname" instead of "sAMAccountName".

Comments

Expert Comment by Sorenson, 2011-10-11:
Can you post a sanitized config of the ASA?

Expert Comment by Boilermaker85, 2011-10-11:
At the ASA console, issue "show aaa-server". If it shows as FAILED, then you must reactivate it before it will use it again. First, can you ping the RADIUS server from the ASA (assuming you have ICMP enabled on the inside i/f)? If so, then you can proceed to reactivate the aaa-server on the ASA:

aaa-server ACS active host a.b.c.d

where a.b.c.d is the address of the RADIUS server.

Expert Comment by Boilermaker85, 2011-10-11:
Oh, I guess I didn't re