Cisco AAA not working
Pash
Member Posts: 1,600
in CCNA & CCENT
aaa-server KB_domain.local host x.x.x.x
kerberos-realm xx-xxxxx.NET
aaa-server LD_domain.local protocol ldap
aaa-server LD_domain.local host x.x.x.x
timeout 10
ldap-base-dn ou=Cisco
ldap-scope onelevel
ldap-naming-attribute uid
ldap-login-password password
ldap-login-dn cisco
6|Sep 18 2008 14:19:12|302014: Teardown TCP connection 1117 for inside:10.129.2.230/389 to NP Identity Ifc:10.129.3.231/1120 duration 0:00:00 bytes 152 TCP FINs
6|Sep 18 2008 14:19:12|113005: AAA user authorization Rejected : reason = Unspecified : server = 10.129.2.230 : user = mcdoormat
6|Sep 18 2008 14:19:12|302013: Built outbound TCP connection 1117 for inside:10.129.2.230/389 (10.129.2.230/389) to NP Identity Ifc:10.129.3.231/1120 (10.129.3.231/1120)
6|Sep 18 2008 14:19:12|113004: AAA user authentication Successful : server = 10.129.2.230 : user = mcdoormat
6|Sep 18 2008 14:19:12|302015: Built outbound UDP connection 1116 for inside:10.129.2.230/88 (10.129.2.230/88) to NP Identity Ifc:10.129.3.231/1126 (10.129.3.231/1126)
6|Sep 18 2008 14:19:12|609001: Built local-host inside:10.129.2.230
6|Sep 18 2008 14:19:12|609001: Built local-host NP Identity Ifc:10.129.3.231
6|Sep 18 2008 14:19:10|713172: Group = Companyx, IP = xxxxxxxxxx, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
6|Sep 18 2008 14:19:10|302015: Built inbound UDP connection 1115 for outsidexxxxxxxx/1402 (xxxxxxxx/1402) to NP Identity Ifcxxxxxxx/4500 (xxxxxxxx/4500)
6|Sep 18 2008 14:19:10|302015: Built inbound UDP connection 1114 for outsidexxxxxxxxxx/1408 (xxxxxxxxxxx/1408) to NP Identity Ifcxxxxxxxxxxxx500 (195.14.68.209/500)
6|Sep 18 2008 14:19:10|609001: Built local-host outsidexxxxxxxxx
It seems to authenticate OK but the authorization seems to fail. I can't for the life of me figure out why.
I blanked out public addresses.
Anyone got any suggestions?
Cheers,
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
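An added example, not part of the post above: a small parser for the ASA syslog format shown (severity|timestamp|message-id: text) that correlates message 113004 (authentication successful) with 113005 (authorization rejected) per user, which is the symptom the post describes. The sample log is built from the lines quoted in the post plus one constructed line for a second user who authenticated without an authorization rejection; the helper and function names are the author's own, not an ASA API.

```python
import re
from collections import defaultdict

# Sample input: three AAA/connection lines quoted from the post above, plus one
# constructed 113004 line for "otheruser" to show a user with no rejection.
SAMPLE_LOG = """\
6|Sep 18 2008 14:19:12|302014: Teardown TCP connection 1117 for inside:10.129.2.230/389 to NP Identity Ifc:10.129.3.231/1120 duration 0:00:00 bytes 152 TCP FINs
6|Sep 18 2008 14:19:12|113005: AAA user authorization Rejected : reason = Unspecified : server = 10.129.2.230 : user = mcdoormat
6|Sep 18 2008 14:19:12|113004: AAA user authentication Successful : server = 10.129.2.230 : user = mcdoormat
6|Sep 18 2008 14:19:30|113004: AAA user authentication Successful : server = 10.129.2.230 : user = otheruser
"""

# severity | "Mon DD YYYY HH:MM:SS" | six-digit message id ": " free text
LINE_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}): (?P<text>.*)$")
# "key = value" pairs separated by " : " inside the 1130xx message text
FIELD_RE = re.compile(r"(\w+) = ([^:]+?)(?: :|$)")


def parse_line(line):
    """Split one ASA syslog line into its header parts and key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = {k: v.strip() for k, v in FIELD_RE.findall(rec["text"])}
    return rec


def aaa_outcomes(log_text):
    """Return {user: {'authn': ..., 'server': ..., 'authz': reason}} from 113004/113005 lines."""
    out = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["msgid"] not in ("113004", "113005"):
            continue
        user = rec["fields"].get("user")
        if rec["msgid"] == "113004":
            out[user]["authn"] = "Successful"
            out[user]["server"] = rec["fields"].get("server")
        else:  # 113005: record the rejection reason the ASA reported
            out[user]["authz"] = rec["fields"].get("reason", "Rejected")
    return dict(out)


def authn_ok_authz_rejected(log_text):
    """Users who passed authentication but whose authorization was rejected."""
    return sorted(u for u, o in aaa_outcomes(log_text).items()
                  if o.get("authn") == "Successful" and "authz" in o)
```

The "reason = Unspecified" value is kept per user so the same pass can distinguish an unspecified LDAP authorization failure from other reasons when run over a larger log.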