Cisco AAA not working

PashPash
aaa-server KB_domain.local host x.x.x.x
kerberos-realm xx-xxxxx.NET
aaa-server LD_domain.local protocol ldap
aaa-server LD_domain.local host x.x.x.x
timeout 10
ldap-base-dn ou=Cisco
ldap-scope onelevel
ldap-naming-attribute uid
ldap-login-password password
ldap-login-dn cisco
6|Sep 18 2008 14:19:12|302014: Teardown TCP connection 1117 for inside:10.129.2.230/389 to NP Identity Ifc:10.129.3.231/1120 duration 0:00:00 bytes 152 TCP FINs
6|Sep 18 2008 14:19:12|113005: AAA user authorization Rejected : reason = Unspecified : server = 10.129.2.230 : user = mcdoormat
6|Sep 18 2008 14:19:12|302013: Built outbound TCP connection 1117 for inside:10.129.2.230/389 (10.129.2.230/389) to NP Identity Ifc:10.129.3.231/1120 (10.129.3.231/1120)
6|Sep 18 2008 14:19:12|113004: AAA user authentication Successful : server = 10.129.2.230 : user = mcdoormat
6|Sep 18 2008 14:19:12|302015: Built outbound UDP connection 1116 for inside:10.129.2.230/88 (10.129.2.230/88) to NP Identity Ifc:10.129.3.231/1126 (10.129.3.231/1126)
6|Sep 18 2008 14:19:12|609001: Built local-host inside:10.129.2.230
6|Sep 18 2008 14:19:12|609001: Built local-host NP Identity Ifc:10.129.3.231
6|Sep 18 2008 14:19:10|713172: Group = Companyx, IP = xxxxxxxxxx, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
6|Sep 18 2008 14:19:10|302015: Built inbound UDP connection 1115 for outside:xxxxxxxx/1402 (xxxxxxxx/1402) to NP Identity Ifc:xxxxxxx/4500 (xxxxxxxx/4500)
6|Sep 18 2008 14:19:10|302015: Built inbound UDP connection 1114 for outside:xxxxxxxxxx/1408 (xxxxxxxxxxx/1408) to NP Identity Ifc:xxxxxxxxxxxx500 (195.14.68.209/500)
6|Sep 18 2008 14:19:10|609001: Built local-host outside:xxxxxxxxx

It seems to authenticate OK but the authorization seems to fail. I can't for the life of me figure out why.

I blanked out public addresses.

Anyone got any suggestions?

Cheers,
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
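The logs above show the exact pattern worth alerting on when an ASA uses one server for authentication and another for authorization: message 113004 (authentication successful) and 113005 (authorization rejected) for the same user. This is an added example, not code from the original post or from Cisco; it parses lines in the syslog shape quoted above and pairs the two message IDs per user. The sample lines are constructed in that format, and the field names (`reason`, `server`, `user`) are taken from the 113xxx lines in the post.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ASA syslog shape quoted in the post
# (severity|timestamp|message-id: text). Addresses and users are illustrative.
SAMPLE_LOGS = """\
6|Sep 18 2008 14:19:12|113005: AAA user authorization Rejected : reason = Unspecified : server = 10.129.2.230 : user = mcdoormat
6|Sep 18 2008 14:19:12|113004: AAA user authentication Successful : server = 10.129.2.230 : user = mcdoormat
6|Sep 18 2008 14:19:30|113004: AAA user authentication Successful : server = 10.129.2.230 : user = jdoe
6|Sep 18 2008 14:19:12|302013: Built outbound TCP connection 1117 for inside:10.129.2.230/389 (10.129.2.230/389) to NP Identity Ifc:10.129.3.231/1120 (10.129.3.231/1120)
"""

# ASA message IDs seen in the post: 113004 = authentication successful, 113005 = authorization rejected.
AUTHN_OK, AUTHZ_REJECTED = "113004", "113005"

LINE_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}): (?P<text>.*)$")


def parse_line(line):
    """Split one ASA syslog line into header fields plus any 'key = value' pairs; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # 113xxx text reads 'Description : key = value : key = value'; the first segment is the description.
    for part in rec["text"].split(" : ")[1:]:
        key, _, value = part.partition(" = ")
        rec[key.strip()] = value.strip()
    return rec


def authz_after_authn_rejects(log_text):
    """Return {user: reason} for users who authenticated successfully but were then rejected at authorization.

    That is the mismatch in the post: Kerberos accepts the credentials, the LDAP authorization lookup fails.
    """
    seen = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["msgid"] not in (AUTHN_OK, AUTHZ_REJECTED):
            continue
        seen[rec["user"]][rec["msgid"]] = rec
    return {
        user: events[AUTHZ_REJECTED].get("reason", "unknown")
        for user, events in seen.items()
        if AUTHN_OK in events and AUTHZ_REJECTED in events
    }


if __name__ == "__main__":
    for user, reason in authz_after_authn_rejects(SAMPLE_LOGS).items():
        print(f"{user}: authenticated OK but authorization rejected (reason = {reason})")
```

Run against a real `show logging` export, a user appearing in the result while the 302013 lines show the authorization server being reached on TCP/389 points at the LDAP side (base DN, scope, naming attribute, or login DN) rather than at the credentials.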