Playing around with LDAP authentication...

millworx (Member, Posts: 290)
So last week I was playing around with and learning Cisco ACS and Radius Authentication on my ASA.

This week I'm trying to figure out LDAP authentication on my ASA.

I setup a test AD Win2k3 Server and configured my ASA as follows:
aaa-server AD-SERVER protocol ldap
aaa-server AD-SERVER (inside) host 10.33.85.177
 ldap-base-dn DC=test, DC=internal
 ldap-group-base-dn CN=Users, DC=test, DC=internal
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Administrator, CN=Users, DC=test, DC=internal
 server-type microsoft

Everything looks good, and my ASA can ping the AD server. But when I run a test aaa-server authentication against it, I just keep getting the following output:
INFO: Attempting Authentication test to IP address <10.33.85.177> (timeout: 12 seconds)
ERROR: Authentication Rejected: User was not found

I'm not sure what exactly the problem is. Perhaps my LDAP configuration is wrong? Everything in AD is set up standard, out of the box; my domain is test.internal. Any thoughts?
Currently Reading:
CCIE: Network Security Principles and Practices
CCIE: Routing and Switching Exam Certification Guide

Comments

  • millworx (Member, Posts: 290)
    Gahhh Scratch this post. It just hit me in the face.
    My ldap-base-dn statement I forgot to include CN=Users

    It's amazing how just posting to this forum helps me solve my problem before I get responses. haha
  • ITdude (Member, Posts: 1,183)
    millworx wrote:
    aaa-server AD-SERVER protocol ldap
    aaa-server AD-SERVER (inside) host 10.33.85.177
     ldap-base-dn DC=test, DC=internal   <-- (highlighted in red)
     ldap-group-base-dn CN=Users, DC=test, DC=internal
     ldap-naming-attribute sAMAccountName
     ldap-login-password *****
     ldap-login-dn CN=Administrator, CN=Users, DC=test, DC=internal
     server-type microsoft

    Everything looks good, and my ASA can ping the AD server. But when I run a test aaa-server authentication against it, I just keep getting the following output:
    INFO: Attempting Authentication test to IP address <10.33.85.177> (timeout: 12 seconds)
    ERROR: Authentication Rejected: User was not found

    I'm not sure what exactly the problem is. Perhaps my LDAP configuration is wrong? Everything in AD is set up standard, out of the box; my domain is test.internal. Any thoughts?


    I was just about to highlight the above and then saw your answer to your question. ;)
    I usually hang out on 224.0.0.10 (FF02::A) and 224.0.0.5 (FF02::5) when I'm in a non-proprietary mood.

    __________________________________________
    Simplicity is the ultimate sophistication.
    (Leonardo da Vinci)
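The lookup behind the thread's "User was not found" result, modelled in Python as an added example (not code from the thread or from Cisco): the firewall binds with ldap-login-dn, then searches beneath ldap-base-dn for an object whose ldap-naming-attribute equals the login name. The model goes one step beyond the thread by showing why the base DN mattered: the ASA's default search scope is onelevel (direct children of the base only), so a base of DC=test, DC=internal never sees users inside CN=Users, and either moving the base to CN=Users (the poster's fix) or setting ldap-scope subtree (an ASA option not mentioned in the thread) makes them visible. The DIRECTORY contents, the OU=Staff user and the account names are constructed for the demonstration.

```python
# Constructed in-memory stand-in for the thread's test.internal domain; no
# real LDAP server is contacted. Stock AD puts user objects under CN=Users.
DIRECTORY = {
    "DC=test,DC=internal": {"objectClass": "domainDNS"},
    "CN=Users,DC=test,DC=internal": {"objectClass": "container"},
    "CN=Administrator,CN=Users,DC=test,DC=internal": {
        "objectClass": "user", "sAMAccountName": "Administrator",
        "userPrincipalName": "administrator@test.internal"},
    "CN=Test User,CN=Users,DC=test,DC=internal": {
        "objectClass": "user", "sAMAccountName": "testuser",
        "userPrincipalName": "testuser@test.internal"},
    "CN=Jane Doe,OU=Staff,DC=test,DC=internal": {
        "objectClass": "user", "sAMAccountName": "jdoe",
        "userPrincipalName": "jdoe@test.internal"},
}


def normalize_dn(dn: str) -> list:
    """Split a DN into RDNs; 'DC=test, DC=internal' equals 'dc=test,dc=internal'."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """onelevel: direct children of base only (ASA default); subtree: all below."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False  # not beneath the base at all
    if scope == "onelevel":
        return len(entry) - len(base) == 1
    if scope == "subtree":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def find_user(login: str, base_dn: str, scope: str = "onelevel",
              naming_attribute: str = "sAMAccountName"):
    """Resolve a login name to a DN as the firewall's naming-attribute search
    does. Returns the DN, or None (the 'User was not found' case)."""
    for dn, attrs in DIRECTORY.items():
        if attrs.get("objectClass") != "user" or not in_scope(dn, base_dn, scope):
            continue
        if attrs.get(naming_attribute, "").lower() == login.lower():
            return dn
    return None


if __name__ == "__main__":
    print(find_user("testuser", "DC=test, DC=internal"))            # None
    print(find_user("testuser", "CN=Users, DC=test, DC=internal"))  # the fix
    print(find_user("jdoe", "DC=test, DC=internal", scope="subtree"))  # OU user
```

Users created in an OU rather than the Users container still need a subtree scope (or a base pointing at that OU), which is worth checking before trusting a test-user success on a real domain.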