Cisco ASA5510 - ldap, radius not working to inside server

Posted on 2011-10-10
Last Modified: 2012-05-12
This seems to be an access-list issue more than Windows, LDAP, or RADIUS.

If I run a "test aaa-server authentication my_aaa", I am getting
ERROR: Authentication Server not responding: AAA Server has been removed

If I packet-trace ldap and radius, either from the Windows server to the ASA or from ASA to Windows, the packet is dropped on the inside interface implicit rule.

I even went so far as to add an ACL on the inside interface "permit ip any host" and I still get the implicit drop on the inside interface.

Any thoughts?
Question by: snowdog_2112

    Expert Comment

    can you post a sanitized config of the asa?

    Expert Comment

    at the asa console. issue "show aaa-server". If it shows as FAILED, then you must reactivate it before it will use it again. First, can you ping the Radius from the ASA (assuming you have icmp enabled on the inside i/f)? If so, then you can proceed to reactivate the aaa-server on the asa.
    aaa-server ACS active host a.b.c.d   where a.b.c.d is the address of the radius server.

    Expert Comment

    Oh, I guess I didn't read all of your comments. It appears you might have another problem. Is there a route to the AAA-server via the inside interface?

    Expert Comment

    do your aaa statements resemble this?:
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server ACS protocol tacacs+
    aaa-server ACS (INSIDE) host
    aaa-server ACS (INSIDE) host
    aaa authentication http console ACS LOCAL
    aaa authentication telnet console ACS LOCAL
    aaa authentication ssh console ACS LOCAL
    aaa authentication enable console ACS LOCAL

    Author Comment

    There is no route to the LDAP on the inside since it's on the same segment/subnet as the inside interface (inside:, LDAP:

    aaa-server inside_ldap protocol ldap
    aaa-server inside_ldap host
    ldap-base-dn CN=users,DC=my-domain,DC=com
    ldap-scope subtree
    ldap-naming-attribute aAMAccountName
    ldap-login-password xxxxxx
    ldap-login-dn CN=ldap-user,CN=users,DC=my-domain,DC=com
    server-type microsoft

    Accepted Solution

    I found one issue, which I don't think should have given me the error on the test aaa-server, but it's working now.  The ldap-naming-attribute was mis-typed as "aAMAccountname" instead of "sAMAccountName".

    I may have made other changes in between, so I'm not certain this was the fix, but I can mark this solved.

    Now, if anyone knows how to get Windows 7 64-bit to connect to this ASA using the built-in Windows l2tp/ipsec client, I'd be eternally (and 500pts) grateful.
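    The fix above came down to one wrong letter in `ldap-naming-attribute`, which `test aaa-server` does not point at. As an added example (not part of the original thread, and not Cisco tooling), the Python check below parses an `aaa-server ... protocol ldap` group out of ASA config text and flags the mistakes that make an Active Directory lookup fail silently: an unknown naming attribute (with the nearest known name suggested), a missing base DN, and a `server-type microsoft` host with no `ldap-login-dn`. The list of accepted naming attributes is an assumption covering the usual AD choices; the sample config is constructed from the block posted in this thread with a documentation address in place of the sanitized server IP.

```python
"""Lint ASA 'aaa-server ... protocol ldap' groups for mistakes that break
AD user lookups. Added example for this thread; not Cisco code."""
import difflib
import re

# Assumption: naming attributes normally used for 'server-type microsoft'.
# The ASA puts exactly this attribute in its search filter, so a misspelled
# name matches no user entry at all.
KNOWN_AD_NAMING_ATTRIBUTES = ("sAMAccountName", "userPrincipalName", "cn")

GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
HOST_RE = re.compile(r"^aaa-server (\S+)(?: \((\S+)\))? host (\S+)")
# Host sub-mode keywords accepted even when the forum/paste stripped indentation.
HOST_SUBMODE_PREFIXES = ("ldap-", "server-", "sasl-", "timeout", "retry-interval")


def parse_aaa_servers(config_text):
    """Return {tag: {"protocol": str|None, "hosts": [dict, ...]}} from
    ASA running-config text; each host dict holds its sub-mode settings."""
    groups = {}
    current_host = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = GROUP_RE.match(line)
        if m:
            tag, proto = m.groups()
            groups.setdefault(tag, {"protocol": None, "hosts": []})["protocol"] = proto
            current_host = None
            continue
        m = HOST_RE.match(line)
        if m:
            tag, iface, addr = m.groups()
            group = groups.setdefault(tag, {"protocol": None, "hosts": []})
            current_host = {"host": addr, "interface": iface}
            group["hosts"].append(current_host)
            continue
        if current_host is not None and (raw[:1].isspace() or line.startswith(HOST_SUBMODE_PREFIXES)):
            key, _, value = line.partition(" ")
            current_host[key] = value
        else:
            current_host = None  # any other top-level command ends the host block
    return groups


def lint_ldap_groups(config_text):
    """Return a list of findings for every LDAP server group; [] means clean."""
    findings = []
    known_lower = {a.lower() for a in KNOWN_AD_NAMING_ATTRIBUTES}
    for tag, group in parse_aaa_servers(config_text).items():
        if group["protocol"] != "ldap":
            continue
        if not group["hosts"]:
            findings.append(f"{tag}: no 'aaa-server {tag} host' entry, group can never be queried")
        for host in group["hosts"]:
            where = f"{tag} host {host['host']}"
            attr = host.get("ldap-naming-attribute")
            if attr is None:
                findings.append(f"{where}: ldap-naming-attribute missing")
            elif attr.lower() not in known_lower:
                # LDAP attribute names are case-insensitive, so only a wrong
                # letter reaches here; suggest the closest known attribute.
                near = difflib.get_close_matches(attr, KNOWN_AD_NAMING_ATTRIBUTES, n=1)
                hint = f" (did you mean {near[0]}?)" if near else ""
                findings.append(f"{where}: unknown ldap-naming-attribute '{attr}'{hint}")
            if "ldap-base-dn" not in host:
                findings.append(f"{where}: ldap-base-dn missing")
            if host.get("server-type") == "microsoft" and "ldap-login-dn" not in host:
                findings.append(f"{where}: server-type microsoft without ldap-login-dn; "
                                "AD normally refuses anonymous user searches")
    return findings


# Constructed sample: the block posted in the thread, with the documentation
# address 192.0.2.10 standing in for the sanitized server IP.
BROKEN_CONFIG = """\
aaa-server inside_ldap protocol ldap
aaa-server inside_ldap (inside) host 192.0.2.10
 ldap-base-dn CN=users,DC=my-domain,DC=com
 ldap-scope subtree
 ldap-naming-attribute aAMAccountName
 ldap-login-password xxxxxx
 ldap-login-dn CN=ldap-user,CN=users,DC=my-domain,DC=com
 server-type microsoft
"""

# Same block with the one-letter fix from the accepted solution.
FIXED_CONFIG = BROKEN_CONFIG.replace("aAMAccountName", "sAMAccountName")

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint_ldap_groups(cfg) or "OK")
```

    Feed it the output of `show running-config aaa-server` (or a pasted block like the one above); the parser accepts both the indented sub-mode lines of a real running-config and unindented lines from a forum paste. The check is deliberately narrow: it catches configuration errors the ASA cannot report, not connectivity or ACL problems such as the implicit drop described at the top of the thread.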

    Author Closing Comment

    I can test the aaa-server and the Cisco client submits the LDAP query and will log on - so, I'm calling this "fixed". On to why a Windows client won't cause the ASA to submit the LDAP request...always something with these Ciscos.
