• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4934

Cisco ASA5510 - ldap, radius not working to inside server

This seems to be an access-list issue more than Windows, LDAP, or RADIUS.

If I run a "test aaa-server authentication my_aaa", I am getting
ERROR: Authentication Server not responding: AAA Server has been removed

If I packet-trace ldap and radius, either from the Windows server to the ASA or from ASA to Windows, the packet is dropped on the inside interface implicit rule.

I even went so far as to add an ACL on the inside interface "permit ip any host 192.168.1.1" and I still get the implicit drop on the inside interface.

Any thoughts?
1 Solution
 
Sorenson Commented:
can you post a sanitized config of the asa?
 
Boilermaker85 Commented:
At the ASA console, issue "show aaa-server". If it shows as FAILED, then you must reactivate it before it will use it again. First, can you ping the Radius from the ASA (assuming you have icmp enabled on the inside i/f)? If so, then you can proceed to reactivate the aaa-server on the ASA:
aaa-server ACS active host a.b.c.d   where a.b.c.d is the address of the radius server.
 
Boilermaker85 Commented:
Oh, I guess I didn't read all of your comments. It appears you might have another problem. Is there a route to the AAA-server via the inside interface?
 
Boilermaker85 Commented:
Do your aaa statements resemble this?
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server ACS protocol tacacs+
aaa-server ACS (INSIDE) host 10.0.10.151
aaa-server ACS (INSIDE) host 10.0.10.152
aaa authentication http console ACS LOCAL
aaa authentication telnet console ACS LOCAL
aaa authentication ssh console ACS LOCAL
aaa authentication enable console ACS LOCAL
 
snowdog_2112 (Author) Commented:
There is no route to the LDAP on the inside since it's on the same segment/subnet as the inside interface (inside: 192.168.1.2, LDAP: 192.168.1.30).

aaa-server inside_ldap protocol ldap
aaa-server inside_ldap host 192.168.1.30
ldap-base-dn CN=users,DC=my-domain,DC=com
ldap-scope subtree
ldap-naming-attribute aAMAccountName
ldap-login-password xxxxxx
ldap-login-dn CN=ldap-user,CN=users,DC=my-domain,DC=com
server-type microsoft
 
snowdog_2112 (Author) Commented:
I found one issue, which I don't think should have given me the error on the test aaa-server, but it's working now.  The ldap-naming-attribute was mis-typed as "aAMAccountname" instead of "sAMAccountName".

I may have made other changes in between, so I'm not certain this was the fix, but I can mark this solved.

Now, if anyone knows how to get Windows 7 64-bit to connect to this ASA using the built-in Windows l2tp/ipsec client, I'd be eternally (and 500pts) grateful.
 
snowdog_2112 (Author) Commented:
I can test the aaa-server and the Cisco client submits the LDAP query and will log on - so, I'm calling this "fixed".  On to why a Windows client won't cause the ASA to submit the LDAP request...always something with these Ciscos.
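The root cause above was a one-character typo in "ldap-naming-attribute" that the ASA accepted silently. The following lint, added here as an example and not taken from the thread or from Cisco, parses ASA aaa-server host blocks and flags naming attributes that are not on a known list (the allow-list and the sample config are constructed for this example):

```python
import difflib
import re

# Assumption: a short allow-list of attribute names commonly used with
# "ldap-naming-attribute"; it is constructed for this example, not an ASA list.
KNOWN_NAMING_ATTRIBUTES = {"sAMAccountName", "userPrincipalName", "uid", "cn"}

# Constructed sample: the poster's aaa-server block with the typo left in place.
SAMPLE_CONFIG = """\
aaa-server inside_ldap protocol ldap
aaa-server inside_ldap host 192.168.1.30
 ldap-base-dn CN=users,DC=my-domain,DC=com
 ldap-scope subtree
 ldap-naming-attribute aAMAccountName
 ldap-login-password xxxxxx
 ldap-login-dn CN=ldap-user,CN=users,DC=my-domain,DC=com
 server-type microsoft
"""

def parse_aaa_servers(config_text):
    """Group the sub-commands of each 'aaa-server GROUP [(IFACE)] host IP' line."""
    servers = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"aaa-server (\S+) (?:\(\S+\) )?host (\S+)", line)
        if m:
            current = (m.group(1), m.group(2))
            servers[current] = {}
            continue
        # Any other non-empty line that is not a new aaa-server command belongs
        # to the host block currently being read.
        if current and line and not line.startswith("aaa-server"):
            key, _, value = line.partition(" ")
            servers[current][key] = value
    return servers

def lint_naming_attributes(config_text):
    """Return (group, host, attribute, suggestion) for each unknown attribute."""
    findings = []
    for (group, host), attrs in parse_aaa_servers(config_text).items():
        attr = attrs.get("ldap-naming-attribute")
        if attr is None or attr in KNOWN_NAMING_ATTRIBUTES:
            continue
        # Suggest the closest known name so a one-letter slip is easy to spot.
        close = difflib.get_close_matches(attr, KNOWN_NAMING_ATTRIBUTES, n=1, cutoff=0.8)
        findings.append((group, host, attr, close[0] if close else None))
    return findings

if __name__ == "__main__":
    for group, host, attr, hint in lint_naming_attributes(SAMPLE_CONFIG):
        print(f"{group}/{host}: ldap-naming-attribute {attr!r} unknown; did you mean {hint!r}?")
```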