Asked by dan08
ASA 5505 Domain ActiveDirectory Authentication

Hi Experts,
I had our Windows 2003 primary domain controller fail and replaced it with Windows 2008. I changed all DNS entries to the new internal IP 10.11.1.8, but cannot get it to authenticate users.

: Saved
:
ASA Version 8.2(1) 
hostname VPN1
domain-name xxx.lan
enable password VvJ/jpyTi/fGJsOe encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
 duplex full
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.0 
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.11.1.201 255.0.0.0 
 ospf authentication null
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.11.1.8
 name-server 10.11.1.9
 domain-name xxxx.lan
access-list test_splitTunnelAcl standard permit host 10.11.0.0 
access-list test_splitTunnelAcl standard permit host 192.168.0.0 
access-list cisco_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0 
access-list cisco_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0 
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.11.1.224 255.255.255.224 
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.11.1.224 255.255.255.224 
access-list cisco_splitTunnelAclstandard standard permit 10.11.0.0 255.255.0.0 
access-list test22 extended permit icmp any host 24.60.160.131 
access-list test22 extended permit icmp host 24.60.160.131 any 
access-list test22 extended permit icmp any 72.163.216.0 255.255.255.0 
access-list test22 extended permit icmp 72.163.216.0 255.255.255.0 any 
pager lines 24
logging enable
logging list allwarnings level warnings
logging buffered debugging
logging asdm informational
logging from-address vpn@xxx.xxx
logging recipient-address xxx@xxx.xxx level warnings
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool RemoteUsersDHCP 10.11.1.230-10.11.1.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x
route inside 10.1.1.8 255.255.255.255 10.11.1.2 1
route inside 10.1.1.9 255.255.255.255 10.11.1.2 1
route inside 10.11.0.0 255.255.0.0 10.11.1.10 1
route inside 192.168.0.0 255.255.0.0 10.11.1.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Campus protocol nt
 reactivation-mode timed
aaa-server Campus (inside) host 10.11.1.8
 timeout 5
 nt-auth-domain-controller noblesfr
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
http redirect inside 80
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPointA
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPointB
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 subject-name CN=VPN1.nobles.lan,O=Noble and Greenough School,C=US
 keypair NoblesVPN
 crl configure
crypto ca certificate chain ASDM_TrustPointA
 certificate ca 3863def8
    3082042a 30820312 a0030201 02020438 63def830 0d06092a 864886f7 0d010105 
    05003081 b4311430 12060355 040a130b 456e7472 7573742e 6e657431 40303e06 
    0355040b 14377777 772e656e 74727573 742e6e65 742f4350 535f3230 34382069 
    6e636f72 702e2062 79207265 662e2028 6c696d69 7473206c 6961622e 29312530 
    23060355 040b131c 28632920 31393939 20456e74 72757374 2e6e6574 204c696d 
    69746564 31333031 06035504 03132a45 6e747275 73742e6e 65742043 65727469 
    66696361 74696f6e 20417574 686f7269 74792028 32303438 29301e17 0d393931 
    32323431 37353035 315a170d 32393037 32343134 31353132 5a3081b4 31143012 
    06035504 0a130b45 6e747275 73742e6e 65743140 303e0603 55040b14 37777777 
    2e656e74 72757374 2e6e6574 2f435053 5f323034 3820696e 636f7270 2e206279 
    20726566 2e20286c 696d6974 73206c69 61622e29 31253023 06035504 0b131c28 
    63292031 39393920 456e7472 7573742e 6e657420 4c696d69 74656431 33303106 
    03550403 132a456e 74727573 742e6e65 74204365 72746966 69636174 696f6e20 
    41757468 6f726974 79202832 30343829 30820122 300d0609 2a864886 f70d0101 
    01050003 82010f00 3082010a 02820101 00ad4d4b a91286b2 eaa32007 1516642a 
    2b4bd1bf 0b4a4d8e ed8076a5 67b77840 c07342c8 68c0db53 2bdd5eb8 76983593 
    8b1a9d7c 133a0e1f 5bb71ecf e524141e b181a98d 7db8cc6b 4b03f102 0cdcaba5 
    4024007f 7494a19d 0829b388 0bf58777 9d55cde4 c37ed76a 64ab8514 86955b97 
    32506f3d c8ba660c e3fcbdb8 49c17689 4919fdc0 a8bd89a3 672fc69f bc711960 
    b82de92c c9907666 7b94e2af 78d66553 5d3cd69c b2cf2903 f92fa450 b2d448ce 
    0532558a fdb2644c 0ee49807 75db7fdf b9085560 853029f9 7b48a469 86e3353f 
    1e865d7a 7a15bdef 008e1522 54170090 2693bc0e 496891bf f847d39d 9542c10e 
    4ddf6f26 cfc31821 62664370 d6d5c007 e1020301 0001a342 3040300e 0603551d 
    0f0101ff 04040302 0106300f 0603551d 130101ff 04053003 0101ff30 1d060355 
    1d0e0416 041455e4 81d11180 bed889b9 08a331f9 a1240916 b970300d 06092a86 
    4886f70d 01010505 00038201 01003b9b 8f569b30 e753997c 7a79a74d 97d71995 
    90fb061f ca337c46 638f9666 24fa401b 2127cae6 7273f24f fe3199fd c80c4c68 
    53c68082 1398fab6 adda5d3d f1ce6ef6 15119482 0cee3f95 af11ab0f d72fde1f 
    038f572c 1ec9bb9a 1a4495eb 184fa61f cd7d5710 2f9b0409 5a84b56e d81d3ae1 
    d69ed16c 795e791c 14c5e3d0 4c933b65 3ceddf3d bea6e595 1ac3b519 c3bd5e5b 
    bbff23ef 6819cb12 93275c03 2d6f30d0 1eb61aac de5af7d1 aaa827a6 fe7981c4 
    79993357 ba12b0a9 e0426c93 ca56defe 6d840b08 8b7e8dea d79821c6 f3e73c79 
    2f5e9cd1 4c158de1 ec2237cc 9a430b97 dc80908d b3679b6f 48081556 cfbff12b 
    7c5e9a76 e95990c5 7c833511 6551
  quit
crypto ca certificate chain ASDM_TrustPointB
 certificate ca 3863e9fc
    308204f2 308203da a0030201 02020438 63e9fc30 0d06092a 864886f7 0d010105 
    05003081 b4311430 12060355 040a130b 456e7472 7573742e 6e657431 40303e06 
    0355040b 14377777 772e656e 74727573 742e6e65 742f4350 535f3230 34382069 
    6e636f72 702e2062 79207265 662e2028 6c696d69 7473206c 6961622e 29312530 
    23060355 040b131c 28632920 31393939 20456e74 72757374 2e6e6574 204c696d 
    69746564 31333031 06035504 03132a45 6e747275 73742e6e 65742043 65727469 
    66696361 74696f6e 20417574 686f7269 74792028 32303438 29301e17 0d303931 
    32313032 30343335 345a170d 31393132 31303231 31333534 5a3081b1 310b3009 
    06035504 06130255 53311630 14060355 040a130d 456e7472 7573742c 20496e63 
    2e313930 37060355 040b1330 7777772e 656e7472 7573742e 6e65742f 72706120 
    69732069 6e636f72 706f7261 74656420 62792072 65666572 656e6365 311f301d 
    06035504 0b131628 63292032 30303920 456e7472 7573742c 20496e63 2e312e30 
    2c060355 04031325 456e7472 75737420 43657274 69666963 6174696f 6e204175 
    74686f72 69747920 2d204c31 43308201 22300d06 092a8648 86f70d01 01010500 
    0382010f 00308201 0a028201 010097a3 2d3c9ede 05da13c2 118d9d8e e37fc74b 
    7e5a9fb3 ff62ab73 c8286bba 10648287 13cd5718 ff28cec0 e60e0691 502983d1 
    f2c32adb d8db4e04 cc00eb8b b696dcbc aafa5277 04c1db19 e4ae9cfd 3c8b03ef 
    4dbc1a03 65f9c1b1 3f7286f2 38aa19ae 10887828 da75c33d 0282029c b9c16577 
    76244c98 f76d3138 fbdbfedb 370276a1 1897a6cc de200949 36246942 f6e43762 
    f1596da9 3ced349c a38edbdc 3ad7f70a 6fef2ed8 d5935a7a ed084968 e241e35a 
    90c18655 fc51439d e0b2c467 b4cb3231 25f0549f 4bd16fdb d4ddfcaf 5e6c7890 
    95deca3a 48b9793c 9b19d675 05a0f988 d7c1e8a5 09e41a15 dc8723aa b2758c63 
    2587d8f8 3da6c2cc 66ffa566 68550203 010001a3 82010b30 82010730 0e060355 
    1d0f0101 ff040403 02010630 0f060355 1d130101 ff040530 030101ff 30330608 
    2b060105 05070101 04273025 30230608 2b060105 05073001 86176874 74703a2f 
    2f6f6373 702e656e 74727573 742e6e65 74303206 03551d1f 042b3029 3027a025 
    a0238621 68747470 3a2f2f63 726c2e65 6e747275 73742e6e 65742f32 30343863 
    612e6372 6c303b06 03551d20 04343032 30300604 551d2000 30283026 06082b06 
    01050507 0201161a 68747470 3a2f2f77 77772e65 6e747275 73742e6e 65742f72 
    7061301d 0603551d 0e041604 141ef1ab 8906f849 0f013377 ee147aee 197c9328 
    4d301f06 03551d23 04183016 801455e4 81d11180 bed889b9 08a331f9 a1240916 
    b970300d 06092a86 4886f70d 01010505 00038201 010007f6 5f82847f 8040c790 
    34464224 03ce2fab ba839e25 730dedac 0569c687 eda35cf2 57c1b149 769a4df2 
    3fdde40e fe0b3eb9 98d93295 1d32f401 ee9cc8c8 e53fe053 7662fcdd ab6d3d94 
    90f2c0b3 3c982736 5e289722 fc1b40d3 2b0dadb5 576ddf0f e34bef73 021065fa 
    1bd0ac31 d5e30fe8 ba323083 ee4ad0bf df22907a beec3a1b c449041d f1ae8077 
    3c4208db a73b28a6 800103e6 39a3ebdf 80591bf3 2cbedc72 4479a06c 07a56d4d 
    448e4268 ca947c2e 36ba859e cdaac45e 3c54befe 2fea699d 1c1e299b 96d8c8fe 
    5190f124 a69006b3 f029a2ff 782e775c 4521d944 0031f3be 324ff50a 320dfcfc 
    ba167656 b2d64892 f28ba63e b7ac5c69 ea0b3f66 45b9
  quit
crypto ca certificate chain ASDM_TrustPoint1
 certificate 4c1c1355
    3082052d 30820415 a0030201 0202044c 1c135530 0d06092a 864886f7 0d010105 
    05003081 b1310b30 09060355 04061302 55533116 30140603 55040a13 0d456e74 
    72757374 2c20496e 632e3139 30370603 55040b13 30777777 2e656e74 72757374 
    2e6e6574 2f727061 20697320 696e636f 72706f72 61746564 20627920 72656665 
    72656e63 65311f30 1d060355 040b1316 28632920 32303039 20456e74 72757374 
    2c20496e 632e312e 302c0603 55040313 25456e74 72757374 20436572 74696669 
    63617469 6f6e2041 7574686f 72697479 202d204c 3143301e 170d3132 30313237 
    32303237 31325a17 0d313331 32323331 34313235 345a3075 310b3009 06035504 
    06130255 53311630 14060355 0408130d 4d617373 61636875 73657474 73310f30 
    0d060355 04071306 44656468 616d3123 30210603 55040a13 1a4e6f62 6c652061 
    6e642047 7265656e 6f756768 20536368 6f6f6c31 18301606 03550403 130f5650 
    4e312e6e 6f626c65 732e6c61 6e308201 22300d06 092a8648 86f70d01 01010500 
    0382010f 00308201 0a028201 0100b391 aea68a26 f0a30827 69cc1410 296c8bdf 
    6ecaeac1 88725d0f 98889222 4f9055f8 22ca79a8 ecb53269 9e96575a 67ba4f8c 
    a234c107 dea84f8c fd81a034 0de1a40d 50c0074b a28ec228 9a0d056f d650b958 
    c6ef2ed0 91c2c8c2 ff06eaa3 58c622d1 19e757bb 37f30d60 ded0ea2a 5cbd85df 
    32883ef5 62ae8a10 756b9ed9 fd01780b 6dfa5922 92780660 4255c93f 4bbc6428 
    bcd488a7 282efaa9 6f5c8b55 1c567ac2 32565e82 d15e82fd fcc2c34e 012e3832 
    4e46707b 2a369a60 c778e052 60740f68 0581b630 6b5b5076 d17ee61b a7c85a3e 
    18bf032c 6c67ccac 9557c326 f1e13435 4ffb35bf 37ce314d 22dc2fac 0674bd9a 
    9af19508 c7a40d02 123cc5fd 504f0203 010001a3 82018630 82018230 0b060355 
    1d0f0404 030205a0 301d0603 551d2504 16301406 082b0601 05050703 0106082b 
    06010505 07030230 33060355 1d1f042c 302a3028 a026a024 86226874 74703a2f 
    2f63726c 2e656e74 72757374 2e6e6574 2f6c6576 656c3163 2e63726c 30650608 
    2b060105 05070101 04593057 30230608 2b060105 05073001 86176874 74703a2f 
    2f6f6373 702e656e 74727573 742e6e65 74303006 082b0601 05050730 02862468 
    7474703a 2f2f6169 612e656e 74727573 742e6e65 742f6c31 632d6368 61696e2e 
    63657230 40060355 1d200439 30373035 06092a86 4886f67d 074b0230 28302606 
    082b0601 05050702 01161a68 7474703a 2f2f7777 772e656e 74727573 742e6e65 
    742f7270 61302b06 03551d11 04243022 820f5650 4e312e6e 6f626c65 732e6c61 
    6e820f56 504e312e 6e6f626c 65732e65 6475301f 0603551d 23041830 1680141e 
    f1ab8906 f8490f01 3377ee14 7aee197c 93284d30 1d060355 1d0e0416 041472ce 
    0a882f70 614439da bd5d2a77 b6cb8177 15fe3009 0603551d 13040230 00300d06 
    092a8648 86f70d01 01050500 03820101 000259ec 4f7d1f1c 903d1e14 4b7007ec 
    b43f1f18 c7fc4a0c e8baeab7 9e9da6bb 7533f8f5 088a1af9 21c9d1d4 f396ded4 
    749b44c7 dea612ec d2f459da 5c48e1f7 e4acb000 b0641656 26aa3762 565b93d8 
    f00386e2 b0add856 1157e151 0977cbae 62a122fd e6cd7772 00ea9a6d aa0f728e 
    a100796a 09c64a11 22ab2735 4fa58cb4 b3535cbe 4e712cee 72c5aafb 53fe2611 
    1db6e598 0ea1a89e 5bb88ee6 3dfa1325 77b9f1e8 3d98fe21 a4cd1bfd a7f049c9 
    69d37776 8f72790d 4aa2b1db 8d440802 946fc4e0 a038e7c7 429b5f75 5c4351f2 
    e906a587 79946b83 061d1654 331ce3b7 eb607114 0923032b b4541c41 2a28fbf2 
    4f8a5408 0327f5ea f2613b35 f60e8cdc 58
  quit
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
vpn-addr-assign local reuse-delay 5
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 69.36.241.112 source outside
ssl trust-point ASDM_TrustPoint1
ssl trust-point ASDM_TrustPoint1 inside
ssl trust-point ASDM_TrustPoint1 outside
webvpn
 enable outside
 enable inside
 default-idle-timeout 900
 svc image disk0:/anyconnect-macosx-i386-2.4.0154-k9-BETA.pkg 1
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 2
 svc image disk0:/anyconnect-macosx-i386-2.3.0254-k9.pkg 3
 svc image disk0:/anyconnect-macosx-i386-2.3.0254-k9.pkg 4
 svc enable
 tunnel-group-list enable
group-policy noblesGP internal
group-policy noblesGP attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 address-pools value RemoteUsersDHCP
 webvpn
  url-list value testbm
  svc ask enable default webvpn
group-policy DfltGrpPolicy attributes
 dns-server value 10.11.1.8
 vpn-idle-timeout 15
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 webvpn
  svc ask enable default webvpn
username xxxxx password xxxxxxxxxxxxxxxx encrypted privilege 15
username administrator xxxxxxxxxxxxx/rm encrypted
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group Campus
tunnel-group Nobles type remote-access
tunnel-group Nobles general-attributes
 address-pool RemoteUsersDHCP
 authentication-server-group Campus
 default-group-policy noblesGP
tunnel-group Nobles webvpn-attributes
 group-alias Noble.VPN enable
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
service-policy global_policy global
imap4s
 enable outside
 enable inside
 default-group-policy DfltGrpPolicy
pop3s
 enable outside
 enable inside
 default-group-policy DfltGrpPolicy
smtps
 enable outside
 enable inside
 default-group-policy DfltGrpPolicy
smtp-server 10.11.13.7
prompt hostname context 
Cryptochecksum:70a463471a63f7f59a0b7af50aad0d5d
: end
no asdm history enable

ArneLovius replied:
I would suggest using LDAP auth with 2008.
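For context on the suggestion above: the posted config authenticates both tunnel groups through `aaa-server Campus protocol nt`, the legacy NT Domain method. On the ASA that method speaks NTLMv1 to the DC on TCP 139, and the `nt-auth-domain-controller noblesfr` line must name (by NetBIOS name) the controller that is actually listening at 10.11.1.8; a new 2008 DC with a different name, or one that no longer accepts NTLMv1, will fail this lookup even though DNS now points at it. The fragment below is an added example, not from any post in this thread, of the ASA 8.2 LDAP server group that would replace it and of the built-in check for it. The group name `Campus_LDAP`, the bind account `asa-bind`, the base DN `DC=xxx,DC=lan` (mirroring the redacted domain in the config) and the test user `jdoe` are assumptions.

```cisco
: Added example, not part of the original thread. Campus_LDAP, asa-bind,
: DC=xxx,DC=lan and jdoe are assumed names; substitute your own.
aaa-server Campus_LDAP protocol ldap
 reactivation-mode timed
aaa-server Campus_LDAP (inside) host 10.11.1.8
 timeout 5
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn DC=xxx,DC=lan
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,CN=Users,DC=xxx,DC=lan
 ldap-login-password <bind-account-password>
 server-type microsoft
:
: Point the tunnel groups at the new server group instead of Campus.
tunnel-group Nobles general-attributes
 authentication-server-group Campus_LDAP
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group Campus_LDAP
:
: Verify from the ASA before touching the tunnel groups; a failing bind
: or a wrong base DN shows up here without involving a VPN client.
test aaa-server authentication Campus_LDAP host 10.11.1.8 username jdoe password <user-password>
```

Two points worth checking when adapting this. `ldap-over-ssl enable` with `server-port 636` needs the DC to be serving LDAPS, which it does only once it holds a server certificate; without that you are limited to a simple bind on 389, which sends both the `asa-bind` password and every user's password in clear text across the inside network. And `asa-bind` needs nothing beyond an ordinary domain user account, since the ASA only reads the directory to locate the user's DN before binding as that user, so do not grant it elevated privileges.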
ASKER CERTIFIED SOLUTION
Pete Long
@PeteLong

Any advantages of using Kerberos over LDAP?