Trying to set up RADIUS authentication on ASA5505 8.3

Aug 23rd, 2010

I set up my firewall with local authentication for a regular dynamic VPN setup, but I need to change it to authenticate with the server. The server is set up and ready to go, but I want to be sure the firewall will be too.


Here is my config:


ASA# sh run
: Saved
:
ASA Version 8.3(1)


hostname ASA
domain-name mydomain.local
enable password GmSL9emLLUC2J7jz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names


interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0


interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group pppoe_group
ip address pppoe setroute


interface Ethernet0/0
switchport access vlan 2


interface Ethernet0/1


interface Ethernet0/2


interface Ethernet0/3


interface Ethernet0/4


interface Ethernet0/5


interface Ethernet0/6


interface Ethernet0/7


boot system disk0:/asa831-k8.bin
ftp mode passive


clock timezone CST -6
clock summer-time CDT recurring


dns server-group DefaultDNS
domain-name mydomain.local


same-security-traffic permit inter-interface
same-security-traffic permit intra-interface


object network obj_any
subnet 0.0.0.0 0.0.0.0


object network obj-vpnPool
subnet 192.168.101.0 255.255.255.0


object network SERVER01
host 192.168.*.*


object network obj-Internal-192.168.1.0
subnet 192.168.1.0 255.255.255.0


object network SERVER02
host 192.168.*.*


object network SERVER03
host 192.168.*.*


object network obj-OutsideIP
host 74.164.148.6


access-list splittunnel standard permit 192.168.1.0 255.255.255.0


access-list outside_in extended permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_in extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0


access-list outside_in extended permit tcp any host 192.168.*.* eq www
access-list outside_in extended permit tcp any host 192.168.*.* eq https
access-list outside_in extended permit tcp any host 192.168.*.* eq smtp


pager lines 24
logging asdm informational


mtu inside 1500
mtu outside 1500


ip local pool vpnpool 192.168.101.50-192.168.101.100


icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400


nat (inside,outside) source static obj-Internal-192.168.1.0 obj-Internal-192.168.1.0 destination static obj-vpnPool obj-vpnPool


object network obj_any
nat (inside,outside) dynamic interface


object network SERVER01
nat (inside,outside) static interface service tcp smtp smtp


object network SERVER02
nat (inside,outside) static interface service tcp www www


object network SERVER03
nat (inside,outside) static interface service tcp https https


access-group outside_in in interface outside


timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00


dynamic-access-policy-record DfltAccessPolicy


aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL


http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside


no snmp-server location
no snmp-server contact


snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart


crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set transform-set ESP-3DES-MD5
crypto dynamic-map RA-VPN 1 set security-association lifetime seconds 28800
crypto dynamic-map RA-VPN 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set reverse-route
crypto map RA-VPN 65535 ipsec-isakmp dynamic RA-VPN
crypto map RA-VPN interface outside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400


crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400


crypto isakmp nat-traversal 10
crypto isakmp ipsec-over-tcp port 1000


telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 60


ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60


console timeout 0


management-access inside


vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname [email protected]
vpdn group pppoe_group ppp authentication pap
vpdn username [email protected] password *****


dhcpd dns 192.168.*.* 4.2.2.2
dhcpd lease 8400
dhcpd ping_timeout 750
dhcpd domain mydomain.local
dhcpd auto_config outside


dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside



priority-queue inside
priority-queue outside


threat-detection basic-threat
threat-detection statistics access-list


no threat-detection statistics tcp-intercept
webvpn


group-policy examplevpn internal
group-policy examplevpn attributes
dns-server value 192.168.*.* 4.2.2.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value mydomain.local


username vicky password 9fO.vlLc77pAFoHp encrypted privilege 15
username otherusers password hhckff6QokyoRdar encrypted privilege 10
username examplevpn password IKg0RMHfprF6Ya3u encrypted


username admin password DwCTJcBn.Q0dDe9z encrypted privilege 15
username admin attributes
vpn-group-policy examplevpn


tunnel-group RA-VPN type remote-access
tunnel-group examplevpn type remote-access
tunnel-group examplevpn general-attributes
address-pool vpnpool
authorization-server-group (outside) LOCAL
default-group-policy examplevpn


tunnel-group examplevpn ipsec-attributes
pre-shared-key *****


class-map global-class
match default-inspection-traffic


class-map class_sip_tcp
match port tcp eq sip


class-map inspection_default
match default-inspection-traffic


policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512


policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect tftp
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect icmp
  inspect ipsec-pass-thru
  inspect ip-options
class class_sip_tcp
  inspect sip


service-policy global_policy global
prompt hostname context
Cryptochecksum:3edb25d4a550f0394e8c1936ab3326ad



Is what I have below all I have to add, and is it correct?


aaa-server RADIUSvpn protocol radius
max-failed-attempts 5
aaa-server vpn (DMZ) host 172.16.1.1
retry-interval 1
timeout 30
key cisco123



tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
address-pool vpnpool
authentication-server-group RADIUSvpn


I am still relatively new to firewalls and find some of the online help overwhelming at times. Please help,


Vicky
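The proposed lines above are typed as separate pieces, which is where AAA configs usually go wrong: the host line names group "vpn" while the declared group is "RADIUSvpn", and "(DMZ)" names an interface that the running config above does not define (its only nameifs are inside and outside). The Python below is an added example, not code from the thread or from Cisco: it cross-checks the aaa-server group, host and tunnel-group lines of a pasted config and reports such mismatches. The function name, the finding codes and the two embedded samples (the poster's proposed lines, and a constructed version with the names made consistent) are assumptions of the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the question: the two nameifs from the
# running config plus the proposed aaa-server / tunnel-group lines.
PROPOSED_CONFIG = """\
interface Vlan1
nameif inside
interface Vlan2
nameif outside
aaa-server RADIUSvpn protocol radius
max-failed-attempts 5
aaa-server vpn (DMZ) host 172.16.1.1
retry-interval 1
timeout 30
key cisco123
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
address-pool vpnpool
authentication-server-group RADIUSvpn
"""

# Constructed: the same snippet with the group name and interface made
# consistent (server IP and key kept as placeholders).
CONSISTENT_CONFIG = """\
interface Vlan1
nameif inside
interface Vlan2
nameif outside
aaa-server RADIUSvpn protocol radius
max-failed-attempts 5
aaa-server RADIUSvpn (inside) host 172.16.1.1
retry-interval 1
timeout 30
key cisco123
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
address-pool vpnpool
authentication-server-group RADIUSvpn
"""

GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$", re.IGNORECASE)
HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) general-attributes$")
AUTH_RE = re.compile(r"^authentication-server-group (?:\(\S+\) )?(\S+)")
Finding = Tuple[str, str]  # (code, message)


def check_aaa_config(config: str) -> List[Finding]:
    """Cross-check aaa-server groups, host entries and tunnel-group references.

    Assumes the snippet is pasted without indentation (as in the post), so a
    subcommand belongs to the most recent aaa-server host or tunnel-group line.
    """
    nameifs = set()
    groups: Dict[str, str] = {}        # group name -> protocol
    hosts: List[dict] = []             # one entry per 'aaa-server ... host' line
    refs: List[Tuple[str, str]] = []   # (tunnel-group, referenced server group)
    ctx = None                         # ("host", index) or ("tg", name)
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("nameif "):
            nameifs.add(line.split()[1]); ctx = None; continue
        if m := GROUP_RE.match(line):
            groups[m.group(1)] = m.group(2).lower(); ctx = None; continue
        if m := HOST_RE.match(line):
            hosts.append({"group": m.group(1), "iface": m.group(2), "ip": m.group(3), "key": False})
            ctx = ("host", len(hosts) - 1); continue
        if m := TG_RE.match(line):
            ctx = ("tg", m.group(1)); continue
        if ctx and ctx[0] == "host" and line.startswith("key "):
            hosts[ctx[1]]["key"] = True; continue
        if (m := AUTH_RE.match(line)) and ctx and ctx[0] == "tg":
            refs.append((ctx[1], m.group(1))); continue

    findings: List[Finding] = []
    for h in hosts:
        if h["group"] not in groups:
            findings.append(("UNDECLARED_GROUP", f"host {h['ip']} is attached to group '{h['group']}', "
                             f"which has no 'aaa-server {h['group']} protocol' line (declared: {', '.join(groups) or 'none'})"))
        if h["iface"] not in nameifs:
            findings.append(("UNKNOWN_INTERFACE", f"host {h['ip']} is reached via '{h['iface']}', "
                             f"but no interface has that nameif (known: {', '.join(sorted(nameifs))})"))
        # RADIUS and TACACS+ hosts need a shared key; skip the check when the group is unknown
        if not h["key"] and groups.get(h["group"]) in ("radius", "tacacs+"):
            findings.append(("NO_KEY", f"host {h['ip']} has no shared 'key'"))
    hosted = {h["group"] for h in hosts}
    for g in groups:
        if g not in hosted:
            findings.append(("EMPTY_GROUP", f"group '{g}' has no host entries, so nothing will answer for it"))
    for tg, g in refs:
        if g not in groups:
            findings.append(("DANGLING_REFERENCE", f"tunnel-group {tg} authenticates against '{g}', which is not declared"))
    return findings


if __name__ == "__main__":
    for code, msg in check_aaa_config(PROPOSED_CONFIG):
        print(f"{code}: {msg}")
    print("consistent version:", check_aaa_config(CONSISTENT_CONFIG) or "no findings")
```

Run against the proposed lines it reports the undeclared group, the unknown interface and the declared-but-empty group; the consistent version produces no findings. The checker reads the pasted form, not a real `show run` with indentation, so it treats everything after a host line as that host's subcommands until the next block opener.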

Correct Answer by Asim Malik about 6 years 8 months ago

Can you compare the config with this doc and see if you are missing something, maybe?

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml


Use the troubleshoot area in the doc to find the correct DN, I think you are missing a part in the DN string. Sorry for the late response

Asim Malik (Cisco Employee) Mon, 08/23/2010 - 10:02

It looks OK. Please check this:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c18ff.shtml



It's much easier through ASDM. A good way to test if your authentication is set up fine is to use the test option as mentioned in the document. If the test fails, then run the following debugs on the ASA and it will tell you why it is failing:


debug aaa authentication

debug radius all

vickyleach1 Mon, 08/23/2010 - 10:12

Most people tell me how much easier it is with the ASDM but I have always been more comfortable in the CLI as that is all I use. Also if I use ASDM at work I will kind of get frowned upon as they all use the CLI.


You have any ideas on the CLI version of the commands?

Asim Malik (Cisco Employee) Mon, 08/23/2010 - 10:19

Sure, ultimately it comes down to you, whatever you feel comfortable with. The document I mentioned also has the relevant command line.

vickyleach1 Mon, 08/23/2010 - 11:00

OK, last question on this (I hope). Using the link you gave me and based on the information (the sh run), is what I have below correct?


!--- Configure the AAA Server group.
ciscoasa(config)# aaa-server RADIUS_SERVER_GROUP protocol RADIUS
ciscoasa(config-aaa-server-group)# exit

!--- Configure the AAA Server. (192.168.*.* being the server IP)
ciscoasa(config)# aaa-server RADIUS_SERVER_GROUP (inside) host 192.168.*.*
ciscoasa(config-aaa-server-host)# key secretkey
ciscoasa(config-aaa-server-host)# exit

!--- Configure the tunnel group to use the new AAA setup. (examplevpn being the group authentication name)
ciscoasa(config)# tunnel-group examplevpn general-attributes
ciscoasa(config-tunnel-general)# authentication-server-group RADIUS_SERVER_GROUP


And getting rid of the other commands that make it LOCAL authentication, leaving me with the following config (please, please, please check the config thoroughly, I don't want to mess this up):



ASA# sh run
: Saved
:
ASA Version 8.3(1)


hostname ASA
domain-name mydomain.local
enable password GmSL9emLLUC2J7jz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names


interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0


interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group pppoe_group
ip address pppoe setroute


interface Ethernet0/0
switchport access vlan 2


interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7


boot system disk0:/asa831-k8.bin
ftp mode passive


clock timezone CST -6
clock summer-time CDT recurring


dns server-group DefaultDNS
domain-name mydomain.local


same-security-traffic permit inter-interface
same-security-traffic permit intra-interface


object network obj_any
subnet 0.0.0.0 0.0.0.0


object network obj-vpnPool
subnet 192.168.101.0 255.255.255.0


object network SERVER01
host 192.168.*.*


object network obj-Internal-192.168.1.0
subnet 192.168.1.0 255.255.255.0


object network SERVER02
host 192.168.*.*


object network SERVER03
host 192.168.*.*


object network obj-OutsideIP
host 74.164.148.6


access-list splittunnel standard permit 192.168.1.0 255.255.255.0


access-list outside_in extended permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_in extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0


access-list outside_in extended permit tcp any host 192.168.*.* eq www
access-list outside_in extended permit tcp any host 192.168.*.* eq https
access-list outside_in extended permit tcp any host 192.168.*.* eq smtp


pager lines 24
logging asdm informational


mtu inside 1500
mtu outside 1500


ip local pool vpnpool 192.168.101.50-192.168.101.100


icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400


nat (inside,outside) source static obj-Internal-192.168.1.0 obj-Internal-192.168.1.0 destination static obj-vpnPool obj-vpnPool


object network obj_any
nat (inside,outside) dynamic interface


object network SERVER01
nat (inside,outside) static interface service tcp smtp smtp


object network SERVER02
nat (inside,outside) static interface service tcp www www


object network SERVER03
nat (inside,outside) static interface service tcp https https


access-group outside_in in interface outside


timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00


dynamic-access-policy-record DfltAccessPolicy


aaa-server RADIUS_SERVER_GROUP protocol RADIUS
aaa-server RADIUS_SERVER_GROUP (inside) host 192.168.*.*
key secretkey


http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside


no snmp-server location
no snmp-server contact


snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart


crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set transform-set ESP-3DES-MD5
crypto dynamic-map RA-VPN 1 set security-association lifetime seconds 28800
crypto dynamic-map RA-VPN 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set reverse-route
crypto map RA-VPN 65535 ipsec-isakmp dynamic RA-VPN
crypto map RA-VPN interface outside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400


crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400


crypto isakmp nat-traversal 10
crypto isakmp ipsec-over-tcp port 1000


telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 60


ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60


console timeout 0


management-access inside


vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname [email protected]
vpdn group pppoe_group ppp authentication pap
vpdn username [email protected] password *****


dhcpd dns 192.168.*.* 4.2.2.2
dhcpd lease 8400
dhcpd ping_timeout 750
dhcpd domain mydomain.local
dhcpd auto_config outside


dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside


priority-queue inside
priority-queue outside


threat-detection basic-threat
threat-detection statistics access-list


no threat-detection statistics tcp-intercept
webvpn


group-policy examplevpn internal
group-policy examplevpn attributes
dns-server value 192.168.*.* 4.2.2.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value mydomain.local


username vicky password 9fO.vlLc77pAFoHp encrypted privilege 15
username otherusers password hhckff6QokyoRdar encrypted privilege 10
username examplevpn password IKg0RMHfprF6Ya3u encrypted


username admin password DwCTJcBn.Q0dDe9z encrypted privilege 15
username admin attributes
vpn-group-policy examplevpn


tunnel-group RA-VPN type remote-access
tunnel-group examplevpn type remote-access
tunnel-group examplevpn general-attributes
address-pool vpnpool
authentication-server-group RADIUS_SERVER_GROUP
default-group-policy examplevpn


tunnel-group examplevpn ipsec-attributes
pre-shared-key *****


class-map global-class
match default-inspection-traffic


class-map class_sip_tcp
match port tcp eq sip


class-map inspection_default
match default-inspection-traffic


policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512


policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect tftp
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect icmp
  inspect ipsec-pass-thru
  inspect ip-options
class class_sip_tcp
  inspect sip


service-policy global_policy global
prompt hostname context
Cryptochecksum:3edb25d4a550f0394e8c1936ab3326ad



That right?


Thanks,


Vicky

Asim Malik (Cisco Employee) Mon, 08/23/2010 - 20:35

Yes, it looks correct. It's as easy as it sounds.

vickyleach1 Tue, 08/24/2010 - 09:31

After speaking with the server guy at my work and also looking over another config, I saw that it included LDAP. The server guy told me that Active Directory automatically uses LDAP. This being said, are the following changes to my configuration correct?


aaa-server TACACS+ Protocol tacacs+    <------- Do I even need this? I'm not using Cisco's protocols here, am I?
aaa-server RADIUS_SERVER_GROUP protocol RADIUS

aaa-server LDAP_SERVER_GROUP protocol ldap
aaa-server LDAP_SERVER_GROUP (inside) host 192.168.*.*
  ldap-base-dn dc=mydomain    <--------- Do I need to add ",dc=local" if the domain name is mydomain.local?
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-password *
  ldap-login-dn cn=administrator, cn=users, dc=mydomain    <--------- Do I need to add ",dc=local" if the domain name is mydomain.local?
  server-type microsoft
key secretkey    <---------- Do I even need this? Considering I have the ldap-login-password, I mean.



And obviously changing the following:


tunnel-group RA-VPN type remote-access
tunnel-group examplevpn type remote-access
tunnel-group examplevpn general-attributes
address-pool vpnpool
authentication-server-group LDAP_SERVER_GROUP



By the way, thank you in all your help with this, it has been very helpful


Vicky

Asim Malik (Cisco Employee) Wed, 08/25/2010 - 08:54

Hi Vicky,


What exactly do you want to use? LDAP, RADIUS or TACACS? Your RADIUS server config was correct; if the RADIUS server is set up fine, it should work.

vickyleach1 Wed, 08/25/2010 - 09:58

I have a Microsoft 2008 server running RADIUS. But Microsoft uses LDAP, which is why I asked/was wondering.

b.julin (Bronze, 100 points or more) Thu, 08/26/2010 - 19:47

I don't know how it's done on an MS RADIUS server, but in our setup the VPN does not talk LDAP; it talks RADIUS to the RADIUS server, and the RADIUS server in turn talks ldap/smbauth to the LDAP and Active Directory servers respectively.


You should get that process cleared up with your server guys. On the VPN side it looks like this:


vpdn group DefaultRAGroup localname foo
vpdn group DefaultRAGroup ppp authentication pap

dynamic-access-policy-record DfltAccessPolicy
aaa-server xxx protocol radius
aaa-server xxx (management) host XX.XX.XX.XX
key *****   
authentication-port 1812

no vpn-addr-assign aaa
no vpn-addr-assign local

group-policy DfltGrpPolicy attributes

  dhcp-network-scope YY.YY.YY.YY

split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-default-routes

intercept-dhcp 255.255.0.0 enable

user-authentication enable
address-pools value vpn-ras1-defaultpool
tunnel-group DefaultRAGroup general-attributes

  user-authentication enable
   address-pools value vpn-ras1-defaultpool

  authentication-server-group xxx
  authentication-server-group (outside) xxx
  dhcp-server ZZ.ZZ.ZZ.ZZ
  strip-realm 
  strip-group 
  username-from-certificate use-entire-name

tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2


...once the RADIUS server is configured you should be able to see it up with:


#show aaa-server xxx

Server Group:     xxx
Server Protocol: radius
Server Address:     XX.XX.XX.XX
Server port:     1812(authentication), 1646(accounting)
Server status:     ACTIVE, Last transaction at 22:35:17 edt Thu Aug 26 2010
Number of pending requests        0
Average round trip time            33ms
Number of authentication requests    1970
Number of authorization requests    0
Number of accounting requests        0
Number of retransmissions        0
Number of accepts            1899
Number of rejects            54
Number of challenges            0
Number of malformed responses        0
Number of bad authenticators        0
Number of timeouts            17
Number of unrecognized responses    0


...often you cannot test real authentication, but you can at least ensure the "Number of authentication requests" and "Number of rejects" increment using the command:


# test aaa-server authentication xxx host XX.XX.XX.XX username foo password foo
INFO: Attempting Authentication test to IP address (timeout: 12 seconds)
ERROR: Authentication Rejected: AAA failure


...if you've got communication problems between the VPN and RADIUS server, you'll get a timeout instead of a Rejected.


Once you have that working you are pretty much done on the VPN side, and it's all down to taming the RADIUS server configs.
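The advice above (watch "Number of authentication requests" and "Number of rejects" move after a deliberate test, and treat a timeout rather than a Rejected as a connectivity problem) can be made mechanical. The Python below is an added example, not code from the thread or from Cisco: it parses 'show aaa-server' output captured before and after one 'test aaa-server authentication' run and names what the counter movement means. The BEFORE sample is copied in shape from the post with the server address left masked; the "after" snapshots are constructed; the function names and verdict strings are assumptions of the example.

```python
import re
from typing import Dict

# Sample 'show aaa-server xxx' output, copied in shape from the post above
# (server address masked as in the original).
BEFORE = """\
Server Group:     xxx
Server Protocol: radius
Server Address:     XX.XX.XX.XX
Server port:     1812(authentication), 1646(accounting)
Server status:     ACTIVE, Last transaction at 22:35:17 edt Thu Aug 26 2010
Number of pending requests        0
Average round trip time            33ms
Number of authentication requests    1970
Number of authorization requests    0
Number of accounting requests        0
Number of retransmissions        0
Number of accepts            1899
Number of rejects            54
Number of challenges            0
Number of malformed responses        0
Number of bad authenticators        0
Number of timeouts            17
Number of unrecognized responses    0
"""

COUNTER_RE = re.compile(r"^Number of (.+?)\s{2,}(\d+)\s*$")
STATUS_RE = re.compile(r"^Server status:\s+(\w+)")


def parse_aaa_server(text: str) -> Dict[str, object]:
    """Turn 'show aaa-server <group>' output into {'status': ..., 'counters': {name: int}}."""
    status, counters = "UNKNOWN", {}
    for line in text.splitlines():
        if m := STATUS_RE.match(line):
            status = m.group(1)
        elif m := COUNTER_RE.match(line):
            counters[m.group(1).strip()] = int(m.group(2))
    return {"status": status, "counters": counters}


def bump(text: str, counter: str, n: int = 1) -> str:
    """Constructed test helper: advance one 'Number of <counter>' line by n."""
    pat = re.compile(rf"^(Number of {re.escape(counter)}\s+)(\d+)\s*$", re.MULTILINE)
    return pat.sub(lambda m: f"{m.group(1)}{int(m.group(2)) + n}", text)


# Constructed "after" snapshots: the counters once a single test request with a
# bogus password has either been answered (reject) or gone unanswered (timeout).
AFTER_REJECT = bump(bump(BEFORE, "authentication requests"), "rejects")
AFTER_TIMEOUT = bump(bump(BEFORE, "authentication requests"), "timeouts")


def probe_verdict(before: str, after: str) -> str:
    """Name what one test request did to the counters between two snapshots."""
    b = parse_aaa_server(before)["counters"]
    a = parse_aaa_server(after)["counters"]
    d = {k: a.get(k, 0) - b.get(k, 0) for k in a}
    if d.get("authentication requests", 0) < 1:
        return "NO_REQUEST_SENT"   # the test never left this server group
    if d.get("bad authenticators", 0) >= 1:
        return "KEY_MISMATCH"      # a reply came back but did not verify against the configured key
    if d.get("timeouts", 0) >= 1:
        return "TIMEOUT"           # nothing answered: path, port, or no client entry on the server
    if d.get("rejects", 0) >= 1:
        return "REJECTED"          # the server answered; the decision is now on its side
    if d.get("accepts", 0) >= 1:
        return "ACCEPTED"
    return "UNDETERMINED"


if __name__ == "__main__":
    snap = parse_aaa_server(BEFORE)
    print(snap["status"], snap["counters"]["authentication requests"])
    print(probe_verdict(BEFORE, AFTER_REJECT), probe_verdict(BEFORE, AFTER_TIMEOUT))
```

Capture the two snapshots with `show aaa-server <group>` around the `test aaa-server authentication` command; a REJECTED verdict is the good outcome the post describes for a bogus password, and TIMEOUT points at reachability or the server-side client entry rather than at the ASA's tunnel-group configuration.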

vickyleach1 Wed, 08/25/2010 - 11:21

OK, so I got the config in there (keeping the LOCAL commands so I don't interrupt the current VPNs too much) and I am running the "test aaa-server authentication LDAP_SERV_GROUP host 192.168.*.*" command to test the username and password authentication (I had to change the AAA group name to LDAP_SERV_GROUP instead of the other, as the other was too long). However, it is coming up as failing. This is my output:


Username: administrator
Password: ********
INFO: Attempting Authentication test to IP address <192.168.*.*> (timeout: 12 seconds)

[3420] Session Start
[3420] New request Session, context 0xc9de1448, reqType = Authentication
[3420] Fiber started
[3420] Creating LDAP context with uri=ldap://192.168.*.*:389
[3420] Connect to LDAP server: ldap://192.168.*.*:389, status = Successful
[3420] supportedLDAPVersion: value = 3
[3420] supportedLDAPVersion: value = 2
[3420] Binding as Administrator
[3420] Performing Simple authentication for Administrator to 192.168.*.*
[3420] LDAP Search:
        Base DN = [dc=mydomain ]
        Filter  = [sAMAccountName=administrator]
        Scope   = [SUBTREE]
[3420] Request for administrator returned code (10) Referral
[3420] Fiber exit Tx=286 bytes Rx=608 bytes, status=-1
[3420] Session End
ERROR: Authentication Rejected: Unspecified



It's not due to bad authentication, as it is coming up with the code (10) Referral (or so I assume).


I did change my AAA to "ldap-login-dn cn=Administrator, cn=Users, dc=mydomain, dc=local"

instead of "ldap-login-dn cn=administrator, cn=users, dc=mydomain"


Because the following output was the result of not having the "dc=local" at the end. That output was:


ASA# test aaa-server authentication LDAP_SERV_GROUP host 192.168.*.*
Username: administrator
Password: ********
INFO: Attempting Authentication test to IP address <192.168.*.*> (timeout: 12 seconds)

[3419] Session Start
[3419] New request Session, context 0xc9de1448, reqType = Authentication
[3419] Fiber started
[3419] Creating LDAP context with uri=ldap://192.168.*.*:389
[3419] Connect to LDAP server: ldap://192.168.*.*:389, status = Successful
[3419] supportedLDAPVersion: value = 3
[3419] supportedLDAPVersion: value = 2
[3419] Binding as administrator
[3419] Performing Simple authentication for administrator to 192.168.*.*
[3419] Simple authentication for administrator returned code (49) Invalid credentials
[3419] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[3419] Fiber exit Tx=204 bytes Rx=567 bytes, status=-2
[3419] Session End
ERROR: Authentication Server not responding: AAA Server has been removed



I am still looking stuff up and troubleshooting, mainly using "debug ldap 255", and obviously I double-checked my credentials were correct by using the command "dsquery user -samid administrator" on the server.


Any ideas though?
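The two transcripts in this post differ in a way the LDAP result codes make explicit: code 49 (invalidCredentials) means the bind with the configured ldap-login-dn was refused, while code 10 (referral) means the bind succeeded but the search base "dc=mydomain" is not a naming context this domain controller holds, so it points the client elsewhere; for the domain mydomain.local the default naming context is "dc=mydomain,dc=local". The Python below is an added example, not code from the thread or from Cisco: it derives the expected base DN from the DNS domain name and triages a pasted 'test aaa-server authentication' transcript. The function names, verdict strings and hint text are assumptions of the example; the two embedded transcripts are copied in shape from this post with the server address left masked.

```python
import re
from typing import Dict, List, Optional, Tuple

# Both transcripts are copied in shape from the post above; the server
# address stays masked as it was there.
REFERRAL_TRANSCRIPT = """\
[3420] Creating LDAP context with uri=ldap://192.168.*.*:389
[3420] Connect to LDAP server: ldap://192.168.*.*:389, status = Successful
[3420] Binding as Administrator
[3420] Performing Simple authentication for Administrator to 192.168.*.*
[3420] LDAP Search:
        Base DN = [dc=mydomain ]
        Filter  = [sAMAccountName=administrator]
        Scope   = [SUBTREE]
[3420] Request for administrator returned code (10) Referral
[3420] Fiber exit Tx=286 bytes Rx=608 bytes, status=-1
ERROR: Authentication Rejected: Unspecified
"""

BIND_FAIL_TRANSCRIPT = """\
[3419] Creating LDAP context with uri=ldap://192.168.*.*:389
[3419] Connect to LDAP server: ldap://192.168.*.*:389, status = Successful
[3419] Binding as administrator
[3419] Performing Simple authentication for administrator to 192.168.*.*
[3419] Simple authentication for administrator returned code (49) Invalid credentials
[3419] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[3419] Fiber exit Tx=204 bytes Rx=567 bytes, status=-2
ERROR: Authentication Server not responding: AAA Server has been removed
"""

LDAP_REFERRAL, LDAP_INVALID_CREDENTIALS = 10, 49   # RFC 4511 resultCode values

CODE_RE = re.compile(r"returned code \((-?\d+)\) (.+?)\s*$")
BASE_RE = re.compile(r"Base DN\s*=\s*\[(.*?)\]")
CONNECT_RE = re.compile(r"Connect to LDAP server: .*status = (\w+)")


def base_dn_from_domain(domain: str) -> str:
    """AD's default naming context for a DNS domain: mydomain.local -> dc=mydomain,dc=local."""
    labels = [l for l in domain.strip().strip(".").split(".") if l]
    return ",".join(f"dc={l}" for l in labels)


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: lowercase, no spaces around the commas."""
    return ",".join(p.strip().lower() for p in dn.strip().split(",") if p.strip())


def triage_ldap_test(transcript: str, domain: str) -> Dict[str, Optional[str]]:
    """Classify a 'test aaa-server authentication' transcript against an LDAP group."""
    base_dn: Optional[str] = None
    connected: Optional[str] = None
    codes: List[Tuple[int, str]] = []
    for line in transcript.splitlines():
        if m := BASE_RE.search(line):
            base_dn = m.group(1).strip()
        if m := CONNECT_RE.search(line):
            connected = m.group(1)
        if m := CODE_RE.search(line):
            codes.append((int(m.group(1)), m.group(2)))
    expected = base_dn_from_domain(domain)
    out: Dict[str, Optional[str]] = {"base_dn": base_dn, "expected_base_dn": expected,
                                     "verdict": None, "hint": None}
    seen = {c for c, _ in codes}
    if connected is not None and connected != "Successful":
        out["verdict"] = "CONNECT_FAILED"
        out["hint"] = "no LDAP session: check reachability of tcp/389 from the named interface"
    elif LDAP_INVALID_CREDENTIALS in seen:
        out["verdict"] = "BIND_REJECTED"
        out["hint"] = ("the bind with ldap-login-dn was refused: the login DN must be the full DN "
                       "including every dc= component, and ldap-login-password must match")
    elif LDAP_REFERRAL in seen:
        out["verdict"] = "REFERRAL"
        if base_dn is not None and normalize_dn(base_dn) != expected:
            out["hint"] = (f"search base '{base_dn}' is not a naming context this DC holds; "
                           f"for {domain} expect '{expected}'")
        else:
            out["hint"] = "the DC referred the search elsewhere; the object is not under ldap-base-dn"
    elif codes:
        c, text = codes[-1]
        out["verdict"], out["hint"] = "OTHER_ERROR", f"LDAP code {c}: {text}"
    else:
        out["verdict"] = "NO_LDAP_ERROR"
    return out


if __name__ == "__main__":
    for name, t in (("referral", REFERRAL_TRANSCRIPT), ("bind", BIND_FAIL_TRANSCRIPT)):
        r = triage_ldap_test(t, "mydomain.local")
        print(name, r["verdict"], "-", r["hint"])
```

Bind failures are checked before referrals because a refused bind stops the search altogether, so no base DN is visible in that transcript; only when the bind succeeds does the referral verdict, and the base DN comparison behind it, apply.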

vickyleach1 Tue, 08/31/2010 - 07:49

Yes, you were right. Here is the complete working config in case someone needs help like I did. Thanks for the help, guys.



ASA# sh run
: Saved
:
ASA Version 8.3(1)


hostname
domain-name mydomain.local
enable password GmSL9emLLUC2J7jz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names


interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0


interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group pppoe_group
ip address pppoe setroute


interface Ethernet0/0
switchport access vlan 2


interface Ethernet0/1


interface Ethernet0/2


interface Ethernet0/3


interface Ethernet0/4


interface Ethernet0/5


interface Ethernet0/6


interface Ethernet0/7


boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name mydomain.local


same-security-traffic permit inter-interface
same-security-traffic permit intra-interface


object network obj_any
subnet 0.0.0.0 0.0.0.0


object network obj-vpnPool
subnet 192.168.101.0 255.255.255.0


-----------Same server, 1 per protocol-------------


object network SERVER01
host 192.168.*.*


object network obj-Internal-192.168.1.0
subnet 192.168.1.0 255.255.255.0


object network SERVER02
host 192.168.*.*


object network SERVER03
host 192.168.*.*


object network obj-OutsideIP
host 73.*.*.*


access-list splittunnel standard permit 192.168.1.0 255.255.255.0


access-list outside_in extended permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_in extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list outside_in extended permit tcp any host 192.168.*.* eq www
access-list outside_in extended permit tcp any host 192.168.*.* eq https
access-list outside_in extended permit tcp any host 192.168.*.* eq smtp


pager lines 24
logging asdm informational


mtu inside 1500
mtu outside 1500


ip local pool vpnpool 192.168.101.50-192.168.101.100
icmp unreachable rate-limit 1 burst-size 1


asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400


nat (inside,outside) source static obj-Internal-192.168.1.0 obj-Internal-192.168.1.0 destination static obj-vpnPool obj-vpnPool


object network obj_any
nat (inside,outside) dynamic interface


object network SERVER01
nat (inside,outside) static interface service tcp smtp smtp


object network SERVER02
nat (inside,outside) static interface service tcp www www


object network SERVER03
nat (inside,outside) static interface service tcp https https


access-group outside_in in interface outside


timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00


dynamic-access-policy-record DfltAccessPolicy


aaa-server TACACS+ protocol tacacs+
aaa-server RA_SERVER_GROUP protocol radius
aaa-server LDAP_SERV_GROUP protocol ldap
aaa-server LDAP_SERV_GROUP (inside) host 192.168.*.*


ldap-base-dn dc=mydomain, dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****    <----Password of the server
ldap-login-dn cn=Administrator, cn=Users, dc=mydomain, dc=local
server-type microsoft


aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL


http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside


no snmp-server location
no snmp-server contact


snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart


crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set transform-set ESP-3DES-MD5
crypto dynamic-map RA-VPN 1 set security-association lifetime seconds 28800
crypto dynamic-map RA-VPN 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set reverse-route
crypto map RA-VPN 65535 ipsec-isakmp dynamic RA-VPN
crypto map RA-VPN interface outside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400


crypto isakmp nat-traversal 10
crypto isakmp ipsec-over-tcp port 1000


telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 60


ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60


console timeout 0


management-access inside


vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname [email protected]
vpdn group pppoe_group ppp authentication pap
vpdn username [email protected] password *****


dhcpd dns 192.168.*.* 4.2.2.2
dhcpd lease 8400
dhcpd ping_timeout 750
dhcpd domain mydomain.local
dhcpd auto_config outside


dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside



priority-queue inside
priority-queue outside


threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept


webvpn


group-policy examplevpn internal
group-policy examplevpn attributes
dns-server value 192.168.*.* 4.2.2.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value mydomain.local


username otherusers password hhckff6QokyoRdar encrypted privilege 10
username examplevpn password IKg0RMHfprF6Ya3u encrypted


username admin password DwCTJcBn.Q0dDe9z encrypted privilege 15
username admin attributes
vpn-group-policy examplevpn


username Vicky password kVVIdKLCZanWt.w6 encrypted privilege 15
username Vicky attributes
vpn-group-policy examplevpn


tunnel-group RA-VPN type remote-access


-----------TUNNEL GROUP FOR THE LOCAL TUNNEL-------------


tunnel-group examplevpn type remote-access
tunnel-group examplevpn general-attributes
address-pool vpnpool
authorization-server-group (outside) LOCAL
default-group-policy examplevpn


tunnel-group examplevpn ipsec-attributes
pre-shared-key *****


-----------TUNNEL GROUP FOR THE RADIUS/LDAP TUNNEL-------------


tunnel-group Radiusvpn type remote-access
tunnel-group Radiusvpn general-attributes
address-pool vpnpool
authentication-server-group LDAP_SERV_GROUP
tunnel-group Radiusvpn ipsec-attributes
pre-shared-key *****


class-map global-class
match default-inspection-traffic


class-map class_sip_tcp
match port tcp eq sip


class-map inspection_default
match default-inspection-traffic



policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect tftp
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect icmp
  inspect ipsec-pass-thru
  inspect ip-options
class class_sip_tcp
  inspect sip
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:be674163196f614ba3efb4d766a27603
: end
