
AD 2008 and VPN

Unanswered Question
Mar 20th, 2012

I am rather new to administering the ASA. I am currently on 8.2.5 but I will be moving to 8.4.3 within the next week or so. In the meantime I would like to get my vpn system up and going. Currently I am able to vpn in to my system using a local server group, but I would like to simplify things by getting my ASA to accept AD credentials. I found a bunch of articles referencing how to do this. I first attempted to use this article but the test option yields a failure stating "The authentication Server not responding: AAA Server has been removed." I then began to do more research finding things like having to add the Network Policy and Access Services to my domain controllers which I vaguely remember using at my last job prior to getting our Tacacs+ server.

Here are my questions:

  1. Is LDAP able to be used for this process with AD 2008 Domain Controllers? I have a feeling the linked article I referenced used old AD 2003 servers because I am fairly sure I followed it to a T.
  2. Is LDAP the preferred method to connect the ASA to the directory server? Is NPAS a better option? I would like to use a Tacacs+ server but I don't have that option right now and probably won't for another year.
  3. Does anyone have a good link to some documentation that shows this method (preferred/best practice method)?

Thanks in advance. I did some searching on the forums and there were some mildly related items to what I am asking but I couldn't find anything very recent. If someone's search-fu is better than mine, linking me to a relevant already asked question would be helpful as well.

DemPackets Tue, 03/20/2012 - 07:35

Update 1: The login dn notation in the linked article is wrong. Format should be domain\username or [email protected]. Once I corrected this issue, the test began working.

I have now created the IPSec Connection Profile, Group Policy, and Dynamic Access Policy. I have set up my PCF file on my client to connect to the new group I created, however I seem to be getting the following errors:

Cisco Systems VPN Client Version
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory:

1      11:06:52.855  03/20/12  Sev=Warning/3          IKE/0xE3000057
The received HASH payload cannot be verified

2      11:06:52.856  03/20/12  Sev=Warning/2          IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.

3      11:06:52.856  03/20/12  Sev=Warning/2          IKE/0xE300009B
Failed to authenticate peer (Navigator:915)

4      11:06:52.856  03/20/12  Sev=Warning/2          IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2263)

DemPackets Tue, 03/20/2012 - 11:45

Fixed this issue. My Group Profile was spelled incorrectly. I renamed it in the ASA with the correct spelling and everything is now fine.
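For reference, an ASA 8.2-style configuration that puts the two fixes from this thread together: the LDAP server group with the bind account in the UPN form the first update describes, and an IPsec tunnel group whose name must match the GroupName in the client's .pcf exactly (the spelling mismatch behind the "Hash verification failed" lines). This is an added example, not the poster's configuration; every name, address, DN and password below is a placeholder.

```text
! Added example (not from the thread). All names, IPs, DNs and passwords are placeholders.
! LDAP server group pointing at an AD 2008 domain controller.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=corp,DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ! Bind account in UPN form (user@domain), as the first update reports working.
 ! Use a dedicated, unprivileged service account; the ASA only needs to read user objects.
 ldap-login-dn svc-asa-ldap@corp.example.com
 ldap-login-password <placeholder-bind-password>
 server-type microsoft
 ! LDAPS so neither the bind password nor the VPN users' passwords cross the wire in clear;
 ! the domain controller's certificate must be trusted by the ASA for this to work.
 ldap-over-ssl enable
 server-port 636
!
! Verify the bind and a user authentication before attaching the group to the VPN:
!   test aaa-server authentication AD-LDAP host 192.0.2.10 username jdoe password <placeholder>
!
! IPsec remote-access tunnel group. "RA-AD" must match the GroupName in the client's .pcf
! exactly; a typo here (or in the .pcf) is what the client reports as a group password failure.
tunnel-group RA-AD type remote-access
tunnel-group RA-AD general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-RA-AD
tunnel-group RA-AD ipsec-attributes
 pre-shared-key <placeholder-group-password>
```

The group policy GP-RA-AD referenced above is assumed to exist already; the thread's Dynamic Access Policy is unaffected by these lines.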
