How to Check an AAA-Server Authentication on Cisco ASA/PIX/FWSM

Posted February 5, 2010; updated May 20, 2015

Introduction

Tip

This month's reader tip from Syed Khushnud Amer Ali Shah Gilani shows how to test authentication against an AAA server straight from the ASA CLI, without needing a real client or VPN login. The command exercises the whole chain (server reachability, shared secret or bind credentials, and the user lookup itself), which makes it the first check to run when a new server group does not work.

test aaa-server authentication <aaa_server_group> [host <name>|<host_ip>] username <user> password <pass>
test aaa-server authorization <aaa_server_group> [host <name>|<host_ip>] username <user>

The authentication form needs the user's password; the authorization form only takes the username. If the group contains several servers and you omit the host keyword, the ASA tests against the first server in the group.

For example:

ASA# test aaa-server authentication TACGroup username johndoe password cisco123

If authentication succeeds, the ASA prints:
INFO: Authentication Successful

If authentication fails, it prints:
ERROR: Authentication Rejected: Unspecified

"Unspecified" is the ASA's generic rejection and does not say why the server said no (bad password, user outside the search base, wrong attribute, and so on). The LDAP examples below show how to narrow that down.

Authentication Example for an LDAP configuration

username michael: in the Active Directory default Users container (CN=Users,DC=carolco,DC=int)

username jennifer: in the Active Directory OU carolco-Users (OU=carolco-Users,DC=carolco,DC=int)

Michael could NOT log in :) The reason is in the configuration below: ldap-base-dn points at OU=carolco-Users, and a subtree search rooted there never reaches CN=Users, so the ASA simply does not find his account.


aaa-server LAB_LDAP_GRP protocol ldap
aaa-server LAB_LDAP_GRP (inside) host 10.30.10.50
 ldap-base-dn OU=carolco-Users,DC=carolco,DC=int
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=ciscoasa,CN=Users,DC=carolco,DC=int
 server-type auto-detect

Coresite-nj-fw-01# test aaa-server authentication LAB_LDAP_GRP host 10.30.10.50 username jennifer password g00dlogin
INFO: Attempting Authentication test to IP address <10.30.10.50> (timeout: 12 seconds)
INFO: Authentication Successful

Coresite-nj-fw-01# test aaa-server authentication LAB_LDAP_GRP host 10.30.10.50 username michael password g00dlogin
INFO: Attempting Authentication test to IP address <10.30.10.50> (timeout: 12 seconds)
ERROR: Authentication Rejected: Unspecified

To turn this into an access control, just make two aaa-server groups, one for each SSL VPN tunnel group, each with its ldap-base-dn set to a container that holds ONLY the users allowed into that tunnel group ;) Keep in mind this is a coarse allow-list: anyone who lands in that OU will authenticate, so OU membership has to be managed as tightly as the VPN policy itself. For finer control, an ldap attribute-map on a group attribute such as memberOf is the usual next step.
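To make the base-DN behaviour concrete, here is an added Python illustration (not part of the original tip and not Cisco code) that models the search the ASA issues: it checks whether a user's DN sits under the configured ldap-base-dn for the configured ldap-scope and predicts what the test command would print. The usernames and DNs are constructed to mirror the carolco.int lab above; DN handling is a simplified comma split, so escaped commas in RDNs are not supported.

```python
"""Predict which users an ASA aaa-server LDAP group can authenticate.

Added illustration, not Cisco code. It models the search the ASA issues
(ldap-base-dn + ldap-scope) and answers: does the user's DN sit inside
that search? DN handling is a simplified RFC 4514 split on commas, so
DNs with escaped commas are not supported here.
"""


def parse_dn(dn):
    """Split a DN into RDNs, most specific first, lower-cased because AD
    attribute names and the naming values used here compare
    case-insensitively."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def dn_in_scope(user_dn, base_dn, scope="subtree"):
    """True if a search rooted at base_dn with the ASA's ldap-scope
    ('subtree' or 'onelevel') can return the entry at user_dn."""
    user, base = parse_dn(user_dn), parse_dn(base_dn)
    # The base DN must be a proper suffix of the user's DN.
    if len(user) <= len(base) or user[-len(base):] != base:
        return False
    if scope == "subtree":
        return True
    if scope == "onelevel":
        return len(user) == len(base) + 1  # direct children only
    raise ValueError(f"unknown ldap-scope {scope!r}")


# Constructed lab data mirroring the page's carolco.int example.
ASA_BASE_DN = "OU=carolco-Users,DC=carolco,DC=int"
USER_DNS = {
    "jennifer": "CN=jennifer,OU=carolco-Users,DC=carolco,DC=int",
    "michael": "CN=michael,CN=Users,DC=carolco,DC=int",
}


def predict_test_result(username, base_dn=ASA_BASE_DN, scope="subtree"):
    """What 'test aaa-server authentication' should print for username,
    assuming the ldap-login-dn bind works and the password is correct."""
    dn = USER_DNS.get(username)
    if dn and dn_in_scope(dn, base_dn, scope):
        return "INFO: Authentication Successful"
    return "ERROR: Authentication Rejected: Unspecified"


if __name__ == "__main__":
    for user in USER_DNS:
        print(f"{user:<9} base={ASA_BASE_DN}: {predict_test_result(user)}")
    # Widening the base to the domain root would let michael in as well.
    print(f"michael   base=DC=carolco,DC=int: "
          f"{predict_test_result('michael', 'DC=carolco,DC=int')}")
```

Running it prints the rejection for michael and the success for jennifer, matching the two test runs above; pointing the base at DC=carolco,DC=int lets both through, which is exactly why the OU chosen as base DN has to contain only the intended users.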

Another Scenario

Here the test fails against a different directory, and the LDAP debug (debug ldap 255, run alongside the test) shows the search the ASA actually issued:

[-2147483610] LDAP Search:
        Base DN = [DC=city,DC=charlottesville,DC=org]
        Filter  = [sAMAccount=sargentm]
        Scope   = [SUBTREE]
[-2147483610] Search result parsing returned failure status
[-2147483610] Fiber exit Tx=308 bytes Rx=677 bytes, status=-1
[-2147483610] Session End

ERROR: Authentication Rejected: Unspecified

Solution
In the aaa-server host configuration, replace

ldap-naming-attribute sAMAccount

with

ldap-naming-attribute sAMAccountName

Note: the naming attribute had been entered as sAMAccount, which is not an Active Directory attribute. The filter the ASA builds from it (Filter = [sAMAccount=sargentm] in the debug above) can therefore never match the user, and the test reports the generic "Authentication Rejected: Unspecified". The debug output is the quickest way to spot this class of problem: check that the Base DN contains the user, that the Scope reaches them, and that the Filter attribute is the one your directory really uses (sAMAccountName for Active Directory, uid for most other LDAP servers).
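The checks just listed can be automated over the debug output. The following Python triage script is an added example, not Cisco tooling: it parses the fiber-prefixed lines that debug ldap emits, pulls out Base DN, Filter and Scope for each search, records whether the search failed, and flags a filter attribute that is not a usual naming attribute. The sample input is constructed from the debug output quoted above; the set of "known" attributes is an assumption you should adjust to your directories.

```python
"""Triage ASA 'debug ldap 255' output for a failed test aaa-server run.

Added example, not Cisco tooling. It parses the [fiber-id] prefixed lines
the ASA prints for each LDAP session and reports the likely
misconfiguration. The sample text is constructed from the output quoted
on this page; KNOWN_NAMING_ATTRIBUTES is an assumption to tune per site.
"""
import re

# Attributes an ASA is normally pointed at: sAMAccountName for Active
# Directory, uid for most other LDAP servers. Anything else is suspicious.
KNOWN_NAMING_ATTRIBUTES = {"samaccountname", "uid", "userprincipalname", "cn"}

LINE_RE = re.compile(r"^\[(-?\d+)\]\s*(.*)$")          # [fiber] rest-of-line
KV_RE = re.compile(r"^(Base DN|Filter|Scope)\s*=\s*\[(.*)\]$")
FILTER_RE = re.compile(r"^\(?([A-Za-z][\w-]*)=([^)]*)\)?$")  # attr=value


def parse_debug(text):
    """Group debug lines by fiber id and extract each search's parameters
    and outcome. Indented continuation lines carry no fiber prefix, so
    they are attached to the most recent fiber seen."""
    sessions, fiber = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            fiber, line = m.group(1), m.group(2).strip()
        if fiber is None:
            continue  # text before the first fiber id is not session data
        s = sessions.setdefault(fiber, {"failed": False})
        kv = KV_RE.match(line)
        if kv:
            s[kv.group(1)] = kv.group(2)
        elif "returned failure status" in line or "status=-1" in line:
            s["failed"] = True
    return sessions


def diagnose(session):
    """Return human-readable findings for one parsed LDAP session."""
    findings = []
    flt = session.get("Filter", "")
    fm = FILTER_RE.match(flt)
    if fm:
        attr = fm.group(1)
        if attr.lower() not in KNOWN_NAMING_ATTRIBUTES:
            findings.append(
                f"filter uses attribute '{attr}', which is not a usual "
                f"ldap-naming-attribute; Active Directory needs sAMAccountName")
    elif flt:
        findings.append(f"could not parse filter {flt!r}")
    if session["failed"] and not findings:
        findings.append("search failed but the filter looks sane: check that "
                        "ldap-base-dn and ldap-scope cover the user's DN and "
                        "that the ldap-login-dn account can read it")
    return findings


# Constructed sample: the debug output quoted on this page.
SAMPLE = """\
[-2147483610] LDAP Search:
        Base DN = [DC=city,DC=charlottesville,DC=org]
        Filter  = [sAMAccount=sargentm]
        Scope   = [SUBTREE]
[-2147483610] Search result parsing returned failure status
[-2147483610] Fiber exit Tx=308 bytes Rx=677 bytes, status=-1
[-2147483610] Session End
"""


def triage(text=SAMPLE):
    """Map each fiber id in the debug text to its list of findings."""
    return {fid: diagnose(s) for fid, s in parse_debug(text).items()}


if __name__ == "__main__":
    for fid, findings in triage().items():
        print(f"fiber {fid}:")
        for f in findings or ["no problem detected"]:
            print("  -", f)
```

Paste a captured debug session into SAMPLE (or feed it to triage) and the script points at the misspelled attribute; a failed search with a correct attribute instead yields the base-DN/scope/bind hint, which covers the first scenario on this page.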
