Julie Burruss
Introduction

How to Check an AAA-Server Authentication on Cisco ASA/PIX/FWSM

Tip

This month's reader tip from Syed Khushnud Amer Ali Shah Gilani shows how to test authentication against a configured AAA server directly from the ASA command line, without having to build a VPN or management session to reproduce a login failure.

test aaa-server [authentication|authorization] <aaa_server_group> [host <name>|<host_ip>] username <user> password <pass>

<aaa_server_group> is the name of the aaa-server group; the optional host keyword selects one server in that group (if it is omitted, the ASA prompts for the server address). The username and password are sent to the server exactly as a real login would send them, so the result reflects the server's view of the account, not just reachability.

For example:

ASA# test aaa-server authentication TACGroup username johndoe password cisco123

If authentication succeeds, the ASA reports:
INFO: Authentication Successful

If authentication fails, the ASA reports:
ERROR: Authentication Rejected: Unspecified

"Unspecified" is the generic rejection: it covers a wrong password as well as a user object the server could not find at all, so the reason has to be worked out from the server configuration or the debug output.

Authentication Example for an LDAP Configuration

username michael: account object is in the default Active Directory Users container (CN=Users,DC=carolco,DC=int)

username jennifer: account object is in the organizational unit carolco-Users (OU=carolco-Users,DC=carolco,DC=int)

Michael cannot log in, because the ldap-base-dn in the configuration below is OU=carolco-Users and the user search never looks in CN=Users.

aaa-server LAB_LDAP_GRP protocol ldap
aaa-server LAB_LDAP_GRP (inside) host 10.30.10.50
 ldap-base-dn OU=carolco-Users,DC=carolco,DC=int
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=ciscoasa,CN=Users,DC=carolco,DC=int
 server-type auto-detect

Coresite-nj-fw-01# test aaa-server authentication LAB_LDAP_GRP host 10.30.10.50 username jennifer password g00dlogin
INFO: Attempting Authentication test to IP address <10.30.10.50> (timeout: 12 seconds)
INFO: Authentication Successful

Coresite-nj-fw-01# test aaa-server authentication LAB_LDAP_GRP host 10.30.10.50 username michael password g00dlogin
INFO: Attempting Authentication test to IP address <10.30.10.50> (timeout: 12 seconds)
ERROR: Authentication Rejected: Unspecified

The base DN therefore works as a coarse authorization boundary: create two aaa-server groups, each with ldap-base-dn set to a container that holds only the users who should reach the corresponding SSL VPN tunnel group, and assign each tunnel group its own aaa-server group. Keep in mind that ldap-scope subtree also matches accounts in any OU nested below the base DN, so the container must be one whose membership is tightly controlled.

Another Scenario

The following LDAP debug output from the ASA (debug ldap 255) shows the search the firewall issued before rejecting the user. The filter is built from the configured ldap-naming-attribute, and here it names an attribute that does not exist in Active Directory:

[-2147483610] LDAP Search:
        Base DN = [DC=city,DC=charlottesville,DC=org]
        Filter  = [sAMAccount=sargentm]
        Scope   = [SUBTREE]
[-2147483610] Search result parsing returned failure status
[-2147483610] Fiber exit Tx=308 bytes Rx=677 bytes, status=-1
[-2147483610] Session End

ERROR: Authentication Rejected: Unspecified

Solution
Replace the following command inside the server parameters:

ldap-naming-attribute sAMAccount

With

ldap-naming-attribute sAMAccountName

Note: sAMAccount is not a valid Active Directory attribute name, so the naming attribute was misconfigured. The resulting filter (sAMAccount=sargentm) can never match, the search returns no entry for the ASA to bind as, and the ASA reports the generic "Authentication Rejected: Unspecified". After correcting the attribute, re-run the test aaa-server command above and confirm the debug output shows a filter on sAMAccountName.
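Both LDAP failures on this page (a user object outside the configured base DN, and a misspelled naming attribute) come down to the search the ASA builds from its aaa-server parameters. The following script is an added example, not code from the article or from Cisco: it parses a hand-copied aaa-server block, works out whether a search rooted at ldap-base-dn with the configured ldap-scope would find a given user object, and prints the equivalent OpenLDAP ldapsearch command so the same query can be checked from a workstation before touching the firewall. The config fragment and the user DNs are constructed for the example; the ldapsearch equivalence and the list of valid naming attributes are assumptions stated in the code.

```python
import re

# Constructed config fragment, modelled on the article's LAB_LDAP_GRP block.
# The bind password is masked here exactly as the ASA shows it.
ASA_CONFIG = """\
aaa-server LAB_LDAP_GRP protocol ldap
aaa-server LAB_LDAP_GRP (inside) host 10.30.10.50
 ldap-base-dn OU=carolco-Users,DC=carolco,DC=int
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=ciscoasa,CN=Users,DC=carolco,DC=int
 server-type auto-detect
"""

# Constructed directory: where each test account's object lives in AD.
DIRECTORY = {
    "michael": "CN=michael,CN=Users,DC=carolco,DC=int",
    "jennifer": "CN=jennifer,OU=carolco-Users,DC=carolco,DC=int",
}

# Login-name attributes that exist in Active Directory (assumption: this short
# list is enough for the check); 'sAMAccount' is deliberately not among them.
KNOWN_NAMING_ATTRIBUTES = {"sAMAccountName", "userPrincipalName", "cn"}


def parse_ldap_server(config):
    """Collect the server-level parameters (ldap-*, server-type) and the host."""
    params = {}
    for line in config.splitlines():
        m = re.match(r"\s+(ldap-[\w-]+|server-type)\s+(.+)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    host = re.search(r"^aaa-server \S+ \(\S+\) host (\S+)", config, re.M)
    if host:
        params["host"] = host.group(1)
    return params


def normalize_dn(dn):
    """Split a DN into lower-cased RDNs with whitespace removed, so suffix
    comparisons are case-insensitive. Escaped commas inside RDN values are
    not handled by this simple splitter."""
    return [re.sub(r"\s*=\s*", "=", p.strip()).lower() for p in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """Would a search rooted at base_dn with the ASA's ldap-scope see entry_dn?
    subtree: any depth below the base; onelevel: direct children only."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    depth = len(entry) - len(base)
    if depth < 1 or entry[-len(base):] != base:
        return False
    return depth == 1 if scope == "onelevel" else True


def simulate_auth(params, username, directory):
    """Mimic the ASA's sequence: bind as ldap-login-dn, search for the user with
    (naming-attribute=username) under the base DN, then bind as the found DN.
    Returns (success, reason)."""
    attr = params["ldap-naming-attribute"]
    base = params["ldap-base-dn"]
    scope = params["ldap-scope"]
    ldap_filter = f"({attr}={username})"
    if attr not in KNOWN_NAMING_ATTRIBUTES:
        return False, f"filter {ldap_filter} uses unknown attribute {attr!r}; search matches nothing"
    user_dn = directory.get(username)
    if user_dn is None or not in_scope(user_dn, base, scope):
        return False, f"no object matches {ldap_filter} under {base} (scope {scope})"
    return True, f"found {user_dn}; the ASA would now bind as that DN with the user's password"


def ldapsearch_command(params, username):
    """Equivalent OpenLDAP ldapsearch to run from a host that can reach the server
    (assumption: ldapsearch is installed; -W prompts for the ldap-login-dn password)."""
    scope = {"subtree": "sub", "onelevel": "one"}[params["ldap-scope"]]
    return (f"ldapsearch -x -H ldap://{params['host']} -D '{params['ldap-login-dn']}' -W "
            f"-b '{params['ldap-base-dn']}' -s {scope} "
            f"'({params['ldap-naming-attribute']}={username})' dn")


if __name__ == "__main__":
    cfg = parse_ldap_server(ASA_CONFIG)
    for user in ("jennifer", "michael"):
        ok, why = simulate_auth(cfg, user, DIRECTORY)
        verdict = "INFO: Authentication Successful" if ok else "ERROR: Authentication Rejected"
        print(f"{user}: {verdict} ({why})")
        print("  check on the wire:", ldapsearch_command(cfg, user))
    # The "Another Scenario" typo: a filter on a non-existent attribute.
    bad = dict(cfg, **{"ldap-naming-attribute": "sAMAccount"})
    print("sargentm with sAMAccount:", simulate_auth(bad, "sargentm", DIRECTORY)[1])
```

Run it as-is to see jennifer succeed and michael fail for the reason given on this page; change the base DN to DC=carolco,DC=int and michael is found as well, which is the same effect as the "two aaa-server groups" arrangement in reverse. The ldapsearch line it prints returns the matching DN (or nothing) from the directory itself, which is quicker than reading the ASA debug and shows whether the problem is scope, attribute name, or bind credentials.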
