Introduction
How to Check an AAA-Server Authentication on Cisco ASA/PIX/FWSM
Tip
This month’s reader tip from Syed Khushnud Amer Ali Shah Gilani demonstrates how to test authentication against an AAA server directly from the ASA command line, using the following syntax:
test aaa-server [authentication|authorization] <aaa_server_group> [host <name>|<host_ip>] username <user> password <pass>
For example:
ASA# test aaa-server authentication TACGroup username johndoe password cisco123
If authentication is successful, the command prints:
INFO: Authentication Successful
If authentication fails, it prints:
ERROR: Authentication Rejected: Unspecified
Authentication Example for LDAP configuration
username michael: located in the Active Directory default Users container (CN=Users,DC=carolco,DC=int)
username jennifer: located in the Active Directory OU carolco-Users
Michael could NOT log in with the following configuration:
aaa-server LAB_LDAP_GRP protocol ldap
aaa-server LAB_LDAP_GRP (inside) host 10.30.10.50
ldap-base-dn OU=carolco-Users,DC=carolco,DC=int
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=ciscoasa,CN=Users,DC=carolco,DC=int
server-type auto-detect
Coresite-nj-fw-01# test aaa-server authentication LAB_LDAP_GRP host 10.30.10.50 username jennifer password g00dlogin
INFO: Attempting Authentication test to IP address <10.30.10.50> (timeout: 12 seconds)
INFO: Authentication Successful
Coresite-nj-fw-01# test aaa-server authentication LAB_LDAP_GRP host 10.30.10.50 username michael password g00dlogin
INFO: Attempting Authentication test to IP address <10.30.10.50> (timeout: 12 seconds)
ERROR: Authentication Rejected: Unspecified
Michael is rejected because the search is scoped to ldap-base-dn OU=carolco-Users,DC=carolco,DC=int, and his account lives outside that subtree. This behaviour can be used deliberately: create two aaa-server groups, one for each SSL VPN group, each with its ldap-base-dn set to a container that holds ONLY the users allowed to use that VPN group.
Another Scenario
[-2147483610] LDAP Search:
Base DN = [DC=city,DC=charlottesville,DC=org]
Filter = [sAMAccount=sargentm]
Scope = [SUBTREE]
[-2147483610] Search result parsing returned failure status
[-2147483610] Fiber exit Tx=308 bytes Rx=677 bytes, status=-1
[-2147483610] Session End
ERROR: Authentication Rejected: Unspecified
Solution
Replace the following line in the aaa-server host parameters:
ldap-naming-attribute sAMAccount
With
ldap-naming-attribute sAMAccountName
Note: the naming attribute was misspelled as sAMAccount, so the LDAP filter [sAMAccount=sargentm] matched no entry and the search result parsing failed; the correct Active Directory attribute is sAMAccountName.