AAA - LDAP test "rejected: memory error"

isnsysadmin
Level 1

Trying to configure VPN on a Cisco 5510 to use LDAP for authorization (used a Cisco document for implementing Kerberos/LDAP AAA with Windows AD).

Kerberos authentication works just fine, but when I test the LDAP AAA group I get -

"Authorization Rejected: memory error"

I haven't been able to find ANY info regarding that error message on the interwebz. I know it's reaching the domain controller just fine, but something isn't quite right. Any ideas?

2 Replies

smalkeric
Level 6

The security appliance supports user authorization on an external LDAP or RADIUS server. Before you configure the security appliance to use an external server, you must configure the server with the correct security appliance authorization attributes and, from a subset of these attributes, assign specific permissions to individual users.

There are some known issues with LDAP and 7.1(1) (if you are using it). You may try upgrading to the latest 7.1.2 interim release.

We're actually on release 8.03.

I haven't had time to look at this issue again yet (ahh family vacations =)) but hopefully in the next week I will.

Meanwhile, here's a bit of the config if that helps anyone:

---

aaa-server Authent_grp protocol kerberos
aaa-server Authent_grp host X.X.X.152
 kerberos-realm DOMAIN.COM
aaa-server Authent_grp host X.X.X.151
 kerberos-realm DOMAIN.COM
aaa-server Author_grp protocol ldap
aaa-server Author_grp host X.X.X.152
 ldap-base-dn ou=Users
 ldap-scope onelevel
 ldap-naming-attribute uid
 ldap-login-password *
 ldap-login-dn cn=admin,cn=Users,dc=domain,dc=com
 server-type microsoft

---
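An added example, not part of the thread and not Cisco's own code: a small Python lint that parses the LDAP `aaa-server` block posted above and flags settings worth checking against an Active Directory server. The function names and the set of default AD login attributes are assumptions of this example, and its findings do not establish the cause of the "memory error".

```python
import re

# Constructed input: the LDAP authorization block quoted in the post above.
SAMPLE = """\
aaa-server Author_grp protocol ldap
aaa-server Author_grp host X.X.X.152
 ldap-base-dn ou=Users
 ldap-scope onelevel
 ldap-naming-attribute uid
 ldap-login-password *
 ldap-login-dn cn=admin,cn=Users,dc=domain,dc=com
 server-type microsoft
"""

# Assumption: login attributes Active Directory populates on users by default.
AD_LOGIN_ATTRS = {"samaccountname", "userprincipalname", "cn"}

def parse_ldap_hosts(config):
    """Map (group, host) -> {keyword: value} for groups declared 'protocol ldap'."""
    ldap_groups, hosts, current = set(), {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        proto = re.fullmatch(r"aaa-server (\S+) protocol (\S+)", line)
        host = re.fullmatch(r"aaa-server (\S+)(?: \(\S+\))? host (\S+)", line)
        if proto:
            current = None
            if proto.group(2) == "ldap":
                ldap_groups.add(proto.group(1))
        elif host:
            # Only collect sub-commands for hosts that belong to an LDAP group.
            current = hosts.setdefault(host.groups(), {}) if host.group(1) in ldap_groups else None
        elif line and current is not None:
            keyword, _, value = line.partition(" ")
            current[keyword] = value.strip()
    return hosts

def lint_ldap_host(opts):
    """Return (keyword, message) pairs for settings worth a second look."""
    findings = []
    if "dc=" not in opts.get("ldap-base-dn", "").lower():
        findings.append(("ldap-base-dn", "not a full DN: no dc= components"))
    if opts.get("ldap-scope") == "onelevel":
        findings.append(("ldap-scope", "only entries directly under the base DN are searched"))
    attr = opts.get("ldap-naming-attribute", "").lower()
    if opts.get("server-type") == "microsoft" and attr not in AD_LOGIN_ATTRS:
        findings.append(("ldap-naming-attribute", "not set by default on AD users"))
    return findings

if __name__ == "__main__":
    for (group, host), opts in parse_ldap_hosts(SAMPLE).items():
        print(group, host, lint_ldap_host(opts))
```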
