We have an issue at the moment with ACS and RSA for authenticating VPN. Quite often we require 2 authentications before a connection can be established. In the ACS logs it shows the first authentication as failed (although RSA passes both) with the error "External DB reports about an error condition".
You are hitting bug CSCsq93877: LDAP bind fails the first time with clients using RSA tokens. VPN client with RSA tokens. The VPN client logs in on the ASA. The ASA is connected with RADIUS to ACS. ACS sends the authentication request to RSA Authentication Manager; if authentication is OK, ACS looks up the user name with LDAP in AD 2003. All works fine except for one thing: the first time, the user has to authenticate 2 times. Authentication against RSA is OK. LDAP mapping doesn't work. ACS server gives error: External DB reports about an error condition.
Thanks drolemc, that seems to match our problem exactly (although we're using VPN concentrator appliances rather than ASA). Do you know if there's a fix for this bug? I can't seem to find anything googling for "CSCsq93877". Cheers
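To quantify how often this double-authentication pattern occurs before and after a fix, the following is an added example (not code from this thread, from Cisco ACS, or from RSA) that correlates a failed attempt carrying the "External DB reports about an error condition" message with a subsequent success for the same user within a short window. The log format and entries are constructed for illustration; a real ACS Failed/Passed Attempts export will need its own parser.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real ACS output): timestamp, user, result, message.
SAMPLE_LOG = """\
2008-06-10 09:01:02 user=alice result=FAIL msg="External DB reports about an error condition"
2008-06-10 09:01:21 user=alice result=PASS msg="Authen OK"
2008-06-10 09:05:00 user=bob result=PASS msg="Authen OK"
2008-06-10 09:10:00 user=carol result=FAIL msg="External DB reports about an error condition"
2008-06-10 09:40:00 user=carol result=PASS msg="Authen OK"
2008-06-10 10:00:00 user=dave result=FAIL msg="Bad password"
2008-06-10 10:00:15 user=dave result=PASS msg="Authen OK"
"""

LINE_RE = re.compile(r'^(\S+ \S+) user=(\S+) result=(PASS|FAIL) msg="([^"]*)"$')
EXT_DB_ERROR = "External DB reports about an error condition"


def parse(log_text):
    """Parse the constructed format into (timestamp, user, result, message) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_double_auths(events, window=timedelta(minutes=2)):
    """Return (user, fail_ts, pass_ts) for each external-DB failure followed by a PASS
    from the same user within `window`; other failure reasons are ignored."""
    pending = {}  # user -> timestamp of the most recent external-DB failure
    hits = []
    for ts, user, result, msg in sorted(events):
        if result == "FAIL" and msg == EXT_DB_ERROR:
            pending[user] = ts
        elif result == "PASS" and user in pending:
            fail_ts = pending.pop(user)
            if ts - fail_ts <= window:
                hits.append((user, fail_ts, ts))
    return hits


def summarize(log_text):
    """Count distinct users and double-auth occurrences in the log text."""
    events = parse(log_text)
    hits = find_double_auths(events)
    users = {user for _, user, _, _ in events}
    return {"users": len(users), "double_auths": len(hits),
            "affected": sorted(user for user, _, _ in hits)}
```

Lowering or raising the window controls how aggressively a later success is tied to an earlier external-DB failure; carol's success 30 minutes later is deliberately not counted.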