Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Anyconnect LDAP Authentication to multiple domains

Hello,

I currently have a working config for VPN users to use my LDAP server for a single group of users.  The LDAP server is directly connected to my inside interface. 

I recently added another node to my branch offices.  The new addition is another company and has its own domain and LDAP server.  I have a working VPN connection between the 2 offices and can ping from my headquarters to the new office's LDAP server - no problem.  I'd like users to be able to establish connectivity to our headquarters ip address but authenticate to the LDAP server at the remote location. 

I have created a 2nd tunnel group and a 2nd LDAP server.  When I activate Anyconnect and select the headquarters the new group is an option in the drop down box.  I select it and enter username/password.  I get "Login Error".  On the headquarters box I have debug aaa enabled and all I see is:

ciscoasa# Marking server 192.168.1.140 down in servertag <2nd_LDAP_SERVER>
Marking server 192.168.16.140 in server tag <2nd_LDAP_SERVER> Up
AAA_BindServer: No server found

 

I'm using ASA software 9.1.  Any thoughts?

 

Config below has been scrubbed.  If i took out too much let me  know.  

The VPN tunnel for between HQ and PEER4-REMOTE_LAN_WAN is working fine.  traffic passes, tunnel is up.  i can ping between HQ subnet and REMOTE_LANS subnets.  

The aaa server we're trying to authenticate to is AAA_SERVER2.  it resides in a subnet in REMOTE_LANS.  domain2 is the one i am having difficulty authenticating to.  

 

*************************************************

RUNNING CONFIG BELOW - SCRUBBED

*************************************************

show run

: Saved
:
ASA Version 9.1(1)
!
hostname ciscoasa
domain-name sub1.domain.com
 
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
 
no names
 
dns-guard
ip local pool Group1_Pool 172.16.1.10-172.16.1.80 mask 255.255.255.0
!
interface Ethernet0/0
 description Internet Connection 
 nameif outside
 security-level 0
 ip address <OUTSIDE_WAN> 255.255.255.248
!
interface Ethernet0/1
 description <INSIDE HEADQUARTERS>
 nameif inside
 security-level 100
 ip address <HQ_LAN>.1 255.255.255.0
!
 
 
boot system disk0:/asa911-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup MPLS_DMZ
dns domain-lookup management
dns server-group DefaultDNS
 name-server <HQ_LAN>.52
 domain-name sub1.domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network HQ
 subnet <HQ_LAN>.0 255.255.255.0
 description **HQ LAN**
object network HQ-VPN
 subnet 172.16.1.0 255.255.255.0
 description **HQ VPN CLIENTS**
 
 
object network obj_any-MPLS_DMZ
 subnet 0.0.0.0 0.0.0.0
object network obj_any-MPLS_DMZ_TWTelcom
 subnet 0.0.0.0 0.0.0.0
object network obj_any-HQ
 subnet 0.0.0.0 0.0.0.0
object network obj_any-HQ_TWTelcom
 subnet 0.0.0.0 0.0.0.0
 
object network HQ-VOICE
 subnet 10.81.106.0 255.255.255.0
 description **HQ VOICE**
 
 
 
object network remote_lan_1
 subnet 192.168.16.0 255.255.255.0
 description **REMOTE LAN 1**
object network remote_lan_2
 subnet 192.168.17.0 255.255.255.0
 description **REMOTE LAN 2**
object network remote_lan_3
 subnet 192.168.32.0 255.255.255.0
 description **REMOTE LAN 3**
 
object-group network HQ_LAN
 network-object <HQ_LAN>.0 255.255.255.0
 
object-group network MPLS_SITES
 group-object SITE1_LAN
 group-object SITE2_LAN
 group-object SITE3_LAN
 
object-group network REMOTE_LAN1n2
 network-object 192.168.16.0 255.255.255.0
 network-object 192.168.17.0 255.255.255.0
object-group network REMOTE_LAN3
 network-object 192.168.32.0 255.255.255.0
object-group network REMOTE_LANS
 group-object REMOTE_LAN1n2
 group-object REMOTE_LAN3
 
 
 
access-list acl_outside remark **DENY BOGON**
access-list acl_outside extended deny ip host 255.255.255.255 any4
access-list acl_outside extended deny ip 0.0.0.0 255.0.0.0 any4
access-list acl_outside extended deny ip 10.0.0.0 255.0.0.0 any4
access-list acl_outside extended deny ip 127.0.0.0 255.0.0.0 any4
access-list acl_outside extended deny ip 169.254.0.0 255.255.0.0 any4
access-list acl_outside extended deny ip 172.16.0.0 255.240.0.0 any4
access-list acl_outside extended deny ip 192.0.2.0 255.255.255.0 any4
access-list acl_outside extended deny ip 192.168.0.0 255.255.0.0 any4 inactive
access-list acl_outside extended deny ip 198.18.0.0 255.255.255.0 any4
access-list acl_outside extended deny ip 223.0.0.0 255.0.0.0 any4
access-list acl_outside extended deny ip 224.0.0.0 224.0.0.0 any4
 
access-list LDAP_SplitTunnel_1_Working extended permit ip object-group MPLS_SITES object HQ-VPN
access-list LDAP_SplitTunnel_1_Working extended permit ip object HQ object HQ-VPN
access-list LDAP_SplitTunnel_1_Working extended permit ip object HQ-VOICE object HQ-VPN
access-list LDAP_SplitTunnel_1_Working extended permit ip object-group REMOTE_LANS object HQ-VPN
 
access-list MPLS_ACL extended permit ip any4 any4
access-list MPLS_ACL extended permit icmp any4 any4
 
 
access-list REMOTE_LANS_VPN extended permit ip object HQ-VPN object-group REMOTE_LANS 
access-list REMOTE_LANS_VPN extended permit ip object HQ object-group REMOTE_LANS 
 
 
access-list LDAP_SplitTunnel_2 extended permit ip object HQ object HQ-VPN
access-list LDAP_SplitTunnel_2 extended permit ip object-group REMOTE_LANS object HQ-VPN
 
pager lines 24
logging enable
logging timestamp
logging list VPN level debugging class vpn
logging buffer-size 100000
logging buffered critical
logging asdm emergencies
 
logging facility 16
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu MPLS_DMZ 1500
mtu Ethernet0/3 1500
mtu management 1500
mtu vv_voice 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any MPLS_DMZ
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
 
 
 
nat (inside,outside) source static HQ HQ destination static HQ-VPN HQ-VPN
 
nat (outside,inside) source static HQ-VPN HQ-VPN destination static HQ HQ
nat (outside,MPLS_DMZ) source static HQ-VPN HQ-VPN destination static MPLS_SITES MPLS_SITES
 
nat (outside,inside) source static REMOTE_LANS REMOTE_LANS destination static HQ HQ 
nat (inside,outside) source static HQ HQ destination static REMOTE_LANS REMOTE_LANS 
 
 
nat (outside,outside) source static HQ-VPN HQ-VPN destination static REMOTE_LANS REMOTE_LANS 
nat (outside,outside) source static REMOTE_LANS REMOTE_LANS destination static HQ-VPN HQ-VPN
 
 
 
!
 
object network obj_any-HQ
 nat (inside,outside) dynamic interface
object network obj_any-HQ_TWTelcom
 nat (inside,Ethernet0/3) dynamic interface
 
access-group acl_outside in interface outside
access-group MPLS_ACL in interface MPLS_DMZ
access-group acl_outside in interface Ethernet0/3
 
route outside 0.0.0.0 0.0.0.0 GATEWAY 1
route MPLS_DMZ 10.30.99.0 255.255.255.0 192.168.2.2 1
route MPLS_DMZ 10.81.44.0 255.255.255.0 192.168.2.2 1
route MPLS_DMZ 10.81.47.0 255.255.255.0 192.168.2.2 1
route MPLS_DMZ 10.81.48.0 255.255.255.0 192.168.2.2 1
route MPLS_DMZ 10.81.51.0 255.255.255.0 192.168.2.2 1
route MPLS_DMZ 10.85.163.0 255.255.255.0 192.168.2.2 1
 
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
 
 
ldap attribute-map CISCOMAP
  map-name  msNPAllowDialin IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE ALLOWACCESS
ldap attribute-map CISCOMAP_REMOTE_LANS
  map-name  msNPAllowDialin IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE ALLOWACCESS_REMOTE_LANS
dynamic-access-policy-record DfltAccessPolicy
 
sub1.domain.com
 
aaa-server AAA_SERVER1 protocol ldap
aaa-server AAA_SERVER1 (inside) host <HQ_LAN>.52
 ldap-base-dn DC=sub1,DC=domain,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=asa,CN=Users,DC=sub1,DC=domain,DC=com
 server-type auto-detect
 ldap-attribute-map CISCOMAP
 
aaa-server AAA_SERVER2 protocol ldap
aaa-server AAA_SERVER2  (inside) host 192.168.16.140
 ldap-base-dn DC=domain2,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=asa,CN=users,DC=domain2,DC=com
 server-type auto-detect
 ldap-attribute-map CISCOMAP_REMOTE_LANS
 
 
 
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
 
 
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address VPN1
crypto map outside_map 1 set peer PEER1-WAN
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address VPN2
crypto map outside_map 2 set peer PEER2-WAN
crypto map outside_map 2 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 3 match address VPN3
crypto map outside_map 3 set peer PEER3-WAN
crypto map outside_map 3 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 3 set security-association lifetime seconds 28800
crypto map outside_map 3 set security-association lifetime kilobytes 4608000
crypto map outside_map 4 match address REMOTE_LAN_VPN
crypto map outside_map 4 set peer PEER4-REMOTE_LAN_WAN
crypto map outside_map 4 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 4 set security-association lifetime seconds 28800
crypto map outside_map 4 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint
 enrollment terminal
 fqdn VPN.FQDN.HERE
 subject-name MORE.INFO.HERE
 keypair PAIR.GOES.HERE
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint
 certificate 
<CERTIFICATE INFO HERE>
  quit
crypto isakmp identity hostname
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet <HQ_LAN>.0 255.255.255.0 inside
 
telnet timeout 10
 
ssh timeout 60
console timeout 0
management-access inside
l2tp tunnel hello 300
dhcpd address ADDRESS POOL management
dhcpd enable management
!
priority-queue outside
priority-queue MPLS_DMZ
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server NTP_ADDRESS source inside prefer
ssl trust-point ASDM_TrustPoint outside
 
webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 2
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 3 regex "Intel Mac OS X"
 anyconnect image disk0:/anyconnect-linux-3.1.03103-k9.pkg 4 regex "Linux"
 anyconnect profiles default disk0:/default.xml
 anyconnect enable
 tunnel-group-list enable
 
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol l2tp-ipsec
group-policy DfltGrpPolicy attributes
 default-domain value sub1.domain.com
 webvpn
  anyconnect profiles value default type user
 
 
group-policy ALLOWACCESS_REMOTE_LANS internal
group-policy ALLOWACCESS_REMOTE_LANS attributes
 dns-server value 192.168.16.140
 vpn-access-hours none
 vpn-simultaneous-logins 5
 vpn-idle-timeout 120
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1 ssl-client
 password-storage disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value LDAP_SplitTunnel_2
 default-domain value domain2.com
 
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
 dns-server value <HQ_LAN>.52
 vpn-access-hours none
 vpn-simultaneous-logins 5
 vpn-idle-timeout 120
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1 ssl-client
 password-storage disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value LDAP_SplitTunnel_1_Working
 default-domain value sub1.domain.com
 
 
tunnel-group Group1 type remote-access
tunnel-group Group1 general-attributes
 address-pool Group1_Pool 
 authentication-server-group AAA_SERVER1 
tunnel-group Group1 ipsec-attributes
 ikev1 pre-shared-key *****
 
tunnel-group VPN1 type ipsec-l2l
tunnel-group VPN1 ipsec-attributes
 ikev1 pre-shared-key *****
 
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool Group1_Pool 
 authentication-server-group AAA_SERVER1 
 
tunnel-group SSLVPN webvpn-attributes
 group-alias GROUP_THAT_WORKS enable
tunnel-group VPN2 type ipsec-l2l
tunnel-group VPN2 ipsec-attributes
 ikev1 pre-shared-key *****
 
tunnel-group VPN3 type ipsec-l2l
tunnel-group VPN3 ipsec-attributes
 ikev1 pre-shared-key *****
 
tunnel-group PEER4-REMOTE_LAN_WAN type ipsec-l2l
tunnel-group PEER4-REMOTE_LAN_WAN ipsec-attributes
 ikev1 pre-shared-key *****
 
tunnel-group SSLVPN_Domain2_notworking type remote-access
tunnel-group SSLVPN_Domain2_notworking general-attributes
 address-pool Group1_Pool 
 authentication-server-group AAA_SERVER2
tunnel-group SSLVPN_Domain2_notworking webvpn-attributes
 group-alias GROUP_THAT_DOESNT_WORK enable
!
class-map VOICE
 match dscp ef
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map MPLS
 class VOICE
  priority
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect ip-options
policy-map OUTSIDE
 class VOICE
  priority
!
service-policy global_policy global
service-policy OUTSIDE interface outside
service-policy MPLS interface MPLS_DMZ
smtp-server <HQ_LAN>.56
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ece33f3215344dfccfae4501e4e483c5
: end
ciscoasa#
Everyone's tags (1)
5 REPLIES
New Member

mnewbrough, I do not know if

mnewbrough,

 

I do not know if this applies to you but I have several domains I have to authenticate users with and I had to create unique AAA Server groups and LDAP Attribute maps for each different group.

Brent

New Member

Thanks for your quick reply

Thanks for your quick reply Brent.  Yes, i agree.  My current config is set up with 2 different LDAP servers and 2 different groups with seperate group policies and seperate aaa servers.  I will get the config up shortly so you can have a look. 

Cisco Employee

Have you tried defining the

Have you tried defining the global catalog port with in the same server group?

aaa-server AAA_SERVER1 protocol ldap
aaa-server AAA_SERVER1 (inside) host <HQ_LAN>.52
server-port 3268
 
Regards,
Jatin Katyal
** Do rate helpful posts **
~BR Jatin Katyal **Do rate helpful posts**
New Member

i'll do that now.  But keep

i'll do that now.  But keep in mind AAA_SERVER1 works great!  Its directly connected to the asa inside interface.  it's AAA_SERVER2 which located at the far end of REMOTE_LAN_VPN (crypto map 4) that i'm having issues with.

New Member

Got it figured out!  The far

Got it figured out!  The far end (AAAServer2) was not managed by me.  So i was working with the tech at the far end who gave me incorrect DN information.  The fix was to change:

ldap-login-dn CN=asa,CN=users,DC=domain2,DC=com

to:

ldap-login-dn CN=ASA Cisco,CN=Users,DC=domain2,DC=com

to match exactly what was listed in LDAP.  

 

Thanks for your guys' input.

1405
Views
0
Helpful
5
Replies