Cisco Support Community
Community Member

"Broken" AAA between ASA 5505 and MS-AD

I have set up an AAA connection from my ASA5505 to my MS-AD domain controller for VPNs (SSL and client). It was working; however, last week the connection between the two failed and I cannot get it back up again.

I've checked password, usernames, object locations etc. but to no avail. When I do an auth test, this is the debug ldap 225 output:

[722] Session Start
[722] New request Session, context 0xd4e225c8, reqType = 1
[722] Fiber started
[722] Creating LDAP context with uri=ldap://w.x.y.z:389
[722] Connect to LDAP server: ldap://w.x.y.z:389, status = Successful
[722] supportedLDAPVersion: value = 3
[722] supportedLDAPVersion: value = 2
[722] Binding as administrator
[722] Performing Simple authentication for FirewallTest to w.x.y.z
[722] Simple authentication for FirewallTest returned code (49) Invalid credentials
[722] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[722] Fiber exit Tx=253 bytes Rx=583 bytes, status=-2
[722] Session End

I have tried the age-old "remove and re-add" fix, but this has not worked.

Any thoughts?

1 ACCEPTED SOLUTION


Re: "Broken" AAA between ASA 5505 and MS-AD

Have you checked that the user account used for binding to the LDAP server (AD) has not changed its privileges? I remember that after applying a patch to an AD server most of the Admin accounts were changed to local admin rather than domain admin accounts.

Also, try resetting the password for this account and see if you have the login-dn correct; get the "dsquery user -name " output and compare it to your ASA.

4 REPLIES

Community Member

Re: "Broken" AAA between ASA 5505 and MS-AD

I will check. However, the account was never a domain admin in the first place...

Re: "Broken" AAA between ASA 5505 and MS-AD

Regardless, make sure that the privilege to read the domain is enabled; if not, then enable it.

Community Member

Re: "Broken" AAA between ASA 5505 and MS-AD

It's working after the password reset: I suspect it had expired...

Thanks for the help.
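The checks in the accepted answer (bind account state, password, login-dn) all come down to reading the bind-phase result code in the ASA debug output correctly: result 49 is the server refusing the bind, and the "-1 Can't contact LDAP server" line that follows it is a consequence, not the root cause. The Python script below is an added example written for this page; it is not code from the thread, from Cisco, or from Microsoft. It parses "debug ldap" lines of the shape shown above, extracts the LDAP result codes, and, where the server's diagnostic text carries one of Active Directory's sub-codes (for instance "data 532", which is the password-expired case the original poster ended up in), turns it into a plain-language diagnosis. Whether a given ASA release echoes the AD diagnostic text into the debug line is an assumption; the three sample outputs are constructed for the example (the first is modelled on the output quoted in the question).

```python
import re
from typing import Dict, List, Optional, Tuple

# LDAP result codes that show up in the bind phase (names from RFC 4511).
# -1 is not an LDAP result; the ASA uses it for a client-side failure.
LDAP_RESULT_CODES: Dict[int, str] = {
    0: "success",
    8: "strongerAuthRequired",
    32: "noSuchObject",
    34: "invalidDNSyntax",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    -1: "client-side: can't contact LDAP server",
}

# Active Directory qualifies result 49 with a hex sub-code in its diagnostic
# message ("AcceptSecurityContext error, data 532"). These are AD's values.
AD_BIND_SUBCODES: Dict[str, str] = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password or wrong bind DN)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_RESULT_RE = re.compile(r"returned code \((-?\d+)\)\s*(.*)$")
_SUBCODE_RE = re.compile(r"\bdata ([0-9a-fA-F]{3})\b")


def parse_asa_ldap_debug(text: str) -> List[Tuple[int, str]]:
    """Extract (result_code, message) pairs from ASA 'debug ldap' lines, in order."""
    events: List[Tuple[int, str]] = []
    for line in text.splitlines():
        m = _RESULT_RE.search(line)
        if m:
            events.append((int(m.group(1)), m.group(2).strip()))
    return events


def diagnose_bind(text: str) -> Optional[str]:
    """One-line diagnosis of the bind phase, or None when the bind succeeded.

    The first server-side failure wins; the ASA's trailing -1 line is only
    reported when nothing before it explains the failure.
    """
    events = parse_asa_ldap_debug(text)
    for code, msg in events:
        if code == 49:
            sub = _SUBCODE_RE.search(msg)
            if sub:
                key = sub.group(1).lower()
                reason = AD_BIND_SUBCODES.get(key, f"unknown AD sub-code {key}")
                return f"bind rejected (49 invalidCredentials): {reason}"
            return ("bind rejected (49 invalidCredentials): no AD sub-code in the debug line; "
                    "verify the login-dn against dsquery, then the bind account's password and state")
        if code not in (0, -1):
            name = LDAP_RESULT_CODES.get(code, "unknown")
            return f"bind failed with LDAP result {code} ({name})"
    if any(code == -1 for code, _ in events):
        return "no LDAP result before the ASA's -1; check reachability of the server and port"
    return None


# Constructed samples. The first mirrors the output quoted in the question.
SAMPLE_NO_SUBCODE = """[722] Binding as administrator
[722] Performing Simple authentication for FirewallTest to w.x.y.z
[722] Simple authentication for FirewallTest returned code (49) Invalid credentials
[722] Failed to bind as administrator returned code (-1) Can't contact LDAP server
"""

# Assumed shape for an ASA that echoes AD's diagnostic text (constructed).
SAMPLE_EXPIRED = """[723] Binding as administrator
[723] Simple authentication for FirewallTest returned code (49) Invalid credentials, 80090308: AcceptSecurityContext error, data 532, v1db1
[723] Failed to bind as administrator returned code (-1) Can't contact LDAP server
"""

SAMPLE_OK = """[724] Binding as administrator
[724] Simple authentication for FirewallTest returned code (0) Success
"""

if __name__ == "__main__":
    for label, sample in (("question", SAMPLE_NO_SUBCODE), ("expired", SAMPLE_EXPIRED), ("ok", SAMPLE_OK)):
        print(f"{label}: {diagnose_bind(sample)}")
```

Run it against a pasted "debug ldap" capture, or feed the capture to diagnose_bind() from a monitoring job so that an expired or locked bind account for the VPN's AAA server is flagged before users start reporting failed logins; the same mapping also tells you when the 49 is a wrong login-dn rather than a password problem, which is the distinction the accepted answer asks the poster to make.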
