Cisco Support Community

How to configure ASA 5510 to check Microsoft Windows Active Directory attributes


The Adaptive Security Appliance (ASA) cannot be configured to check the Active Directory for dial-in permissions or group membership.

The ASA cannot directly query any Microsoft Windows Active Directory attributes. The query can, however, be performed indirectly through a RADIUS server that can map user attributes, such as Microsoft Internet Authentication Service (IAS) or Cisco Secure ACS.

Refer to these documents for more information:

You can also run different debug commands in order to troubleshoot the VPN configuration:

  • debug crypto isakmp—This command displays errors during Phase 1.
  • debug crypto ipsec—This command displays errors during Phase 2.
  • debug crypto engine—This command displays information from the crypto engine.
  • clear crypto ipsec sa—This command clears the Phase 2 security associations.
  • debug radius [session | all | user username]—Available in PIX 6.2, this command logs RADIUS session information and the attributes of sent and received RADIUS packets.
  • debug tacacs [session | user]—Available in PIX 6.3, this command logs TACACS information.
  • debug aaa [authentication | authorization | accounting | internal]—Available in PIX 6.3, this command shows Authentication, Authorization, Accounting (AAA) subsystem information.

Community Member

This is incorrect. You can, in fact, check AD attributes (e.g. group membership) directly from your ASA using LDAP. There is a very good explanation on how to do this here:
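As an added configuration example, not taken from the original post or from the explanation the comment links to, this shows the LDAP route the comment describes: the ASA binds to Active Directory, reads the user's memberOf attribute, and an LDAP attribute map turns one group DN into a group policy, while users matching no mapping land in a default policy that allows zero logins. The server address, DNs, bind account and policy names are constructed placeholders.

```cisco
! Attribute map: memberOf values become the ASA Group-Policy attribute.
! Only the listed group DN maps; any other value yields no Group-Policy,
! so the tunnel-group default (NOACCESS below) applies.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com" VPN-USERS-GP
!
! LDAP server definition. The bind account only needs read access to
! user objects; do not use a domain admin here.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-ldap-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP
!
! Deny-by-default policy: a user whose memberOf matched nothing
! authenticates but is refused a session.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
group-policy VPN-USERS-GP internal
group-policy VPN-USERS-GP attributes
 vpn-simultaneous-logins 3
!
tunnel-group REMOTE-VPN general-attributes
 authentication-server-group AD-LDAP
 default-group-policy NOACCESS
```

Verify the mapping with "test aaa-server authentication AD-LDAP username <user> password <pw>" and "debug ldap 255", which shows the memberOf values returned and which Group-Policy the map selected.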