New Member

SA 520 and Active Directory

We have an SA 520 appliance and it has worked perfectly until recently. We can no longer log in using the accounts from the Active Directory. I can log in using the local admin account but not the AD accounts. Any thoughts? Or more details needed? Thanks


SA 520 and Active Directory

Check your RADIUS server. Did something about it change recently?

New Member

SA 520 and Active Directory

First Option:

1. Make a Backup of your current configuration

2. Do a reset on it to factory default

3. IMPORTANT: REFLASH THE BOX with the latest Image, even if it has the latest Image

4. Restore the settings

5. Test, check & it should work

2nd Option:

1. Make a factory reset & start from scratch.

I have had the same problems on some boxes. Don't know why - but sometimes this happens.

New Member

SA 520 and Active Directory

Thanks for the info.   Is there a nice tidy way to back up the current configuration?

New Member

SA 520 and Active Directory

Damn easy!

Use an empty USB stick and store the config on it. Or store it on your PC or on the network.

Check this: 

New Member

SA 520 and Active Directory

No dice.  We backed up the config, updated the firmware, and then restored the config and still have the same issue.

New Member

Re: SA 520 and Active Directory


I don't know your current config so let me explain how to set up the ADS connection from scratch.

Please double check and let me know if something is wrong or missing within your config.

1. Create a SSL-VPN Portal

VPN – SSL VPN Server – Portal Layouts ---> ADD

(Type something within and make sure you select the SSLVPN* as default site)

2. Assign the portal to the ADS

Administration - Users - Domains ---> ADD

Now it is important that you know what kind of roles your domain controllers will have. If you have only one then everything is fine. If you have more than one you need to find which one provides the RID MASTER ROLE.

If you know this server DON'T USE THE NAME - use the IP ADDRESS of this server.

Now assign the portal to the domain, fill in the IP address of your responsible DC and in the last line type your FQDN for the active directory domain. As authentication you have to choose Active Directory.

3. Authorization

Administration - Users - Users

Not everybody within the ADS is automatically allowed to use VPN. You need to create the user which is allowed to use SSL-VPN. I don't know why CISCO will not provide an option to solve this via an ADS group but it seems the SMB market will be ignored.

Now choose a user from the ADS. Important is the login name, first name and last name.

When you create a user within the SA5xx and choose ADS authentication, this will be a pass-through authentication. You can create a user but you are not able to assign a password.

The next problem is the option "AUTHENTICATION SERVER". I don't know who is responsible for the manual of the SA5xx but from my point of view this is essential information: use the IP instead of the FQDN of the server. And if you choose a domain controller make sure that this domain controller has the role which is responsible for authentication.

If you have done all these steps it must work! BUT - you need to choose the right portal to log in! ;-)


your-domain is the Portal name which you have defined within the portal. See the first screen shot and the greyed first line.
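
Added example, not part of the original posts: one way to collect the two values the last reply says to enter in the domain form (the IP address of the domain controller holding the RID master role, and the FQDN of the Active Directory domain). It assumes a domain-joined Windows machine with the RSAT ActiveDirectory module; the ports checked are an assumption, since the thread does not say which protocol the SA 520 uses to reach the domain controller.

```powershell
# Added example. Read-only queries; nothing in the directory is changed.
Import-Module ActiveDirectory

$domain    = Get-ADDomain          # domain of the logged-on user
$ridMaster = $domain.RIDMaster     # host name of the RID master role holder

# The reply says to enter the IP address rather than the server name,
# so resolve the role holder to its IPv4 address(es).
$addresses = Resolve-DnsName -Name $ridMaster -Type A |
    Where-Object { $_.Type -eq 'A' } |
    Select-Object -ExpandProperty IPAddress

# Assumption: standard Kerberos (88) and LDAP (389) ports on a domain controller.
$ports = 88, 389

foreach ($ip in $addresses) {
    foreach ($port in $ports) {
        # This tests from the workstation, not from the SA 520 itself, so a
        # success only shows the service is listening on the controller.
        $r = Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainFqdn = $domain.DNSRoot   # value for the last line of the domain form
            RidMaster  = $ridMaster
            IPAddress  = $ip               # value for the authentication server field
            Port       = $port
            Reachable  = $r.TcpTestSucceeded
        }
    }
}
```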