Cisco Support
English
Feedback Help
Cisco Support Community
Register
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
matthew.rand
matthew.rand
Community Member
‎09-11-2010 11:05 AM
‎09-11-2010 11:05 AM

VPN LDAP Authorization Failure

I have set up VPN certificate authentication/authorization on an ASA5520.  I am not having any problems with the authentication part, but, I am having an issue with authorization.  Users get authorization through LDAP to our AD network, however, we have some users which get “%ASA-6-113005: AAA user authorization Rejected : reason = User was not found : server =”.  This is just happening to some and not all users.

I have captured the log files and compared the username being sent via ldap is the same as what is listed for their username on the DC.  The users are able to log onto the domain with no problem they are just unable to get authorization through VPN, they have dial-in permissions and what I have been able to tell the basic groups are the same.  They have attempted to log on through different computer systems, it makes no difference.

What could be the problem where some are able to get authorization and others are not? 

Labels:
0 Helpful
Reply
2 REPLIES
matthew.rand
matthew.rand
Community Member
‎09-11-2010 12:47 PM
‎09-11-2010 12:47 PM

Re: VPN LDAP Authorization Failure

Solved the problem.

The configuration of the ldap-base-dn statement under the aaa-server policy was not pointing at a high enough OU level.  Once I changed it users were able to connect.

0 Helpful
Reply
brettmoore99
brettmoore99
Community Member
‎01-16-2011 11:20 AM
‎01-16-2011 11:20 AM

Re: VPN LDAP Authorization Failure

I found this discussion when I was having the exact same problem, it turned out that in the ldap server configuration page is was looking for SAMAccountName and the certificate was passing userPrincipalName, I changed the relevant field to now look for the UPN and all is working perfectly now...

Just in case anyone else should have the same problem! The logs where showing that the asa was trying to authenticate testuser@domain.com and the LDAP server was returning user does not exist, this makes sense as SAMAccountName only has the testuser attribute, not the full testuser@domain.com...

0 Helpful
Reply
Latest Documents
Snort IPS on ISR, ISRv and CSR - Step-By-Step Configuration
Created by Kureli Sankar on 04-19-2018 11:25 AM
0
0
0
0
BenefitsDocumentationPrerequisiteImage Download LinksLimitationsSupported PlatformsLicense RequirementsTopologyStep-By-Step ConfigurationConfigure Virtual ServiceActivate the virtual service and configure guest IPsConfiguring UTD (Service Plane)Configurin... view more
Upgrade Chassis Manager (FXOS)
Created by Jeet Kumar on 02-23-2018 02:51 AM
2
15
2
15
    Login to the FXOS chassis manager. Direct your browser to https://hostname/, and log-in using the user-name and password.     Go to Help > About and check the current version:    Check the current version availa... view more
ASA 5506-X with ipv6 no access to internet
Created by Klaxel on 02-08-2018 01:25 AM
3
5
3
5
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6. In Syslog I also se... view more
All Documents
1272
Views
0
Helpful
2
Replies
CreatePlease to create content
Discussion
Blog
Document
Video
Popular Blogs
AnyConnect Certificate Based Authentication.
Created by Marvin Ruiz on 08-27-2012 05:20 PM
36
70
36
70
BLOG (No Title)
Created by athukral on 06-14-2011 04:23 AM
15
35
15
35
Wireless Hacking
Created by Anim Saxena on 01-24-2013 07:56 AM
2
20
2
20
All Blogs