06-09-2013 01:06 PM - edited 03-10-2019 08:31 PM
I'm trying to deploy ldap authentication (MS AD) for router vty login. I used manual like this - http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ldap/configuration/15-2mt/sec_conf_ldap.html
But my scenario was unlucky
My config is...
_____
aaa new-model
!
!
aaa group server ldap ad1
server test
!
aaa authentication login default group ad1 local
aaa authorization exec default if-authenticated
!
skip...
!
ldap attribute-map map1
map type sAMAccountName username
!
ldap server test
ipv4 172.16.107.145
attribute map map1
timeout retransmit 20
bind authenticate root-dn CN=Administrator,CN=users,DC=fabrikam,dc=com password 7 02050D480809
base-dn CN=users,DC=fabrikam,dc=com
_____
instead of "ldap attribute-map map1" I tried to use "search-filter user-object-type name". No effect
I used Wireshark to sniff packets from the Cisco router to AD. No packets to the AD ports (389 or 3268) were captured.
I used debug ldap all. This is the output:
*Jun 9 19:38:45.414: LDAP: LDAP: Queuing AAA request 117 for processing
*Jun 9 19:38:45.414: LDAP: Received queue event, new AAA request
*Jun 9 19:38:45.414: LDAP: LDAP authentication request
*Jun 9 19:38:45.414: LDAP: No attributes to check username sanity
*Jun 9 19:38:45.414: LDAP: Username/Password sanity check failed!!
*Jun 9 19:38:45.414: LDAP: LDAP doesn't suport interactive login
Note the last line. Does it mean that I cannot use LDAP for this purpose?
What am I doing wrong?
Thanks!
06-09-2013 11:54 PM
Could you provide the o/p of
show ldap server all
Also, where did you take captures?
Have you tried checking the connection with Softerra browser?
Jatin Katyal
- Do rate helpful posts -
06-10-2013 12:33 AM
Jatin, thanks for the answer.
That's the output of
show ldap server all
Server Information for test
================================
Server name :test
Server IP :172.16.107.145
Server listening Port :389
Bind Root-dn :CN=Administrator,CN=users,DC=fabrikam,dc=com
Server mode :Non-Secure
Cipher Suite :0x00
Authentication Seq :Search first. Then Bind/Compare password next
Authentication Procedure:Bind with user password
Base-Dn :CN=users,DC=fabrikam,dc=com
Attribute map :map1
Request timeout :20
---------------------------------
* LDAP STATISTICS *
Total messages [Sent:0, Received:0]
Response delay(ms) [Average:0, Maximum:0]
Total search [Request:0, ResultEntry:0, ResultDone:0]
Total bind [Request:0, Response:0]
Total extended [Request:0, Response:0]
Total compare [Request:0, Response:0]
Search [Success:0, Failures:0]
Bind [Success:0, Failures:0]
Missing attrs in Entry [0]
----------------------------------
No. of active connections
Captures I did on the MS AD (LDAP) server 172.16.107.145.
Via an LDAP browser I haven't tried, but it's the next step for troubleshooting.
As I said in the previous message, there aren't any packets from the Cisco router to the LDAP server. Why?
06-10-2013 07:21 AM
Are you able to ping the LDAP server? Also, could you please try the below listed command from the router:
telnet 172.16.107.145 389
We need to install ldap browser and see if that can connect.
Jatin Katyal
- Do rate helpful posts -
06-10-2013 08:23 AM
R1-nord#telnet 172.16.107.145 389
Trying 172.16.107.145, 389 ... Open
^]
[Connection to 172.16.107.145 closed by foreign host]
R1-nord#
Ping is also successful.
Why do we need an LDAP browser? I can install it and test the connection, but I think the result will be the same - OK.
So as we can see, there isn't any problem with the network connection between the server and the router.
The problem is that the router does not send a request to the server. And it's not clear to me why.
06-10-2013 10:14 AM
LDAP support on IOS is limited to VPN authentication and unfortunately, cannot be used for Admin (exec) authentication.
CSCug65194 Document LDAP nonsupport for login authentication
AAA does not support using an LDAP method for interactive login authentication. Customers may configure "aaa authentication login default group ldap", but when an interactive (terminal) session tries to authenticate using LDAP, the following message is syslogged:
"LDAP: LDAP doesn't support [sic] interactive login"
This is due to the following check in ldap_authen_req() aaa/ldap/src/ldap_main.c:
if (intf && intf->tty) {
    LDAP_EVENT("LDAP doesn't suport interactive login");
    ldap_method_failover(proto_req);
Jatin Katyal
- Do rate helpful posts -
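As an added triage helper (not code from this thread or from Cisco), the Python below parses the "debug ldap all" lines and the "show ldap server all" counters quoted earlier and reports that the LDAP method failed over on the tty check before any request was built, which is why the capture and the statistics both show zero traffic. The sample input is constructed from the thread; the regex and the verdict strings are my own assumptions.

```python
import re

# Constructed sample input: the "debug ldap all" lines and the "show ldap server all"
# statistics block quoted earlier in this thread.
DEBUG_LDAP = """\
*Jun 9 19:38:45.414: LDAP: LDAP: Queuing AAA request 117 for processing
*Jun 9 19:38:45.414: LDAP: Received queue event, new AAA request
*Jun 9 19:38:45.414: LDAP: LDAP authentication request
*Jun 9 19:38:45.414: LDAP: No attributes to check username sanity
*Jun 9 19:38:45.414: LDAP: Username/Password sanity check failed!!
*Jun 9 19:38:45.414: LDAP: LDAP doesn't suport interactive login
"""
SHOW_LDAP_STATS = """\
Total messages [Sent:0, Received:0]
Response delay(ms) [Average:0, Maximum:0]
Total search [Request:0, ResultEntry:0, ResultDone:0]
Total bind [Request:0, Response:0]
Search [Success:0, Failures:0]
Bind [Success:0, Failures:0]
"""

# Exact (misspelled) string emitted by the LDAP_EVENT() call quoted in the bug note.
TTY_MARKER = "LDAP doesn't suport interactive login"
# One counter line: "<name> [Key:int, Key:int, ...]"
STAT_RE = re.compile(r"^(?P<name>[A-Za-z() ]+?)\s*\[(?P<fields>[^\]]+)\]", re.M)

def parse_ldap_stats(text):
    """Return {'Total messages': {'Sent': 0, 'Received': 0}, ...} from the stats block."""
    stats = {}
    for m in STAT_RE.finditer(text):
        fields = dict(f.split(":") for f in m.group("fields").split(", "))
        stats[m.group("name").strip()] = {k: int(v) for k, v in fields.items()}
    return stats

def diagnose(debug_text, stats_text):
    """Explain why no LDAP traffic left the router for a vty/console login."""
    stats = parse_ldap_stats(stats_text)
    sent = stats.get("Total messages", {}).get("Sent", 0)
    tty_rejected = any(TTY_MARKER in line for line in debug_text.splitlines())
    if tty_rejected and sent == 0:
        return ("interactive-login-unsupported",
                "LDAP method failed over before any request was built; "
                "use RADIUS or TACACS+ for exec login")
    if sent == 0:
        return ("no-traffic", "no LDAP messages sent; check reachability and server config")
    return ("ldap-attempted", f"{sent} LDAP message(s) sent; inspect bind/search counters")
```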
06-10-2013 09:10 PM
Jatin, Thank you!
This is exactly what I was looking for.
So for exec authentication, if I want to use LDAP, I should use RADIUS?
02-27-2015 07:28 PM
thanks
06-21-2019 06:54 AM
Hi Jatin,
Quick question: so that means "enable login using LDAP accounts" on IOS 15M&T is not possible.
The end goal is to log in using LDAP.
-Regards,
Kevin Monteiro
06-11-2013 02:19 AM
You may use TACACS or RADIUS. With TACACS you would have more control over user access, as it also supports command authorization, whereas RADIUS doesn't.
Jatin katyal
*Do rate helpful posts*
Sent from Cisco Technical Support Android App
06-13-2013 12:41 AM
Let me know if you have any further questions.
Jatin Katyal
- Do rate helpful posts -
06-13-2013 01:03 AM
No, I don't have any questions.
We use RADIUS and it suits us.
Thanks a lot again.
06-13-2013 01:10 AM
Thanks for the update. I'd appreciate it if you could mark this thread as resolved so that it can be used by others with a similar issue.
Jatin Katyal
- Do rate helpful posts -
06-13-2013 01:23 AM
How to mark this thread as resolved?
I see only how to mark a reply as correct, and I did that for one of your replies.
06-13-2013 01:27 AM
I think you already marked it.
Jatin Katyal
- Do rate helpful posts -