Cisco 5508-X ldap issue

Jeffrey Jones
Level 5

Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
!
ASA Version 9.12(3)
Anyconnect version is 4.8

LDAP config

ldap attribute-map AM-ANYCONNECT-USERS
map-name memberOf Group-Policy
map-value memberOf CN=VPN_Users,OU=People,DC=blahblah,DC=com GroupPolicy_ANYCONNECT-PROFILE
aaa-server LDAP-SERVER protocol ldap
aaa-server LDAP-SERVER (inside) host 192.168.0.8
ldap-base-dn DC=blahblah,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=ldap_vpnadmin,OU=People,DC=meicompany,DC=com
server-type microsoft

Error received when testing:

INFO: Attempting Authentication test to IP address (192.168.0.8) (timeout: 17 seconds)

ERROR: Authentication Server not responding: AAA Server has been removed

Any help would be greatly appreciated.

4 Replies

Francesco Molino
VIP Alumni

Hi
Your LDAP config looks ok.

Are you getting the error while doing a test aaa from asa or when connecting to VPN?
First ensure you can authenticate correctly by testing your LDAP through ASDM or CLI (test aaa command).

If this test is ok, while connecting to VPN, can you run a debug aaa and debug ldap 255 and share the output in a text file?

Also can you share your anyconnect configuration?
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

[-2147483601] New request Session, context 0x00007f16899b27c0, reqType = Authentication
[-2147483601] Fiber started
[-2147483601] Creating LDAP context with uri=ldap://192.168.0.8:389
[-2147483601] Connect to LDAP server: ldap://192.168.0.8:389, status = Successful
[-2147483601] supportedLDAPVersion: value = 3
[-2147483601] supportedLDAPVersion: value = 2
[-2147483601] Binding as ldap_vpnadmin
[-2147483601] Performing Simple authentication for ldap_vpnadmin to 192.188.0.8
[-2147483601] Simple authentication for ldap_vpnadmin returned code (49) Invalid credentials
[-2147483601] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[-2147483601] Fiber exit Tx=221 bytes Rx=726 bytes, status=-2
[-2147483601] Session End
ERROR: Authentication Server not responding: AAA Server has been removed
ASA config
ldap attribute-map AM-ANYCONNECT-USERS
map-name memberOf Group-Policy
map-value memberOf CN=VPN_Users,OU=People,DC=blahblah,DC=com GroupPolicy_ANYCONNECT-PROFILE
aaa-server LDAP-SERVER protocol ldap
aaa-server LDAP-SERVER (inside) host 192.168.0.8
ldap-base-dn DC=meicompany,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=ldap_vpnadmin,OU=People,DC=blahblah,DC=com
server-type microsoft

Got it fixed, did an LDAP query and found that the CN was off for it.

Final question: is it possible to have LDAP configured for a group and also set up local users?
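The debug output above is a good illustration of how the ASA's final "Authentication Server not responding: AAA Server has been removed" line hides the real cause: the server was reachable, the administrator bind with the ldap-login-dn failed with LDAP result code 49 (invalid credentials), and only then did the ASA give up. The following triage helper is an added example, not code from the thread or from Cisco. It reads a saved debug ldap transcript, reports which stage failed (TCP connect, administrator bind, or a later search/user stage), and also checks an aaa-server block for a login DN whose DC suffix does not sit under the configured base DN, which is usually a typo or an inconsistent redaction rather than a real multi-domain setup. The sample debug lines and config are constructed from the redacted values in this thread; the function names and the "stage" labels are my own.

```python
"""Triage helpers for ASA 'debug ldap 255' output and aaa-server LDAP config.

Added example (assumptions): line formats are taken only from the transcript
in this thread; the stage names and finding texts are invented here.
"""
import re

# Constructed sample: the administrator-bind failure from the thread.
SAMPLE_DEBUG = """\
[-2147483601] Creating LDAP context with uri=ldap://192.168.0.8:389
[-2147483601] Connect to LDAP server: ldap://192.168.0.8:389, status = Successful
[-2147483601] Binding as ldap_vpnadmin
[-2147483601] Simple authentication for ldap_vpnadmin returned code (49) Invalid credentials
[-2147483601] Failed to bind as administrator returned code (-1) Can't contact LDAP server
ERROR: Authentication Server not responding: AAA Server has been removed
"""

# Constructed sample: the aaa-server block from the thread (DC suffixes differ).
SAMPLE_CONFIG = """\
aaa-server LDAP-SERVER (inside) host 192.168.0.8
 ldap-base-dn DC=meicompany,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=ldap_vpnadmin,OU=People,DC=blahblah,DC=com
 server-type microsoft
"""

BIND_RE = re.compile(r"Simple authentication for (\S+) returned code \((\d+)\) (.+)")


def diagnose_ldap_debug(text: str) -> dict:
    """Classify a debug ldap transcript by the first stage that failed.

    stage is one of: "connect", "admin_bind", "later" (search or user stage),
    or "ok" when nothing in the transcript indicates a failure. The trailing
    "AAA Server has been removed" line is emitted for every failure kind, so
    it is ignored here and the earlier lines decide.
    """
    connected = re.search(r"Connect to LDAP server:.*status = Successful", text) is not None
    if not connected:
        return {"stage": "connect", "code": None,
                "hint": "no successful TCP/LDAP connect; check routing, ACLs and the host/port"}
    admin_failed = "Failed to bind as administrator" in text
    bind = BIND_RE.search(text)
    if admin_failed:
        code = int(bind.group(2)) if bind else None
        hint = "ldap-login-dn or ldap-login-password rejected by the directory"
        if code == 49:
            hint += " (result 49 = invalid credentials: verify the bind account's DN and password)"
        return {"stage": "admin_bind", "code": code, "hint": hint}
    if bind and int(bind.group(2)) != 0:
        return {"stage": "later", "code": int(bind.group(2)),
                "hint": f"user {bind.group(1)} failed after a successful administrator bind"}
    return {"stage": "ok", "code": 0, "hint": "no failure found in transcript"}


def dn_components(dn: str) -> list:
    """Split a DN on unescaped commas, normalised for comparison."""
    return [part.strip().lower() for part in re.split(r"(?<!\\),", dn)]


def check_login_dn_under_base(config: str) -> list:
    """Return findings for a login DN whose suffix is not under ldap-base-dn."""
    base = re.search(r"ldap-base-dn\s+(.+)", config)
    login = re.search(r"ldap-login-dn\s+(.+)", config)
    findings = []
    if base is None or login is None:
        findings.append("aaa-server block is missing ldap-base-dn or ldap-login-dn")
        return findings
    base_parts = dn_components(base.group(1))
    login_parts = dn_components(login.group(1))
    if login_parts[-len(base_parts):] != base_parts:
        findings.append("ldap-login-dn suffix %s is not under ldap-base-dn %s; "
                        "verify the bind account's DN with an LDAP query before troubleshooting further"
                        % (",".join(login_parts[-len(base_parts):]), ",".join(base_parts)))
    return findings


if __name__ == "__main__":
    print(diagnose_ldap_debug(SAMPLE_DEBUG))
    for finding in check_login_dn_under_base(SAMPLE_CONFIG):
        print("WARN:", finding)
```

In practice you would paste the output of "debug ldap 255" captured during "test aaa-server authentication" into a file and feed it to diagnose_ldap_debug; a "connect" result points at the network path, while "admin_bind" with code 49 means the directory answered and rejected the bind account, exactly the case in this thread.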

For authentication, if LDAP fails then you can look up your local user database. You can use the following command under your tunnel-group: authentication-server-group LDAP-SERVER LOCAL

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question