Saturday 30 April 2016

How to enable an aaa-server on ASA if it has failed?


How to verify the status of an aaa-server configured on ASA?

sh aaa-server
============================
Server Group:    Test
Server Protocol: radius
Server Address:  10.60.2.6
Server port:     1645(authentication), 1646(accounting)
Server status:   FAILED, Server disabled
==============================
Failed servers only reactivate after all of the servers in the group are inactive.

If the server is now available, test it with a ping from the ASA. Then we can re-enable it with the following command:

aaa-server Test active host 10.60.2.6

If you want to disable an aaa-server, use the following:

aaa-server Test fail host 10.60.2.6
 
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/a1.html#wp1558160
 

Thursday 14 April 2016

User authentication fails with LDAP: what do the debugs look like?


This is what the debugs look like when LDAP user authentication fails:

ASA(host)# test aaa autho TEST host 192.168.1.4
Username: awesome\test
INFO: Attempting Authorization test to IP address <192.168.1.4> (timeout: 12 seconds)

[-2147483639] Session Start
[-2147483639] New request Session, context 0x00002aaad5771be0, reqType = Other
[-2147483639] Fiber started
[-2147483639] Creating LDAP context with uri=ldap://192.168.1.4:389
[-2147483639] Connect to LDAP server: ldap://192.168.1.4:389, status = Successful
[-2147483639] supportedLDAPVersion: value = 3
[-2147483639] supportedLDAPVersion: value = 2
[-2147483639] Binding as awesome\aduser
[-2147483639] Performing Simple authentication for awesome\aduser to 192.168.1.4
[-2147483639] LDAP Search:
        Base DN = [DC=awesome,DC=ca]
        Filter  = [sAMAccountName=awesome\\test]
        Scope   = [SUBTREE]
[-2147483639] Search result parsing returned failure status
[-2147483639] Fiber exit Tx=259 bytes Rx=1023 bytes, status=-1
[-2147483639] Session End
ERROR: Authorization Rejected: Unspecified


This definitely means that either the username or the password is wrong. There is one more case: the username doesn't exist :)


LDAP admin bind failure debugs


This is what the debugs look like if the LDAP admin bind fails:

ASA(host)# test aaa autho TEST host 192.168.1.4
Username: raj
INFO: Attempting Authorization test to IP address <192.168.1.4> (timeout: 12 seconds)

[-2147483640] Session Start
[-2147483640] New request Session, context 0x00002aaad5771be0, reqType = Other
[-2147483640] Fiber started
[-2147483640] Creating LDAP context with uri=ldap://192.168.1.4:389
[-2147483640] Connect to LDAP server: ldap://192.168.1.4:389, status = Successful
[-2147483640] supportedLDAPVersion: value = 3
[-2147483640] supportedLDAPVersion: value = 2
[-2147483640] Binding as aduser
[-2147483640] Performing Simple authentication for aduser to 192.168.1.4
[-2147483640] Simple authentication for aduser returned code (49) Invalid credentials
[-2147483640] Failed to bind as administrator returned code (-1) Can't contact LDAP server

[-2147483640] Fiber exit Tx=205 bytes Rx=723 bytes, status=-2
[-2147483640] Session End
ERROR: Authorization Server not responding: AAA Server has been removed

Remember: if the admin bind fails, the debug will clearly say "Failed to bind as administrator".
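As an added example (not part of the original post), here is a small Python triage script that applies the two rules from the transcripts above to captured debug text: a "Failed to bind as administrator" line points at the ldap-login-dn/ldap-login-password, while a "Search result parsing returned failure status" line points at the user lookup (ldap-base-dn, ldap-naming-attribute, username). The sample transcripts are constructed from the ones above; the "server_unreachable" branch for a connect status other than Successful is an assumption not shown on this page.

```python
import re

# Constructed samples, abridged from the two "test aaa-server" transcripts above.
ADMIN_BIND_FAIL = """\
[-2147483640] Creating LDAP context with uri=ldap://192.168.1.4:389
[-2147483640] Connect to LDAP server: ldap://192.168.1.4:389, status = Successful
[-2147483640] Binding as aduser
[-2147483640] Simple authentication for aduser returned code (49) Invalid credentials
[-2147483640] Failed to bind as administrator returned code (-1) Can't contact LDAP server
ERROR: Authorization Server not responding: AAA Server has been removed
"""

USER_LOOKUP_FAIL = """\
[-2147483639] Creating LDAP context with uri=ldap://192.168.1.4:389
[-2147483639] Connect to LDAP server: ldap://192.168.1.4:389, status = Successful
[-2147483639] Binding as awesome\\aduser
[-2147483639] LDAP Search:
        Base DN = [DC=awesome,DC=ca]
        Filter  = [sAMAccountName=awesome\\\\test]
        Scope   = [SUBTREE]
[-2147483639] Search result parsing returned failure status
ERROR: Authorization Rejected: Unspecified
"""


def triage_ldap_debug(text):
    """Pull out the fields a troubleshooter checks first and classify the failure."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1) if m else None

    info = {
        "session": grab(r"^\[(-?\d+)\]"),                  # ASA session id on each line
        "uri": grab(r"uri=(\S+)"),                         # server the ASA connected to
        "bind_as": grab(r"^\[-?\d+\] Binding as (\S+)"),   # identity from ldap-login-dn
        "base_dn": grab(r"Base DN = \[(.*?)\]"),           # ldap-base-dn in use
        "filter": grab(r"Filter\s+= \[(.*?)\]"),           # naming attribute + username
        "error": grab(r"^ERROR: (.*)$"),                   # final verdict line from the ASA
    }
    # Order matters: the admin bind happens before any user search, so test it first.
    if "Failed to bind as administrator" in text:
        info["verdict"] = "admin_bind_failed"    # check ldap-login-dn / ldap-login-password
    elif "Search result parsing returned failure status" in text:
        info["verdict"] = "user_lookup_failed"   # check ldap-base-dn, naming attribute, username
    elif re.search(r"Connect to LDAP server: .*status = (?!Successful)", text):
        info["verdict"] = "server_unreachable"   # assumption: any non-Successful connect status
    else:
        info["verdict"] = "unknown"
    return info
```

Paste the full debug transcript into the function; the verdict tells you which half of the aaa-server configuration to look at before re-running the test.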

Below was the configuration during this test:

aaa-server TEST (inside) host 192.168.1.4
 ldap-base-dn DC=awesome,DC=ca
 ldap-group-base-dn DC=awesome,DC=ca
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *******
 ldap-login-dn "CN=aduser,CN=Users,DC=norseman,DC=ca"
 server-type microsoft
 ldap-attribute-map LDAP_memberOf


I changed the ldap-login-dn to domain\username. The new configuration looks like this:

aaa-server TEST (inside) host 192.168.1.4
 ldap-base-dn DC=awesome,DC=ca
 ldap-group-base-dn DC=awesome,DC=ca
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *******
 ldap-login-dn awesome\aduser
 server-type microsoft
 ldap-attribute-map LDAP_memberOf

