TSHOOT:
B-ASA5505(config)#
[306] Session Start
[306] New request Session, context 0xcc94f2a8, reqType = Authentication
[306] Fiber started
[306] Creating LDAP context with uri=ldap://192.168.100.100:389
[306] Connect to LDAP server: ldap://192.168.100.100:389, status = Successful
[306] supportedLDAPVersion: value = 3
[306] supportedLDAPVersion: value = 2
[306] Binding as LDAP
[306] Performing Simple authentication for LDAP to 192.168.100.100
[306] LDAP Search:
Base DN = [DC=***]
Filter = [sAMAccountName=mixthoor]
Scope = [SUBTREE]
[306] Search result parsing returned failure status
[306] Fiber exit Tx=266 bytes Rx=894 bytes, status=-1
[306] Session End
In the ASDM Real-Time Log I see:
6 Jul 17 2015 12:41:18 113005 AAA user authentication Rejected : reason = Unspecified : server = 192.168.100.100 : user = ***** : user IP = x.x.x.x
So it is trying to authenticate me through AD.
************
UPDATE:
On the ASA I have:
LOCAL If all servers in the server group have been deactivated,
authentication will be done against the local database
What exactly does "have been deactivated" mean?
***********
UPDATE 2:
authentication and authorization—VPN authentication and authorization are supported to enable remote access to the security appliance if AAA servers that normally support these VPN services are unavailable. The authentication-server-group command, available in tunnel-group general attributes mode, lets you specify the LOCAL keyword when you are configuring attributes of a tunnel group. When VPN client of an administrator specifies a tunnel group configured to fallback to the local database, the VPN tunnel can be established even if the AAA server group is unavailable, provided that the local database is configured with the necessary attributes.
I have no way to shut down AD, but I ripped out the aaa-server configuration, put it back with a different IP address and tested it - when establishing the connection the ASA authenticates the user against the local database. The most important question for me: what happens when the ASA has a correct aaa-server configuration (with the right IP), AD is down, and there are local users in the local database? I have no way to test this, so has anyone of you already been through this?
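As an added example (not configuration from the original post or from Cisco's documentation), here is an ASA configuration that shows the two pieces the question is about: an LDAP server group with an explicit failure threshold and dead time, and a tunnel group whose authentication-server-group lists LOCAL as the fallback. The server address 192.168.100.100 and the sAMAccountName naming attribute come from the trace above; the group name AD, the base DN, the service-account DN, the tunnel-group name RA-VPN and the local username are assumptions.

```cisco
! Server group: how many consecutive connection failures deactivate a host,
! and (depletion mode) how long the whole group stays dead before retry.
! Group name "AD" and the thresholds are assumed values.
aaa-server AD protocol ldap
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
!
! The LDAP host from the trace; DNs below are assumed placeholders.
aaa-server AD (inside) host 192.168.100.100
 server-type microsoft
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=ServiceAccounts,DC=example,DC=local
 ldap-login-password <placeholder-password>
!
! Local account that is used only when the AD group is unavailable.
username vpn-fallback password <placeholder-password>
!
! Tunnel group (name assumed): try group AD first, LOCAL only as fallback.
tunnel-group RA-VPN general-attributes
 authentication-server-group AD LOCAL
!
! Checks: server state (ACTIVE / FAILED) and a direct authentication test.
! show aaa-server AD
! test aaa-server authentication AD host 192.168.100.100 username mixthoor
```

The point of the thresholds: the ASA marks a host FAILED (the "deactivated" state the documentation quote refers to) only after it gets no response from it for max-failed-attempts consecutive attempts; LOCAL fallback kicks in once every host in the group is FAILED, and `show aaa-server AD` shows that state. A reachable server that answers with a rejection, as in the trace above where the connect succeeded and only the search result parsing failed, is a normal response: it does not count against the server and therefore does not trigger fallback to the local database.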