LDAP fails with error 49 invalid credentials but integration key and key have been verified


#1

Hello all,

I’ve created an AAA group in a Cisco ASA, and have double-verified that I’ve assigned the proper integration key and security key where needed. However, I am receiving a generic LDAP error 49: Invalid credentials, in the debug output of debug ldap 255 on the ASA.

Here is the debug output when attempting to authenticate with the AAA profile:

OURASA# debug ldap 255
debug ldap  enabled at level 255
OURASA# terminal monitor
OURASA#
[6786] Session Start
[6786] New request Session, context 0xafe22d24, reqType = Authentication
[6786] Fiber started
[6786] Creating LDAP context with uri=ldaps://IPofDuoLDAP:636
[6786] Connect to LDAP server: ldaps://IPofDuoLDAP:636, status = Successful
[6786] While getting rootDSE, LDAP server IPofDuoLDAP returned code (53) Server is unwilling to perform
[6786] This LDAP server does not support V3 protocol.
[6786] Binding as [The app's integration ID]
[6786] Performing Simple authentication for [The app's integration ID] to IPofDuoLDAP
[6786] Simple authentication for [The app's integration ID] returned code (49) Invalid credentials
[6786] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[6786] Fiber exit Tx=244 bytes Rx=51 bytes, status=-2
[6786] Session End

Note that because the ASA can’t effectively bind, I do not see any Authentication logs on the configured Duo application.

I have opened a support ticket, but am not satisfied with their turnaround time and was wondering if anyone else has experienced this issue and if they can assist with a resolution.

Thanks,

Matt
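For anyone triaging the same symptom, the following is an added example (my own code, not from the post, Cisco or Duo) that parses ASA `debug ldap 255` output of the shape shown above and reports which stage failed: TCP/TLS connect, rootDSE query, or the ASA's own administrator bind. It assumes the `[session-id] message` and `returned code (N) text` line formats seen in the post; the sample log is constructed from that output with a placeholder server address (192.0.2.10) and a placeholder bind identity (`DIXXXXXXXXXXXXXXXXXX`).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the debug output in the post above.
# Server address and bind identity are placeholders, not real values.
SAMPLE_DEBUG = """\
[6786] Session Start
[6786] New request Session, context 0xafe22d24, reqType = Authentication
[6786] Fiber started
[6786] Creating LDAP context with uri=ldaps://192.0.2.10:636
[6786] Connect to LDAP server: ldaps://192.0.2.10:636, status = Successful
[6786] While getting rootDSE, LDAP server 192.0.2.10 returned code (53) Server is unwilling to perform
[6786] This LDAP server does not support V3 protocol.
[6786] Binding as [DIXXXXXXXXXXXXXXXXXX]
[6786] Performing Simple authentication for [DIXXXXXXXXXXXXXXXXXX] to 192.0.2.10
[6786] Simple authentication for [DIXXXXXXXXXXXXXXXXXX] returned code (49) Invalid credentials
[6786] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[6786] Fiber exit Tx=244 bytes Rx=51 bytes, status=-2
[6786] Session End
"""

# Line shapes assumed from the post's output (hypothetical generalisation).
LINE_RE = re.compile(r"^\[(?P<sid>\d+)\]\s+(?P<msg>.*)$")
CODE_RE = re.compile(r"returned code \((?P<code>-?\d+)\)\s*(?P<text>.*)$")
BIND_RE = re.compile(r"^Binding as \[(?P<ident>[^\]]*)\]")
CONNECT_RE = re.compile(r"^Connect to LDAP server: (?P<uri>\S+), status = (?P<status>.+)$")


@dataclass
class LdapTriage:
    session_id: Optional[str] = None
    server_uri: Optional[str] = None
    connected: bool = False
    rootdse_code: Optional[int] = None
    bind_identity: Optional[str] = None
    bind_code: Optional[int] = None
    bind_message: Optional[str] = None
    admin_bind_failed: bool = False
    findings: List[str] = field(default_factory=list)


def bind_identity_hint(ident: Optional[str]) -> Optional[str]:
    """Flag a bind identity written as user@domain; in this thread the bare
    form ('user' instead of 'user@domain.corp') is what ended up working."""
    if ident and "@" in ident:
        return ("bind identity '%s' is in user@domain form; the thread above "
                "resolved a code 49 by using the bare username instead" % ident)
    return None


def triage_asa_ldap_debug(text: str) -> LdapTriage:
    """Parse one ASA LDAP debug session and explain where it failed."""
    t = LdapTriage()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompt lines, 'debug ldap enabled ...', etc.
        t.session_id = t.session_id or m.group("sid")
        msg = m.group("msg")
        c = CONNECT_RE.match(msg)
        if c:
            t.server_uri = c.group("uri")
            t.connected = c.group("status").strip() == "Successful"
            continue
        b = BIND_RE.match(msg)
        if b:
            t.bind_identity = b.group("ident")
            continue
        code = CODE_RE.search(msg)
        if not code:
            continue
        n = int(code.group("code"))
        if msg.startswith("While getting rootDSE"):
            t.rootdse_code = n
        elif msg.startswith("Simple authentication for"):
            t.bind_code, t.bind_message = n, code.group("text").strip()
        elif msg.startswith("Failed to bind as administrator"):
            t.admin_bind_failed = True

    # Findings, ordered by the stage at which the session actually broke.
    if not t.connected:
        t.findings.append("connect to the LDAP server failed; fix reachability/TLS before credentials")
    if t.rootdse_code == 53:
        t.findings.append("rootDSE query refused (code 53); this precedes the bind and is not the credential failure")
    if t.bind_code == 49 and t.admin_bind_failed:
        t.findings.append("the ASA's own administrator bind was rejected (code 49) before any user "
                          "credentials were sent, so no authentication event is expected on the server side")
    hint = bind_identity_hint(t.bind_identity)
    if hint:
        t.findings.append(hint)
    return t


if __name__ == "__main__":
    for line in triage_asa_ldap_debug(SAMPLE_DEBUG).findings:
        print("-", line)
```

Run it against a pasted session and read the findings top to bottom: a connect failure or a refused rootDSE is reported before the bind result, so the code 49 is only blamed on credentials when the session genuinely reached the administrator bind.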


#2

Hi Matt,

I’m working with our Support Team to get a response to you now.

Thanks,
Andrew


#4

This was done after a call in to support.

Worth noting that the only thing I changed was shortening the username from user@domain.corp to user. We verified the AAA profile config and voila. It was good.

Thanks,

Matt
