01-13-2017 10:31 AM
Hello all,
I’ve created a AAA group in a Cisco ASA, and have double-verified that I’ve assigned the proper integration key and security key where needed. However, I am receiving a generic LDAP error 49: Invalid credentials, in the debug output of debug ldap 255 on the ASA.
Here is the debug output when attempting to authenticate with the AAA profile:
OURASA# debug ldap 255
debug ldap enabled at level 255
OURASA# terminal monitor
OURASA#
[6786] Session Start
[6786] New request Session, context 0xafe22d24, reqType = Authentication
[6786] Fiber started
[6786] Creating LDAP context with uri=ldaps://IPofDuoLDAP:636
[6786] Connect to LDAP server: ldaps://IPofDuoLDAP:636, status = Successful
[6786] While getting rootDSE, LDAP server IPofDuoLDAP returned code (53) Server is unwilling to perform
[6786] This LDAP server does not support V3 protocol.
[6786] Binding as [The app's integration ID]
[6786] Performing Simple authentication for [The app's integration ID] to IPofDuoLDAP
[6786] Simple authentication for [The app's integration ID] returned code (49) Invalid credentials
[6786] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[6786] Fiber exit Tx=244 bytes Rx=51 bytes, status=-2
[6786] Session End
Note that because the ASA can’t effectively bind, I do not see any Authentication logs on the configured Duo application.
I have opened a support ticket, but am not satisfied with their turnaround time and was wondering if anyone else has experienced this issue and if they can assist with a resolution.
Thanks,
Matt
01-13-2017 11:17 AM
Hi Matt,
I’m working with our Support Team to get a response to you now.
Thanks,
Andrew
01-13-2017 11:27 AM
This is done after a call in to support.
Worth noting that the only thing I changed was shortening the username from user@domain.corp to user. We verified the AAA profile config and voila. It was good.
Thanks,
Matt
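An added triage example (not part of the original posts, and not Cisco or Duo code): it groups debug ldap 255 lines by session id and separates a bind that the server rejected from a connection that never came up, using a subset of the lines posted above as input. The function name triage and the verdict labels are assumptions made for this example.

```python
import re
from collections import defaultdict

# Subset of the debug lines from the post above, placeholders as posted.
SAMPLE = """\
[6786] Connect to LDAP server: ldaps://IPofDuoLDAP:636, status = Successful
[6786] While getting rootDSE, LDAP server IPofDuoLDAP returned code (53) Server is unwilling to perform
[6786] Simple authentication for [The app's integration ID] returned code (49) Invalid credentials
[6786] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[6786] Fiber exit Tx=244 bytes Rx=51 bytes, status=-2
"""

LINE = re.compile(r"^\[(\d+)\]\s+(.*)$")             # "[session] message"
CODE = re.compile(r"returned code \((-?\d+)\)\s*(.*)$")
CONNECT = re.compile(r"^Connect to LDAP server: (\S+), status = (\w+)")

def triage(text):
    """Group debug lines by session id and classify each session's outcome."""
    sessions = defaultdict(lambda: {"uri": None, "connected": False, "codes": []})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # CLI prompts, command echoes, blank lines
        sid, msg = m.groups()
        s = sessions[sid]
        c = CONNECT.match(msg)
        if c:
            s["uri"], s["connected"] = c.group(1), c.group(2) == "Successful"
        r = CODE.search(msg)
        if r:
            s["codes"].append((int(r.group(1)), r.group(2)))
    for s in sessions.values():
        codes = [code for code, _ in s["codes"]]
        if not s["connected"]:
            s["verdict"] = "connect_failed"
        elif 49 in codes:
            # The server answered the bind, so it was reachable despite a trailing -1.
            s["verdict"] = "bind_rejected"
        elif any(code != 0 for code in codes):
            s["verdict"] = "other_ldap_error"
        else:
            s["verdict"] = "ok"
    return dict(sessions)
```

On the posted session this returns bind_rejected: the server answered the bind with code 49, so the later (-1) Can't contact LDAP server line does not indicate a reachability problem.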