01-13-2017 10:31 AM
Hello all,
I’ve created an AAA group in a Cisco ASA, and have double-verified that I’ve assigned the proper integration key and security key where needed. However, I am receiving a generic LDAP error 49: Invalid credentials, in the debug output of debug ldap 255 on the ASA.
Here is the debug output when attempting to authenticate with the AAA profile:
OURASA# debug ldap 255
debug ldap enabled at level 255
OURASA# terminal monitor
OURASA#
[6786] Session Start
[6786] New request Session, context 0xafe22d24, reqType = Authentication
[6786] Fiber started
[6786] Creating LDAP context with uri=ldaps://IPofDuoLDAP:636
[6786] Connect to LDAP server: ldaps://IPofDuoLDAP:636, status = Successful
[6786] While getting rootDSE, LDAP server IPofDuoLDAP returned code (53) Server is unwilling to perform
[6786] This LDAP server does not support V3 protocol.
[6786] Binding as [The app's integration ID]
[6786] Performing Simple authentication for [The app's integration ID] to IPofDuoLDAP
[6786] Simple authentication for [The app's integration ID] returned code (49) Invalid credentials
[6786] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[6786] Fiber exit Tx=244 bytes Rx=51 bytes, status=-2
[6786] Session End
Note that because the ASA can’t effectively bind, I do not see any Authentication logs on the configured Duo application.
I have opened a support ticket, but am not satisfied with their turnaround time and was wondering if anyone else has experienced this issue and if they can assist with a resolution.
Thanks,
Matt
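An added example, not part of the original post and not Cisco or Duo tooling: a small Python triage script for output in the debug ldap 255 format quoted above. It groups result lines by session ID and reports the first failing bind result the server returned; the sample host and bind name are constructed placeholders, and the stage labels are names chosen for this example.

```python
import re

# Constructed sample in the format of the debug output quoted in the post;
# the host name and bind name are placeholders.
SAMPLE = """\
[6786] Session Start
[6786] Connect to LDAP server: ldaps://ldap.example.test:636, status = Successful
[6786] While getting rootDSE, LDAP server ldap.example.test returned code (53) Server is unwilling to perform
[6786] Binding as EXAMPLE_BIND_NAME
[6786] Simple authentication for EXAMPLE_BIND_NAME returned code (49) Invalid credentials
[6786] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[6786] Session End
"""

LINE = re.compile(r"^\[(\d+)\]\s+(.*)$")
CODE = re.compile(r"returned code \((-?\d+)\)\s*(.*)$")


def stage_of(msg):
    """Label the step of the exchange a result line belongs to."""
    if "rootDSE" in msg:
        return "rootDSE"
    if msg.startswith("Simple authentication for"):
        return "bind"
    return "summary"


def parse_sessions(text):
    """Map session id -> list of (stage, code, description) result events."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sid, msg = m.groups()
        events = sessions.setdefault(sid, [])
        c = CODE.search(msg)
        if c:
            events.append((stage_of(msg), int(c.group(1)), c.group(2).strip()))
    return sessions


def first_bind_failure(events):
    """First failing bind result sent by the server (RFC 4511 codes are >= 0)."""
    for stage, code, desc in events:
        if stage == "bind" and code > 0:
            return code, desc
    return None


if __name__ == "__main__":
    for sid, events in parse_sessions(SAMPLE).items():
        print(sid, events, "->", first_bind_failure(events))
```

Negative codes such as -1 come from the LDAP client side rather than from the server, so the script skips them and reports the 49 returned for the bind.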
01-13-2017 11:17 AM
Hi Matt,
I’m working with our Support Team to get a response to you now.
Thanks,
Andrew
01-13-2017 11:27 AM
This is done after a call in to support.
Worth noting that the only thing I changed was shortening the username from user@domain.corp to user. We verified the AAA profile config and voila. It was good.
Thanks,
Matt