My boss is currently working to move us to our ASA for VPN access, and he encountered a weird problem that did not allow him to log in successfully. I don't know how applicable this is to you, but the gist of it is that the length of the string returned to the ASA containing his group memberships was too long for the default Kerberos configuration. He opened a support ticket, and the Cisco tech, through debugging logs, was able to see a message indicating that the Kerberos response had exceeded the maximum number of characters. Cisco changed our configuration to use LDAP authentication to remedy this. However, they did say that the Kerberos configuration could also be modified to permit this if we wanted to do that in the future.
We are also using AD for authentication and not the local database option.

HTH,
Joe

From: David Lum [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 10, 2008 4:49 PM
To: NT System Admin Issues
Subject: RE: Cisco ASA

Thanks! I'll forward this on and see if it helps him.

Dave

From: Jason Morris [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 10, 2008 1:44 PM
To: NT System Admin Issues
Subject: RE: Cisco ASA

Ahhh. That makes more sense. I started with the baseline group from the ASA box, which means my users are in the DefaultRAGroup with that password set up in the Cisco client. Then I configured the AD portion on the ASA per this link:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml

This also requires the AD account to have the Remote Access Permission set to "Allow Access". Without that, they'll get bounced. After initiating the connection they put in their domain username and password, and voilà.

If it's STILL not working, I'd suggest running ldp.exe and logging in with the credentials he's putting in the AAA Server config. That'll verify whether it's able to connect for the lookups into AD.

Good luck,
Jason

From: David Lum [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 10, 2008 3:31 PM
To: NT System Admin Issues
Subject: RE: Cisco ASA

I know he's referring to Active Directory accounts, because he asked what kind of AD changes I've made in the last week, so I assumed it was finding an account in AD and looking up group membership.

Thanks,
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

From: Jason Morris [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 10, 2008 1:24 PM
To: NT System Admin Issues
Subject: RE: Cisco ASA

Using the Windows client or the Cisco client? For the Cisco client I'll assume he's using the local database? Username and password are case-sensitive there...obviously.
Have him turn the debugging on ASDM to warnings, which will get the errors he's taking to at least show up and allow him to separate the wheat from the chaff. Most of those you can type right into Google and get a fairly good answer, or at least a point in the right direction.

Good luck.
J

Jason

From: David Lum [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 10, 2008 3:05 PM
To: NT System Admin Issues
Subject: Cisco ASA

Trying to help a fellow co-worker; he's working on configuring a Cisco ASA (dunno what model). This guy doesn't like to ask for help (read: he hasn't asked me to help, I'm just seeing if I can find something easy), but he is troubleshooting the following symptom:

"The ASA looks for group membership when determining what policy to load. It's finding the correct membership, but fails to logon the user."

I know that's thin information, but is there any intelligent question I can ask him to help his troubleshooting?

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
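Two things the thread points at can be checked from the AD side before opening a ticket: how large a user's Kerberos group payload is (Joe's "response exceeded the maximum number of characters" case) and whether the account's Remote Access Permission is "Allow Access" (Jason's point). The following is an added example, not code from the thread or from Cisco; it assumes a domain-joined Windows host with the RSAT ActiveDirectory module, uses Microsoft's documented token-size estimate (1200 + 40*d + 8*s), and reads the msNPAllowDialin attribute behind the "Allow Access" setting. The ASA's own limit is not stated in the thread, so the function only reports the estimate; 'jdoe' is a placeholder account name.

```powershell
# Added example (not from the thread): report a user's expanded group count,
# the estimated Kerberos token size, and the dial-in ("Allow Access") flag.
Import-Module ActiveDirectory

function Get-KerberosGroupLoad {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties msNPAllowDialin, SIDHistory
    $accountDomainSid = $user.SID.AccountDomainSid.Value

    # tokenGroups is a constructed attribute: the DC expands nested membership,
    # so this is the same set of SIDs that ends up in the user's Kerberos PAC.
    $entry = [ADSI]"LDAP://$($user.DistinguishedName)"
    $entry.RefreshCache(@('tokenGroups'))
    $groupSids = foreach ($raw in $entry.Properties['tokenGroups']) {
        New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
    }

    # d: domain-local groups + universal groups from other domains (40 bytes each)
    # s: global groups + universal groups from the account's own domain (8 bytes each)
    $d = ($user.SIDHistory | Measure-Object).Count   # SIDHistory entries are counted like d
    $s = 0
    foreach ($sid in $groupSids) {
        try {
            $group = Get-ADGroup -Identity $sid.Value
        } catch {
            $d++      # unresolvable here (e.g. another domain): count the heavier case
            continue
        }
        $inAccountDomain = ($sid.AccountDomainSid.Value -eq $accountDomainSid)
        switch ($group.GroupScope) {
            'Global'      { $s++ }
            'Universal'   { if ($inAccountDomain) { $s++ } else { $d++ } }
            'DomainLocal' { $d++ }
        }
    }

    [pscustomobject]@{
        User                = $SamAccountName
        GroupCount          = @($groupSids).Count
        EstimatedTokenBytes = 1200 + (40 * $d) + (8 * $s)   # Microsoft's estimate
        RemoteAccessAllowed = [bool]$user.msNPAllowDialin    # "Allow Access" radio button
    }
}

Get-KerberosGroupLoad -SamAccountName 'jdoe'   # placeholder account
```

A user whose EstimatedTokenBytes is far above the rest of the population is the first candidate when an AAA response-length error appears in the ASA debug output.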
