Had an issue with a user who was failing to log into the VPN remotely. Couldn’t initially figure it out while troubleshooting the authentication from home. So here’s how to test authentication from the Cisco ASA CLI.

ciscoasa# test aaa-server authentication AUTH2K8 host 192.168.1.2 username rkreider password s3cr3t

The server group name (AUTH2K8 here), host address, username and password are the values that need to be specified. If you are not sure of the AAA server group name, use the following command to list all the authentication servers.

ciscoasa# show aaa-server

This lists all the aaa-servers; to narrow it down, as in my case, I specified some additional arguments.

ciscoasa# show aaa-server authentication protocol nt

Here is a list of available protocols.

ciscoasa# show aaa-server protocol ?

  http-form  Protocol HTTP form-based
  kerberos   Protocol Kerberos
  ldap       Protocol LDAP
  nt         Protocol NT
  radius     Protocol RADIUS
  sdi        Protocol SDI
  tacacs+    Protocol TACACS+

So the output from showing the aaa-servers of type NT is as follows for me.

Server Group:    AUTH2K8
Server Protocol: nt
Server Address:  192.168.1.2
Server port:     139
Server status:   ACTIVE, Last transaction at 13:16:58 EDT Wed Mar 26 2014
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       435
Number of authorization requests        0
Number of accounting requests           0
Number of retransmissions               0
Number of accepts                       389
Number of rejects                       31
Number of challenges                    0
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      15
Number of unrecognized responses        0

I used the highlighted values in my test case. Again, here is my command.

ciscoasa# test aaa-server authentication AUTH2K8 host 192.168.1.2 username rkreider password s3cr3t
INFO: Attempting Authentication test to IP address <192.168.1.2> (timeout: 12 seconds)
ERROR: Authentication Rejected: AAA failure

ciscoasa# test aaa-server authentication AUTH2K8 host 192.168.1.2 username rkreider password sup3rs3cr3t
INFO: Attempting Authentication test to IP address <192.168.1.2> (timeout: 12 seconds)
INFO: Authentication Successful

My issue was actually related to a setting on the account profile in Active Directory restricting server logons, which inherently prevented authentication from working.
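
The counters in the show aaa-server output above can also be read programmatically, which helps separate rejects (the server answered and said no, as with the account restriction here) from timeouts (the server did not answer). The following Python is an added example, not part of the original post or any Cisco tooling; the function names and the check that the outcome counters add up to the request count are assumptions made for illustration.

```python
import re

# Constructed sample: the "show aaa-server" block as it appears in the post.
SAMPLE = """\
Server Group:    AUTH2K8
Server Protocol: nt
Server Address:  192.168.1.2
Server port:     139
Server status:   ACTIVE, Last transaction at 13:16:58 EDT Wed Mar 26 2014
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       435
Number of authorization requests        0
Number of accounting requests           0
Number of retransmissions               0
Number of accepts                       389
Number of rejects                       31
Number of challenges                    0
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      15
Number of unrecognized responses        0
"""

FIELD = re.compile(r"^(Server [A-Za-z ]+?):\s+(.+)$")
COUNTER = re.compile(r"^(?:Number of )?(.+?)\s{2,}(\d+)(?:ms)?$")

def parse_block(text):
    """Split one server block into header fields and integer counters."""
    fields, counters = {}, {}
    for line in map(str.strip, text.splitlines()):
        if (m := FIELD.match(line)):
            fields[m.group(1)] = m.group(2)
        elif (m := COUNTER.match(line)):
            counters[m.group(1)] = int(m.group(2))
    return fields, counters

def summarize(counters):
    """Rejects: the server answered 'no'. Timeouts: it did not answer in time."""
    total = counters["authentication requests"]
    outcomes = {k: counters[k] for k in ("accepts", "rejects", "challenges", "timeouts")}
    return {
        # Holds for the post's numbers; assumed here, not a documented invariant.
        "outcomes_sum_to_requests": sum(outcomes.values()) == total,
        "reject_pct": round(100 * outcomes["rejects"] / total, 1) if total else 0.0,
        "timeout_pct": round(100 * outcomes["timeouts"] / total, 1) if total else 0.0,
    }

if __name__ == "__main__":
    fields, counters = parse_block(SAMPLE)
    print(fields["Server Group"], fields["Server Address"], summarize(counters))
```

A rising timeout percentage points at reachability between the ASA and the AAA server, while rejects point at credentials or account policy on the server side.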