Had an issue with a user that was failing to log into the VPN from remote. Couldn’t initially figure it out while at home while troubleshooting the authentication. So here’s how to test authentication from the Cisco ASA CLI.
ciscoasa# test aaa-server authentication AUTH2K8 host 192.168.1.2 username rkreider password s3cr3t
The blue highlights are values that need specified. If not sure of the AAA-SERVER, use the following command to list all the authentication servers.
ciscoasa# show aaa-server
This lists all the aaa-servers; to narrow it down, as in my case, I specified some additional arguments.
ciscoasa# show aaa-server authentication protocol nt
Here is a list of available protocols.
ciscoasa# show aaa-server protocol ?
http-form Protocol HTTP form-based
kerberos Protocol Kerberos
ldap Protocol LDAP
nt Protocol NT
radius Protocol RADIUS
sdi Protocol SDI
tacacs+ Protocol TACACS+
So the output from showing the aaa-server type of NT is follows for me.
Server Group: AUTH2K8 Server Protocol: nt Server Address: 192.168.1.2 Server port: 139 Server status: ACTIVE, Last transaction at 13:16:58 EDT Wed Mar 26 2014 Number of pending requests 0 Average round trip time 0ms Number of authentication requests 435 Number of authorization requests 0 Number of accounting requests 0 Number of retransmissions 0 Number of accepts 389 Number of rejects 31 Number of challenges 0 Number of malformed responses 0 Number of bad authenticators 0 Number of timeouts 15 Number of unrecognized responses 0
I used the highlighted values in my test case. Again, here is my command.
ciscoasa# test aaa-server authentication AUTH2K8 host 192.168.1.2 username rkreider password s3cr3t INFO: Attempting Authentication test to IP address <192.168.1.2> (timeout: 12 seconds) ERROR: Authentication Rejected: AAA failure ciscoasa# test aaa-server authentication AUTH2K8 host 192.168.1.2 username rkreider password sup3rs3cr3t INFO: Attempting Authentication test to IP address <192.168.1.2> (timeout: 12 seconds) INFO: Authentication Successful
My issue was actually related to a setting on the account profile in Active Directory restricting server logons which inherently prevented authentication from working.
