EAP Auth problems....

Hello
I'm trying to do EAP-TLS and for some reason every time I start authentication, the first time it tries, it fails with this error message:
EAP retry limit reached for Station (StationName)
And then almost exactly 1 minute later, it will try to auth again and this time, it usually works fine. Any ideas? Thanks

Jason, I feel your pain but I think I know your answer. The newest client software stores your credentials. If you go into ACU and edit your profile you will see, if you scroll down, a listing for Username, Password, and Domain. You will find that your user name is filled in after you login the first time but not your password. What happens the next time you login, I think, is that the client tries to log you in with the incomplete credentials and only after it fails will it come up and ask you to enter them. When you enter them you are then given access to the network and allowed to reach the DHCP server. If you remove all credential info from your profile it will ask you to login immediately. If you enter all three you will be logged in automatically, which of course has major security issues. Remove all traces of credential info from your profile and try it. Let me know.

Similar Messages

  • 1200, ACS 3.1 and EAP Auth Problem

    Hi,
    I am trying to configure LEAP auth with ACS using the local database. I configured it just like it says in the Cisco Security Suite 2.0 doc. For some reason LEAP auth sometimes works and sometimes doesn't. Thanks if anyone could help me.

    Is this the document you used? Can you share the problems you faced?

  • EAP-AUTH-AAA-ERROR: Reply received on stale handle

    Hi,
    I am trying to deploy 802.1x EAP-TLS in a lab environment with ACS 4.2 and
    Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(46)SE
    If I use PEAP, it is working, but with EAP-TLS nothing shows in the logs on ACS, only this error message:
    EAP-AUTH-AAA-ERROR: Reply received on stale handle (0x00000000)
    If I switch Network Access Profile to another one w/o EAP-TLS then in log I get
    12/10/2009 10:23:21 Authen failed [email protected] Default Group XX-XX-XX-XX-XX-XX, other, EAP type not configured
    What could be a problem?

    Problem was solved by migration of whole ACS to another server with 4.2.0.124 Patch 12.

  • ISE - Multiple Issuing Subordinate CAs for EAP Auth?

    Is it possible to utilise multiple issuing subordinate CAs with an ISE implementation? In short I have a situation where the client is wanting to issue certificates for one group of users from CA1 and issue certificates for another group of users from CA2.
    As far as I can see it is not possible to have two different server certificates installed on a policy node for the purposes of EAP authentication. Is the only way around this to install a policy node per issuing certificate server?

    Ok to add to this I would really like some clarification on certificate installation for the purposes of EAP-TLS. The Cisco doco is at best vague on this topic. I have a distributed deployment with 2 x Admin, 1 x monitoring and 2 x PSN. I have installed a Public HTTPS server auth cert on each device and all nodes are joined. I would now like to utilise MS CA cert infrastructure to authenticate EAP-TLS.
    My understanding is that I need the MS CA Root Cert and Subordinate Cert on the Admin node with the subordinate cert ticked for trust for EAP Auth. Is there a requirement for a Server Authentication certificate on the Admin Node? Going forward with that Is there a requirement to add a server authentication certificate to the PSN Nodes?
    In addition, back to my first question: is it possible to utilise multiple subordinate CAs for client authentication, and if so, how? I cannot seem to click trust for EAP on multiple certs.

  • Wlc 2100 with local eap auth

    Hello
    I have set up an wlc 2125 with local eap auth which I think is working fine for now.
    But I don't want a certificate warning to come up when users log in.
    Can I stop this from happening without buying a certificate?
    Can I turn off https altogether?
    Trond

    Thank you Trond,
    So here we are talking about web authentication, which does not use local EAP, so not sure whether the local EAP profile is really being triggered for that.
    Clients are being prompted with a WLC's self-signed certificate, more or less in the same way as they would be if they tried to login to the WLC via HTTPS.
    Similarly, the fastest way would be to install this certificate on the user's machine, so that it can trust it from that moment on.
    Or you can generate a certificate signing request for the WLC, submit it to a root CA/buy a root CA signed server certificate (with the root CA trusted by the clients) and then install this certificate on the WLC:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
    For web authentication, there is no way to switch to HTTP for the WLC's certificate validation.
    Regards,
    Fede
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • EAP-TLS and MS AD auth problem

    Hi,
    I have a problem with an ACS to authenticate users with certificate on MS AD.
    Working things:
    PEAP authentication with the MS AD;
    EAP-TLS authentication with the local DB.
    Not working things:
    EAP-TLS authentication with MS AD.
    Because I'm able to auth users with PEAP on MS AD, I guess my config on MS AD is correct.
    Because I'm able to auth users with certificates in EAP-TLS, I guess my certificate config is correct.
    So why is it not working with the combination EAP-TLS and MS AD?
    I receive the error 'External DB Account Restriction'
    Thanks for your help.

    This issue is generally seen when there are multiple domains. Try out this step. Choose Network Connections from the control panel. Right-click the local area connection. Choose Properties. Double-click the TCP/IP option. Choose Advanced at the bottom. Click on DNS at the top. Choose Append these DNS suffixes. Add the FQDN for each domain that ACS authenticates against in the field.

  • ACS 3.3 for windows - Win AD and eap-tls problem

    Hi,
    I have a problem with an ACS to authenticate users with certificate on MS AD.
    Working things:
    PEAP authentication with the MS AD;
    EAP-TLS authentication with the local DB.
    Not working things:
    EAP-TLS authentication with MS AD.
    Because I'm able to auth users with PEAP on MS AD, I guess my config on MS AD is correct.
    Because I'm able to auth users with certificates in EAP-TLS, I guess my certificate config is correct.
    So why is it not working with the combination EAP-TLS and MS AD?
    I receive the error 'External DB Account Restriction'
    Thanks for your help.

    Hi,
    This is what is interesting,
    AuthenProcessResponse: process response for 'phd' against Windows Database
    Unknown User 'phd' was not authenticated
    Done RQ1027, client 50, status -2125
    The field that is being picked from the certificate has the value 'phd'; check which field it is.
    And was the logging at full? I think something is missing in the logs.
    Let's do a sanity check, and go through the following link again,
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008068d45a.shtml
    Regards,
    Prem

  • Cisco ACS 5.1 Machine Auth Problem

    Hi All,
    I have a query regarding ACS 5.1 using EAP-PEAP (machine auth plus user name and password). I have successfully setup AD authentication using Machine auth and user credentials and this works ok for corporate wireless devices and users.
    My ACS rules are machine auth against AD computers which gives a positive/pass, then a rule against user but ensuring the device is a valid domain device with "was machine authenticated = TRUE".
    The problem is when using a Windows 7 device (laptop) and logging in using the local admin account: I successfully connect to the network but the local Admin account is not in AD. By default the W7 wireless adapter under security > advanced settings > specify authentication mode is computer authentication only. The W7 client doesn't send over any user credentials?
    Has anyone come across this problem before? Do I need to tweak the W7 clients via GP, or is there a way of stopping just machine authentication without a valid user name and password?
    Really appreciate any responses and thank you in advance.
    Jason

    check out
    http://technet.microsoft.com/en-us/library/dd759219.aspx

  • ITunes auth problem on Windows 7 64-bit

    Hi,
    I experience weird issues with the iTunes auth-process on a Windows 7 (64bit) machine.
    When I try to authorize my computer it results in a message telling me something about connection issues. Anyhow, it seems the computer is kind of activated since I can deauth my computer. If I try auth'in my computer several times, it also allows to deauth it several times until it says that it is not auth'd anymore.
    My tries so far to solve this
    - updated to latest iTunes
    - deactivated, even uninstalled firewall (used NIS2011), also disabled the Windows Firewall after that
    - checked hosts file
    - deleted SC Info
    - even tried with creating new library
    - disabled User Access Control in Windows
    - disabled all startup items in "msconfig"
    - tried to activate with same account a different computer in the same network, I was able to play movies using the private home sharing feature, also activation was no problem
    - re-installed Apple Software (including iTunes, Quicktime and Safari)
    - checked Diagnostic within iTunes with no problems
    So my guess is that it could have something to do with 64 bit or any hard- or software related issue at my computers side.
    Detailed procedure:
    1 - Start iTunes, click Store > Authorize > Enter credentials
    and now the weird thing is that the "authorize" button says "deauthorize", no matter how often I try to deauthorize before.
    2 - Repeated step 1 since it says always the same error message (connectivity alert)
    3 - Playback of any DRM protected media does not work (movies). It asks for authorization again but fails to do so with the same message again
    4 - Deauthorizing is possible and I noticed that I can do this as many times as I tried to authorize before.
    Does anyone have a suitable idea for helping me out in this issue? I never had problems on my mac before, nor on a Windows 7 32bit system.
    My 64 bit machine is only used with one iTunes account.
    I already contacted the iTunes Support via Mail but they could not help me since this could be a technical issue.
    Any help is much appreciated.
    Thanks in advance,
    Benjamin

    After numerous calls with Apple support, I finally got it working
    For me, the problem was the following:
    1. Make sure that Internet Explorer is your standard browser for windows (if not...make it)!
    2. In Internet Explorer go to "Internet Options" then "Advanced"
    3. In the list scroll down to "Security" and UNCHECK "Check for server certificate revocation"
    4. Make sure that (a bit further down) "Use SSL 3.0" and "Use TLS 1.0" are CHECKED.
    5. Delete the "SC Info" folder once again...
    6. Run iTunes in Admin-Mode
    After that, I was able to activate my computer and I changed my browser back to Firefox afterwards...
    Hope that will help you too !!
    Cheers

  • Wired EAP-TLS Problems

    I'm trying to set up wired clients to authenticate with EAP-TLS on a Catalyst 2950. I put together a test setup using the configs on my freeRADIUS server taken from another which is working with EAP-TLS over wireless. The requests are being passed through to the server but the authentication is still failing; could anyone give me some advice? Logs and configs are included below.
    My current setup is:
    FreeRADIUS server - Fedora Core 6, freeradius-1.1.3-2.fc6, freeradius-mysql-1.1.3-2.fc6
    Cisco Catalyst 2950 - IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA9, RELEASE SOFTWARE (fc1) - c2950-i6q4l2-mz.121-22.EA9.bin
    Laptop - OpenSUSE 10.2
    I followed the guide to setting up 802.1x auth on the switch from the 2950 docs and from here:
    http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO (although I'm not using Windows, so only the switch config is relevant)
    "select * from nas" (comma separated to make it easier):
    id,nasname,shortname,type,ports,secret,community,description
    1,10.10.0.9/32,Catalyst,cisco,NULL,<secret>,NULL Catalyst 2950
    wpa_supplicant.conf on laptop:
    ctrl_interface=/var/run/wpa_supplicant
    ctrl_interface_group=wheel
    ap_scan=0
    network={
    key_mgmt=IEEE8021X
    identity="SUSE Laptop"
    eapol_flags=0
    eap=TLS
    ca_cert="/home/evosys/Documents/cacert.pem"
    client_cert="/home/evosys/Documents/suse_cert.pem"
    private_key="/home/evosys/Documents/suse_key.pem"
    private_key_passwd="<password>"
    }
    Outputs of the radiusd and wpa_supplicant are attached...

    Based on this:
    TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain)
    SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
    I would say that your freeRADIUS server is providing a self-signed cert and the supplicant doesn't trust the signature. The client's ca_cert has to be the same one that signed the freeRADIUS server's cert (or you have to disable certificate verification on the client).
    Shelly

  • EAP-TLS problems Windows XP

    We are using Cisco ACS 4.1 for Windows RADIUS server, Windows 2003 PKI, 3750 access switch and Windows XP SP 3 workstations.
    The problem is that users with a user certificate can log in successfully by 802.1x. When a user logs in without a user certificate (but with a computer certificate) no record is written in the ACS log. Windows says that authentication is not ok. But the client keeps the IP address from the successful computer authentication. After a few minutes, the connection is dropped.
    AuthMode is set to 2 in Windows. At first there is computer auth, then user auth takes place. Why does the computer keep the IP address from the successful computer auth? We want to put the computer in the auth-fail VLAN. But that doesn't happen...

    Do you see same issue with SP2 ?
    Here is important information about dot1x configured on XP SP3.
    You cannot connect to an 802.1X wired network after you upgrade to Windows XP Service Pack 3
    http://support.microsoft.com/kb/953650
    Changes to the 802.1X-based wired network connection settings in Windows XP Service Pack 3
    http://support.microsoft.com/kb/949984/
    Regards,
    ~JG

  • EAP-TLS problems with Cisco AP541N and Server 2008 NPS

    Hi,
    I want to use EAP-TLS with my shiny new certificates issued by my new Windows CA, and what happens? Nothing works.
    I don't have a clue what I should do. I try to establish a EAP-TLS connection using my Windows CE mobile device, but my cisco AP541N logs this:
    Oct 18 15:42:58 info hostapd wlan0: STA 00:17:23:xx:xx:xx IEEE 802.1X: Supplicant used different EAP type: 3 (Nak)
    Oct 18 15:42:58 warn hostapd wlan0: STA 00:17:23:xx:xx:xx IEEE 802.1X: authentication failed - identity 'XXXXXX' EAP type: 13 (TLS)
    Oct 18 15:42:58 info hostapd The wireless client with MAC address 00:17:23:xx:xx:xx had an authentication failure.
    NPS logs this:
    Name der Verbindungsanforderungsrichtlinie: Sichere Drahtlosverbindungen 2
    Netzwerkrichtlinienname: XXXXXX
    Authentifizierungsanbieter: Windows
    Authentifizierungsserver: XXXXX
    Authentifizierungstyp: EAP
    EAP-Typ: -
    Kontositzungs-ID: -
    Protokollierungsergebnisse: Die Kontoinformationen wurden in die lokale Protokolldatei geschrieben.
    Ursachencode: 22
    Ursache: Der Client konnte nicht authentifiziert werden, da der angegebene EAP (Extensible Authentication-Protokoll)-Typ vom Server nicht verarbeitet werden kann.
    I'm sorry it's german, but the gist is: The server can't process the authentication with the specified EAP type, which should be EAP-TLS.
    I think the NAK answer in my cisco AP logs is the problem. Well, not the problem, since it is the standard procedure in the EAP request / challenge, I think, but somebody messes up with it.
    Did anybody encounter something like this before? Or just knows what to do?
    Thanks in advance
    Lenni

    Joe:
    Having NPS, you have the options to configure PEAP-MSCHAPv2 or EAP-TLS.
    EAP-TLS: mandates a certificate on the server as well as a certificate on every single machine for authentication purposes.
    PEAP-MSCHAPv2: mandates a certificate on the server only. Users connecting to the wireless network must trust the certificate (or, user devices can be configured to escape this trust and connect even if the server cert is not trusted).
    For PEAP-MSCHAPv2, your options are:
    - Buy a certificate for the server from a trusted party (Verisign for example [which was bought later by Symantec]). This way all devices will - by default - trust the server's cert.
    - Install local CA. Install a cert on the server and then push the root CA cert for your CA to all client device so they trust this issuer.
    - If both options above are not valid for you, what you can do is to configure every single client to ignore the untrusted cert and proceed with the connection. (This is a security concern though. Not recommended unless really needed).
    You must get a cert on the server and all clients must trust that certificate's issuer. Otherwise you'll not be able to use PEAP.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"
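    The Nak exchange in the AP541N log above (and the ACS "EAP type not configured" failure in the earlier thread), as an added example that is not part of these posts or of any Cisco, hostapd or NPS code: a minimal RFC 3748 EAP codec plus a simulated authenticator/supplicant method negotiation, showing why a server configured only for PEAP fails a client that will only do EAP-TLS. The identity string and the `allowed`/`supported` lists are constructed inputs.

```python
import struct

# EAP codes and the method types seen in this thread (RFC 3748 / IANA registry).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_TLS, TYPE_LEAP, TYPE_PEAP = 1, 3, 13, 17, 25
TYPE_NAMES = {1: "Identity", 3: "Nak", 13: "TLS", 17: "LEAP", 25: "PEAP"}


def build_eap(code, identifier, eap_type=None, data=b""):
    """Encode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt):
    """Decode an EAP packet, rejecting truncated or length-inconsistent input."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return {"code": code, "id": identifier, "type": None, "data": b""}
    if length < 5:
        raise ValueError("Request/Response without a Type octet")
    return {"code": code, "id": identifier, "type": pkt[4], "data": pkt[5:]}


def nak_desired_types(data):
    """RFC 3748 5.3.1: a Nak lists the types the peer would accept; 0 means none."""
    return [t for t in data if t != 0]


def supplicant_reply(request, supported, identity):
    """Supplicant side: answer one EAP Request (bytes in, bytes out)."""
    req = parse_eap(request)
    if req["code"] != EAP_REQUEST:
        raise ValueError("supplicant only answers Requests")
    if req["type"] == TYPE_IDENTITY:
        return build_eap(EAP_RESPONSE, req["id"], TYPE_IDENTITY, identity.encode())
    if req["type"] in supported:
        # Method accepted. A real reply carries method data (for TLS, the
        # ClientHello); an empty payload stands in for it in this simulation.
        return build_eap(EAP_RESPONSE, req["id"], req["type"])
    # Not supported: legacy Nak naming the types we do support (or a lone 0).
    return build_eap(EAP_RESPONSE, req["id"], TYPE_NAK, bytes(list(supported)) or b"\x00")


def authenticator_run(allowed, supported, identity="user"):
    """Authenticator side: identity exchange, then method selection.

    `allowed` lists the server's configured EAP types, preferred first.
    Returns the outcome, the agreed type (or None) and a hostapd-style log.
    The selected method's own exchange (e.g. the TLS handshake) is out of scope.
    """
    log = []
    ident = 1
    rsp = parse_eap(supplicant_reply(build_eap(EAP_REQUEST, ident, TYPE_IDENTITY),
                                     supported, identity))
    peer = rsp["data"].decode("utf-8", "replace")
    candidates = list(allowed)
    rejected = set()
    while candidates:
        offer = candidates.pop(0)
        ident += 1
        rsp = parse_eap(supplicant_reply(build_eap(EAP_REQUEST, ident, offer),
                                         supported, identity))
        if rsp["code"] != EAP_RESPONSE or rsp["id"] != ident:
            break  # identifier mismatch: treat like a lost or duplicated reply
        if rsp["type"] == offer:
            log.append(f"EAP type {offer} ({TYPE_NAMES.get(offer, '?')}) accepted")
            return {"result": "method-started", "eap_type": offer, "log": log}
        if rsp["type"] != TYPE_NAK:
            break
        wanted = nak_desired_types(rsp["data"])
        log.append(f"Supplicant used different EAP type: 3 (Nak), wants {wanted}")
        rejected.add(offer)
        # Re-offer only types the peer asked for AND the server is configured
        # for, never one the peer has already rejected.
        candidates = [t for t in wanted if t in allowed and t not in rejected]
    # Nothing in common: the NPS reason-code-22 / ACS "EAP type not configured" case.
    log.append(f"authentication failed - identity '{peer}' EAP type not configured")
    return {"result": "failure", "eap_type": None, "log": log}
```

    Running `authenticator_run([TYPE_PEAP], [TYPE_TLS])` reproduces the thread's outcome; adding TYPE_TLS to the server's `allowed` list is what lets the Nak lead to a successful re-offer.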

  • Guest WLAN Web Auth problem

    Was just wondering whether anyone else had seen this problem as it is defeating TAC right now…
    We have a number of 4402 WLCs on various sites and another one in a DMZ acting as an anchor controller for the guest network. We’re using just the basic web auth built into the WLC for access out on to the Internet for visiting third parties. All the EOIP stuff is setup and working and all clients can associate and get an IP address.
    All clients get redirected to the authentication page and all clients appear to authenticate successfully. With the exception of a few clients, at this stage most get stuck and cannot browse the web; the pages just time out. All other Internet traffic (SSH, TELNET, SMTP, ICMP) works fine once authenticated , just not HTTP/HTTPS.
    We have upgraded the WLCs to the latest code on the advice of TAC (6.0.196) but this made no difference. The problem seems to happen on all OSs (Mac, XP, Vista, Windows 7, Ubuntu, iPhone) and all browsers (IE6, IE7, IE8, Safari, Firefox, Chrome). We have tried upgrading drivers and changing browser settings, but nothing seems to help. We have working XP laptops and non-working XP laptops; it just doesn't make any sense.
    The attached packet capture shows a non-working laptop and the only thing I noticed was very large window sizes (512k) which seems a bit odd.
    Any ideas?
    Thanks

    hi there
    apparently i have a fix for the issue, it has just been tested for over 8 hours and my computer running wireless on windows 7 never disconnected anymore (and i don't have either quick 1 second hangs anymore)....HOW????? it was the wireless driver!!
    my computer has an Atheros 928x wireless card and i was running version 8.0.0... (can't remember the exact version) which as far as i know was the version bundled with the original installation although i don't remember if i had an update from somewhere else... anyway. i did this:
    1. went to device manager, clicked on the wireless card, clicked delete, then confirm with the box about deletion of the software connected with the device.... then clicked on "scan for hardware changes" - in theory i wanted to update the driver with another .exe i downloaded but i thought let's give it a go... and long story short, win 7 found in "his" files another suitable driver, probably the "generic" one, but nevertheless works as a charm, driver version is 2.0.0.74, driver date 09/06/2009, driver provider: microsoft, digital signer: microsoft windows, driver name : Atheros AR928X Wireless Network Adapter.
    if you need more info about the driver let me know!
    gabrio

  • MMP Client Certificate Auth problem

    Hi, All!
    I can't configure client cert auth through MMP. I'm using the most recent release of communicationsuite (7u2).
    Proxy auth for clear imap using admin settings like StoreAdmin and StoreAdminPass works well.
    MMP for unencrypted IMAP works well too.
    However MMP for client certificate auth does not work.
    I see the following message in the log
    [19/Dec/2011:11:27:43 +0400] sf240 ImapProxy[1688]: General Alert: dmap_locate_basedn called with baseDN uid=monakhv, ou=people, o=dvatest.ot,o=isp
    [19/Dec/2011:11:27:43 +0400] sf240 ImapProxy[1688]: General Debug: (id 554) User '[email protected]' replay user '[email protected]'
    [19/Dec/2011:11:27:43 +0400] sf240 ImapProxy[1688]: General Error: (id 554) Proxy authentication invalid admin '[email protected]', login as '[email protected]'
    I would appreciate any ideas to recover it.
    Regards, Monk.

    cnewman wrote:
    For the MMP, the MMP's StoreAdmin setting has to exactly match the administrative user. The log error you see:
    [19/Dec/2011:11:27:43 +0400] sf240 ImapProxy[1688]: General Error: (id 554) Proxy authentication invalid admin '[email protected]', login as '[email protected]'
    indicates that the value of the MMP's StoreAdmin setting is something other than '[email protected]', so the request for proxy authentication is denied.
    It seems odd that the authentication id and the authorization id are identical in this case, but I'd have to see the actual AUTH EXTERNAL protocol as well as your StoreAdmin setting to explain further.

    This is from my ImapProxyAService.cfg
    default:StoreAdmin admin
    default:StoreAdminPass enz.ZIM137
    This is a really strange message for me. Some experiments with a mail client (Thunderbird) show that
    one '[email protected]' comes from the user SSL certificate email field which is used for auth, and the other '[email protected]' comes from
    the user name field in the Thunderbird server settings.
    Maybe the problem is in the mail client configuration?
    Anyway, I do not want to provide the admin's certificate and password to users!
    Is it possible to configure MMP authorization using the user's SSL certificate?
    How can I get the AUTH EXTERNAL protocol?

  • CE565/CE7325 with MS LDAP Auth - Problem

    Once again it seems I am the first one to use a new product. I have a CE565 that I am trying to get to work with MS LDAP. Anyone had any luck doing this? Cisco TAC is having a difficult time tracking down the problem.
    ce565#sho ldap
    LDAP Configuration:
    LDAP Authentication is enabled
    Allow mode: disabled
    Base DN: DC=domain,DC=com
    Filter: <none>
    Retransmits: 2
    Timeout: 5 seconds
    UID Attribute: uid
    Group Attribute: memberOf
    Administrative DN: <none>
    Administrative Password: <none>
    LDAP version: 3
    LDAP port: 389
    Server Status
    192.168.99.7 primary
    <none> secondary
    ce565#debug authe http
    Apr 24 22:44:56 ce565 http_authmod: pam_sm_authenticate:2498 ***pam_ldap: Begin
    Apr 24 22:44:56 ce565 http_authmod: pam_sm_authenticate:2502 *** pam_ldap: Got username ralldread
    Apr 24 22:44:56 ce565 http_authmod: _pam_ldap_get_session:1977 *** pam_ldap: Begin
    Apr 24 22:44:56 ce565 http_authmod: _read_config:570 ***pam_ldap: Reading configuration
    Apr 24 22:44:56 ce565 http_authmod: ldap_server_validate:1928 ***pam_ldap: === Host[0] 192.168.99.7 ===
    Apr 24 22:44:56 ce565 http_authmod: ldap_server_isalive:1851 ***pam_ldap: Connecting...
    Apr 24 22:44:56 ce565 http_authmod: ldap_server_isalive:1867 ***pam_ldap: Socket timeout 5
    Apr 24 22:44:56 ce565 http_authmod: ldap_server_isalive:1891 ***pam_ldap: Connected to 192.168.99.7
    Apr 24 22:44:56 ce565 http_authmod: ldap_server_validate:1948 ***pam_ldap: ServerAlive [1] (up=1, down=0)
    Apr 24 22:44:56 ce565 http_authmod: pam_sm_authenticate:2508 *** pam_ldap: Got session
    Apr 24 22:44:56 ce565 http_authmod: pam_sm_authenticate:2519 *** pam_ldap: Do authentication
    Apr 24 22:44:56 ce565 http_authmod: _get_user_info:1672 *** pam_ldap: Begin user ralldread
    Apr 24 22:44:56 ce565 http_authmod: _connect_anonymously:1059 *** pam_ldap: Host 192.168.99.7
    Apr 24 22:44:56 ce565 http_authmod: _connect_anonymously:1063 *** pam_ldap: Open session
    Apr 24 22:44:56 ce565 http_authmod: _open_session:927 *** pam_ldap: Begin
    Apr 24 22:44:56 ce565 http_authmod: _connect_anonymously:1074 *** pam_ldap: Binding...
    Apr 24 22:44:56 ce565 http_authmod: _get_user_info:1676 *** pam_ldap: Connected anonymously
    Apr 24 22:44:56 ce565 http_authmod: _get_user_info:1699 *** pam_ldap: Filter (uid=ralldread)
    Apr 24 22:44:56 ce565 http_authmod: pam_sm_authenticate:2522 *** pam_ldap: Done authentication FAILURE
    Any thoughts?

    I got it working. I did 2 things. One, I rebuilt the server to make sure Active Directory was working correctly. Two, I changed the DC=domain to be dc=domain. I haven't had a chance to test which one actually fixed it, but here is the config that I am using.
    ce565#sho run
    device mode content-engine
    hostname ce565
    http authentication header 407
    http authentication cache timeout 1
    http authentication cache max-entries 32000
    http proxy incoming 8888
    clock timezone EST -5 0
    ip domain-name demodomain
    https proxy incoming 8888
    interface GigabitEthernet 1/0
    ip address 10.10.220.71 255.255.255.0
    exit
    interface GigabitEthernet 2/0
    shutdown
    exit
    ip default-gateway 10.10.220.1
    primary-interface GigabitEthernet 1/0
    no auto-register enable
    ip name-server 10.10.220.80
    pre-load enable
    pre-load depth-level-default 2
    pre-load resume
    pre-load traverse-other-domains
    pre-load url-list-file ftp://ftpuser:[email protected]/ce-preload.txt
    transaction-logs enable
    transaction-logs log-windows-domain
    transaction-logs archive interval every-hour every 10
    transaction-logs sanitize
    transaction-logs export enable
    transaction-logs export interval every-hour every 10
    transaction-logs export ftp-server 10.10.220.80 ftpuser ftpuser /
    transaction-logs format extended-squid
    username admin password 1 bVmDmMMmZAPjY
    username admin privilege 15
    ldap server base "dc=demodomain"
    ldap server userid-attribute cn
    ldap server host 10.10.220.80 primary
    ldap server administrative-dn "cn=administrator,cn=users,dc=demodomain"
    ldap server administrative-passwd ****
    ldap server active-directory-group enable
    ldap server version 3
    ldap server enable
    authentication login local enable primary
    authentication configuration local enable primary
    url-filter http smartfilter enable
    cdm ip 10.10.220.70
    cms enable
