LDAP Group Authentication Fails

Unanswered Question

Hi All,

I've just installed a new WSA S650 with AsyncOS 5.6.0-623. We have enabled group authentication with LDAP using an Active Directory W2K3, and we are facing a strange issue: randomly, users are not being matched to their AD group, so the Default Policy matches and blocks access to all categories by default.

This is an authentication log for the same user at different times; in the second one the user wasn't able to surf. No changes were made on AD.

25/Mar/2009:20:02:31 -0600 DEBUG : PROX_AUTH : - : Auth Req: user=marisela.coutino
25/Mar/2009:20:02:32 -0600 DEBUG : PROX_AUTH : - : Auth Res: OK 2 internet_autenticados internet_directores rro,DC=com,DC=mx

25/Mar/2009:19:48:37 -0600 DEBUG : PROX_AUTH : - : Auth Req: user=marisela.coutino
25/Mar/2009:19:48:37 -0600 DEBUG : PROX_AUTH : - : Auth Res: OK


When I perform a policy trace, all groups are shown for this user. Do you have any idea? Should I perform an update?

We had the same issue with another customer and it was solved using AsyncOS 5.2. Is it possible to perform a downgrade from 5.6 to 5.2?

Thank you in advance for your help.

ravmadir (Cisco Employee) Thu, 03/26/2009 - 10:01

The authentication process is completely redone and handled in a much better way in version 5.6 compared to prior versions. In fact, it would be a good idea to upgrade to the latest version available, 5.6.4-013.

You can use the "testauthconfig" CLI command to test the authentication settings defined for an LDAP realm. If you do not see success on all the test parameters, there is something wrong in the way authentication is configured. Most importantly, this test will confirm whether the WSA is able to fetch group information from the AD server.

Hi Satish,

I ran "testauthconfig" and all seems to be OK, but I still have problems since sometimes groups are not fetched. As a workaround I have to add single users to the access policy.

This is the testauthconfig output:


Checking DNS resolution of WSA hostname(s)...
Success: Resolved 'wsa.ironports.fahorro.com.mx' address: 64.40.103.249

Checking DNS resolution of LDAP Server(s)...
Success: Resolved '172.20.33.82' address: 172.20.33.82
Success: Resolved '172.20.33.81' address: 172.20.33.81

Checking connectivity of LDAP Server(s)...
Success: Server '172.20.33.82' responding to queries on port 3268.
Success: Server '172.20.33.81' responding to queries on port 3268.

Checking the type of LDAP Server(s)...
Success: Able to query server information from '172.20.33.82'
Success: Able to query server information from '172.20.33.81'

Checking if Referrals are enabled...
Success: Referral option is disabled.

Attempting to fetch user information...
Success: Able to query for User Information from server '172.20.33.82'.Number of users exceeds 1000 or the server size limit.
Success: Able to query for User Information from server '172.20.33.81'.Number of users exceeds 1000 or the server size limit.

Attempting to fetch group information...
Success: Able to query for Group Information from server '172.20.33.82'.Number of groups fetched: 121.
Success: Able to query for Group Information from server '172.20.33.81'.Number of groups fetched: 121.
LDAP test complete

Is there any tool or troubleshooting available in order to find out what's happening?
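One way to triage the symptom shown in the two PROX_AUTH excerpts above (same user, one "Auth Res: OK" carrying groups and one bare "Auth Res: OK") is to pair each Auth Req with its Auth Res and flag users whose successful authentications sometimes come back without any groups. This is an added example, not a Cisco tool or anything from the thread; the sample lines are constructed after the quoted log format, and it assumes the integer after "OK" is the number of groups returned.

```python
import re
from typing import Dict, List

# Constructed sample lines modelled on the WSA PROX_AUTH entries quoted in the thread
# (the truncated DN fragment at the end of the original line is left out).
SAMPLE_LOG = """\
25/Mar/2009:20:02:31 -0600 DEBUG : PROX_AUTH : - : Auth Req: user=marisela.coutino
25/Mar/2009:20:02:32 -0600 DEBUG : PROX_AUTH : - : Auth Res: OK 2 internet_autenticados internet_directores
25/Mar/2009:19:48:37 -0600 DEBUG : PROX_AUTH : - : Auth Req: user=marisela.coutino
25/Mar/2009:19:48:37 -0600 DEBUG : PROX_AUTH : - : Auth Res: OK
"""

REQ = re.compile(r"^(?P<ts>\S+ [+-]\d{4}) DEBUG : PROX_AUTH : - : Auth Req: user=(?P<user>\S+)$")
# Assumption: "OK <n> <group> <group> ..." where <n> is the group count; a bare "OK" means no groups.
RES = re.compile(r"^(?P<ts>\S+ [+-]\d{4}) DEBUG : PROX_AUTH : - : Auth Res: (?P<status>\S+)"
                 r"(?: (?P<ngroups>\d+)(?P<groups>(?: \S+)*))?$")


def parse_auth_log(text: str) -> List[dict]:
    """Pair each Auth Req with the next Auth Res and return one record per pair."""
    events: List[dict] = []
    pending_user = None
    for line in text.splitlines():
        m = REQ.match(line)
        if m:
            pending_user = m.group("user")
            continue
        m = RES.match(line)
        if m and pending_user is not None:
            groups = (m.group("groups") or "").split()
            claimed = int(m.group("ngroups")) if m.group("ngroups") else 0
            events.append({"ts": m.group("ts"), "user": pending_user, "status": m.group("status"),
                           "groups": groups, "count_consistent": claimed == len(groups)})
            pending_user = None
    return events


def find_intermittent_group_loss(events: List[dict]) -> Dict[str, dict]:
    """Users whose OK responses sometimes carry groups and sometimes carry none."""
    summary: Dict[str, dict] = {}
    for e in events:
        if e["status"] != "OK":
            continue  # outright failures are a different problem than silent group loss
        s = summary.setdefault(e["user"], {"with_groups": 0, "without_groups": 0, "groups_seen": set()})
        if e["groups"]:
            s["with_groups"] += 1
            s["groups_seen"].update(e["groups"])
        else:
            s["without_groups"] += 1
    return {u: s for u, s in summary.items() if s["with_groups"] and s["without_groups"]}


if __name__ == "__main__":
    for user, s in find_intermittent_group_loss(parse_auth_log(SAMPLE_LOG)).items():
        print(f"{user}: {s['without_groups']} group-less OK of {s['with_groups'] + s['without_groups']}; "
              f"groups normally seen: {sorted(s['groups_seen'])}")
```

Any user listed by the second function authenticated fine but was left to fall through to the Default Policy on some requests, which is exactly the access pattern described in the first post.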

jowolfer Fri, 03/27/2009 - 15:53
The group query is succeeding. I think the best thing to do would be to file a support ticket so we can analyze the exact settings and LDAP responses.
