ASA 5510. MS-ADS and password management

Sep 15th, 2009
Hello,


I've an ASA 5510 configured with WebVPN and authentication against an MS-ADS server (Windows 2003). Authentication is working perfectly, but password management doesn't work correctly.

If the user's password expires in 14 days, he gets a password-change dialog. He can click cancel and gets a "Login failed", although the password isn't expired. If he enters a new password, he always gets an error saying the password doesn't match the password policy, even if I disable the password policy in ADS completely.

Here is a bit of debugging info:


[88] Session Start
[88] New request Session, context 0xd7d24220, reqType = Modify Password
[88] Fiber started
[88] Creating LDAP context with uri=ldaps://msads:636
[88] Connect to LDAP server: ldaps://msads:636, status = Successful
[88] supportedLDAPVersion: value = 3
[88] supportedLDAPVersion: value = 2
[88] Binding as asa
[88] Performing Simple authentication for asalookup to msads
[88] LDAP Search:
        Base DN = [ou=Mitarbeiter,dc=rp]
        Filter  = [sAMAccountName=testuser]
        Scope   = [SUBTREE]
[88] User DN = [CN=testuser,OU=Mitarbeiter,DC=rp]
[88] Talking to Active Directory server msads
[88] Reading password policy for testuser, dn:CN=testuser,OU=Mitarbeiter,DC=rp
[88] Read bad password count 0
[88] Fiber exit Tx=809 bytes Rx=10792 bytes, status=-1
[88] Session End


I also tried giving the user administrator permissions, but it doesn't help.

Any further ideas?


regards,
tom

Yudong Wu Tue, 09/15/2009 - 09:48

ASA version?

related config?

seibertmedia Tue, 09/15/2009 - 23:55
fw01# show version

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"

fw01 up 5 days 15 hours

Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 0022.909d.xxxx, irq 9
1: Ext: Ethernet0/1 : address is 0022.909d.xxxx, irq 9
2: Ext: Ethernet0/2 : address is 0022.909d.xxxx, irq 9
3: Ext: Ethernet0/3 : address is 0022.909d.xxxx, irq 9
4: Ext: Management0/0 : address is 0022.909d.xxxx, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 10
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled

This platform has an ASA 5510 Security Plus license.



And here are some relevant config snippets:



tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group ads LOCAL
 default-group-policy smedia-default
 password-management
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 customization smedia
tunnel-group testwizard type remote-access
tunnel-group testwizard general-attributes
 authentication-server-group ads
 authentication-server-group (Proxy) ads
 authorization-server-group ads
 default-group-policy testgrouppolicy
 password-management
 authorization-required

tunnel-group smedia type remote-access
tunnel-group smedia general-attributes
 address-pool smedia
 authentication-server-group ads LOCAL
 default-group-policy smedia
 password-management
tunnel-group smedia webvpn-attributes
 proxy-auth sdi
 group-alias smedia enable

group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 60
 vpn-session-timeout 1440
 vpn-tunnel-protocol IPSec webvpn
 group-lock value DefaultWEBVPNGroup
 webvpn
  url-list value smedia-default
  filter value smedia-default
  http-proxy enable
  customization value smedia
  activex-relay disable
  file-entry disable
  file-browsing disable

group-policy smedia internal
group-policy smedia attributes
 dns-server value 192.168.0.3
 vpn-tunnel-protocol IPSec webvpn
 group-lock value smedia
 webvpn
  customization value smedia

aaa-server ads protocol ldap
aaa-server ads (internal) host msads
 server-port 636
 ldap-base-dn ou=Mitarbeiter,DC=rp
 ldap-group-base-dn OU=Sicherheitsgruppen,DC=rp
 ldap-scope subtree
 ldap-login-password xxx
 ldap-login-dn CN=asa,OU=Extern,OU=Mitarbeiter,DC=rp
 ldap-over-ssl enable
 server-type microsoft




Yudong Wu Wed, 09/16/2009 - 13:19

Not sure if it is a bug. I did a quick search but did not find one.

You might open a TAC case with "debug ldap 255" for further investigation.

shoffarth Fri, 09/24/2010 - 08:50
Did you find a resolution to this issue? I'm configuring an ASA 5510 for the first time and experiencing the same problem.


Thank you!



Edit: In my case the problem was related to the AD account I was using for authentication; it was a read only account.  The account needs the ability to change passwords.
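Tom's debug output and shoffarth's edit point at the same thing: the ASA performs the password change under its own ldap-login-dn bind account, so that account's rights on the user object decide whether the change succeeds. The following is an added example, not code from the thread or from Cisco, that parses a constructed "debug ldap" sample modelled on the lines above and flags Modify Password sessions that exit with a non-zero status; the hint that AD password management requires LDAP over SSL is taken from Cisco's ASA documentation, and the field names are my own.

```python
import re

# Constructed sample, modelled on the "debug ldap" lines quoted in the thread
SAMPLE_DEBUG = """\
[88] New request Session, context 0xd7d24220, reqType = Modify Password
[88] Creating LDAP context with uri=ldaps://msads:636
[88] Binding as asa
[88] User DN = [CN=testuser,OU=Mitarbeiter,DC=rp]
[88] Reading password policy for testuser, dn:CN=testuser,OU=Mitarbeiter,DC=rp
[88] Fiber exit Tx=809 bytes Rx=10792 bytes, status=-1
[88] Session End
"""

LINE_RE = re.compile(r"^\[(\d+)\]\s+(.*)$")

def parse_ldap_debug(text):
    # Group lines by the bracketed session id and keep the fields that matter for
    # a password-change failure: request type, bind identity, user DN, URI, status.
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sid, msg = m.groups()
        s = sessions.setdefault(sid, {"id": sid, "req_type": None, "bind_as": None,
                                      "user_dn": None, "uri": None, "status": None})
        if "reqType = " in msg:
            s["req_type"] = msg.split("reqType = ", 1)[1].strip()
        elif msg.startswith("Creating LDAP context with uri="):
            s["uri"] = msg.split("uri=", 1)[1].strip()
        elif msg.startswith("Binding as "):
            s["bind_as"] = msg[len("Binding as "):].strip()
        elif msg.startswith("User DN = ["):
            s["user_dn"] = msg[len("User DN = ["):].rstrip("]")
        elif msg.startswith("Fiber exit"):
            st = re.search(r"status=(-?\d+)", msg)
            s["status"] = int(st.group(1)) if st else None
    return list(sessions.values())

def failed_password_changes(sessions):
    # A Modify Password session that exits non-zero. The change runs under the
    # ASA's own bind identity (ldap-login-dn), so its AD rights are checked first.
    findings = []
    for s in sessions:
        if s["req_type"] == "Modify Password" and s["status"] not in (None, 0):
            hints = []
            if not (s["uri"] or "").startswith("ldaps://"):
                hints.append("password management against AD requires LDAP over SSL")
            hints.append(f"verify bind account {s['bind_as']!r} may reset the password of {s['user_dn']}")
            findings.append({"session": s["id"], "status": s["status"], "hints": hints})
    return findings
```

Feed it the output of `debug ldap 255` captured during a failed change; a finding with only the bind-account hint matches the situation in this thread, where LDAPS was already in use.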
