ASA 5510. MS-ADS and password management

seibertmedia
Level 1

Hello,

I have an ASA 5510 configured with WebVPN and authentication against an MS-ADS server (Windows 2003). Authentication is working perfectly, but password management doesn't work correctly.

If the user's password expires in 14 days, he gets a password-change dialog. He can click cancel and gets a "Login failed", although the password isn't expired. If he enters a new password, he always gets an error saying the password doesn't match the password policy. This also happens if I disable the password policy in ADS completely.

Here is a bit of debugging info:

[88] Session Start
[88] New request Session, context 0xd7d24220, reqType = Modify Password
[88] Fiber started
[88] Creating LDAP context with uri=ldaps://msads:636
[88] Connect to LDAP server: ldaps://msads:636, status = Successful
[88] supportedLDAPVersion: value = 3
[88] supportedLDAPVersion: value = 2
[88] Binding as asa
[88] Performing Simple authentication for asalookup to msads
[88] LDAP Search:
        Base DN = [ou=Mitarbeiter,dc=rp]
        Filter = [sAMAccountName=testuser]
        Scope = [SUBTREE]
[88] User DN = [CN=testuser,OU=Mitarbeiter,DC=rp]
[88] Talking to Active Directory server msads
[88] Reading password policy for testuser, dn:CN=testuser,OU=Mitarbeiter,DC=rp
[88] Read bad password count 0
[88] Fiber exit Tx=809 bytes Rx=10792 bytes, status=-1
[88] Session End

I also tried giving the user administrator permissions, but it doesn't help.

Any further ideas?

Regards,

tom

4 Replies

Yudong Wu
Level 7

ASA version?

Related config?

fw01# show version
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"
fw01 up 5 days 15 hours
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 0022.909d.xxxx, irq 9
1: Ext: Ethernet0/1 : address is 0022.909d.xxxx, irq 9
2: Ext: Ethernet0/2 : address is 0022.909d.xxxx, irq 9
3: Ext: Ethernet0/3 : address is 0022.909d.xxxx, irq 9
4: Ext: Management0/0 : address is 0022.909d.xxxx, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 10
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5510 Security Plus license.

And here are some relevant config snippets:

tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group ads LOCAL
 default-group-policy smedia-default
 password-management
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 customization smedia
tunnel-group testwizard type remote-access
tunnel-group testwizard general-attributes
 authentication-server-group ads
 authentication-server-group (Proxy) ads
 authorization-server-group ads
 default-group-policy testgrouppolicy
 password-management
 authorization-required
tunnel-group smedia type remote-access
tunnel-group smedia general-attributes
 address-pool smedia
 authentication-server-group ads LOCAL
 default-group-policy smedia
 password-management
tunnel-group smedia webvpn-attributes
 proxy-auth sdi
 group-alias smedia enable
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 60
 vpn-session-timeout 1440
 vpn-tunnel-protocol IPSec webvpn
 group-lock value DefaultWEBVPNGroup
 webvpn
  url-list value smedia-default
  filter value smedia-default
  http-proxy enable
  customization value smedia
  activex-relay disable
  file-entry disable
  file-browsing disable
group-policy smedia internal
group-policy smedia attributes
 dns-server value 192.168.0.3
 vpn-tunnel-protocol IPSec webvpn
 group-lock value smedia
 webvpn
  customization value smedia
aaa-server ads protocol ldap
aaa-server ads (internal) host msads
 server-port 636
 ldap-base-dn ou=Mitarbeiter,DC=rp
 ldap-group-base-dn OU=Sicherheitsgruppen,DC=rp
 ldap-scope subtree
 ldap-login-password xxx
 ldap-login-dn CN=asa,OU=Extern,OU=Mitarbeiter,DC=rp
 ldap-over-ssl enable
 server-type microsoft

Not sure if it is a bug. I did a quick search but did not find one.

You might open a TAC case with "debug ldap 255" for further investigation.

shoffarth
Level 1

Did you find a resolution to this issue? I'm configuring an ASA 5510 for the first time and experiencing the same problem.

Thank you!

Edit: In my case the problem was related to the AD account I was using for authentication; it was a read-only account. The account needs the ability to change passwords.
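The trace from the original post, parsed the way a reviewer would when triaging a case like this one. This is an added Python example, not Cisco code; the sample trace is the thread's own (abridged and re-typed as a constant), and the findings are limited to the two things this thread settled on: the change must go over LDAPS, and the bind account named in "Binding as" must be allowed to reset the user's password.

```python
"""Parse an ASA 'debug ldap' trace of a WebVPN password change and report where the
Modify Password session stopped.  Added example, not Cisco code; sample trace is the thread's."""
import re

SAMPLE_TRACE = """\
[88] Session Start
[88] New request Session, context 0xd7d24220, reqType = Modify Password
[88] Creating LDAP context with uri=ldaps://msads:636
[88] Connect to LDAP server: ldaps://msads:636, status = Successful
[88] Binding as asa
[88] User DN = [CN=testuser,OU=Mitarbeiter,DC=rp]
[88] Reading password policy for testuser, dn:CN=testuser,OU=Mitarbeiter,DC=rp
[88] Read bad password count 0
[88] Fiber exit Tx=809 bytes Rx=10792 bytes, status=-1
[88] Session End
"""

def parse_sessions(trace):
    """Group the trace by session id; keep request type, URI, bind name, steps, exit status."""
    sessions = {}
    for line in trace.splitlines():
        m = re.match(r"\[(\d+)\] (.*)", line)
        if not m:
            continue  # continuation lines (search base/filter/scope) carry no session id
        sid, text = m.groups()
        s = sessions.setdefault(sid, {"steps": [], "status": None})
        s["steps"].append(text)
        if (r := re.search(r"reqType = (.+)$", text)):
            s["request"] = r.group(1)
        elif (r := re.search(r"uri=(\S+)", text)):
            s["uri"] = r.group(1)
        elif (r := re.match(r"Binding as (\S+)", text)):
            s["bind_as"] = r.group(1)
        elif (r := re.search(r"Fiber exit .*status=(-?\d+)", text)):
            s["status"] = int(r.group(1))
            # the step logged just before the fiber died is where to start looking
            s["last_step"] = s["steps"][-2] if len(s["steps"]) > 1 else None
    return sessions

def diagnose(session):
    """Findings for a Modify Password session, limited to what this thread established."""
    if session.get("request") != "Modify Password":
        return ["not a password-change session"]
    if session["status"] == 0:
        return []
    findings = []
    if not session.get("uri", "").startswith("ldaps://"):
        findings.append("AD only accepts unicodePwd changes over TLS: enable ldap-over-ssl, port 636")
    findings.append(f"status={session['status']} after '{session.get('last_step')}': check that bind "
                    f"account '{session.get('bind_as')}' may reset passwords on the user (thread's fix)")
    return findings
```

Run it on a `debug ldap 255` capture of one failed change; a session that dies right after the password-policy read, as here, was a bind-account rights problem in this thread.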
