Configuring ASA for LDAP lookup

Answered Question
Nov 16th, 2009

Hi Guys,

I am trying to set up my ASA 500 to authenticate remote users against our internal Domain Controllers.

I have found a guide on the net which has advised me how to create an AAA Server group which tests out to query the servers fine.

I have then created a Connection profile which uses the new AAA group for authentication.

However, I am a bit confused as the details that need to be entered in to the Cisco VPN client.

I enter the group name and password but get an error in the syslog saying that the tunnel group name is unknown.

Can any one point me in the right direction?

Thanks again

Mario De Rosa

Correct Answer by hdashnau about 7 years 3 weeks ago

Collect the debugs on the ASA:

debug cry isa 127

debug cry ipsec 127

Collect the VPN client logs (set to 3-high for all)

If you see anything about invalid hash there's still a problem with the password you have configured.

Even if you don't see a problem with the hash the above logs should give you an idea why it's failing. Not everything will make sense to someone who doesn't read these all day, but just try to glance them over and see if you see anything that jumps out or compare them to a working set of logs and you should be able to find the problem.

-heather

hdashnau Mon, 11/16/2009 - 07:08

It sounds like you created a new tunnel-group in order to apply the authentication server.

If you are using the IPSec client, you need to click on your profile and hit "modify" and change the group authentication section. The group-name would be the name of the tunnel-group/connection profile on the ASA (show run tunnel) and the group-password would be the pre-shared key that you defined in the tunnel-group/connection profile ipsec-attributes section.

If you are using AnyConnect, you need to enable the group-drop-down list or a group-url in order to get the client to connect using the new tunnel group:

conf t
webvpn
 tunnel-group-list enable
tunnel-group mynewgroup webvpn-attributes
 group-alias mynewgroup enable

-heather

marioderosa2008 Mon, 11/16/2009 - 07:21

Thanks for the reply heather.

I have double checked that I am typing in the group name and pre-shared key correctly. But I am still missing something.

Is there anything you think that I may be missing?

Do you know of any other guides out there that may help me?

Mario

marioderosa2008 Mon, 11/16/2009 - 08:06

Sorted that out now Heather, thanks.

I am now having a slight issue with the firewall not being able to forward a DHCP request to my dhcp server inside my internal LAN.

On the connection profile I have entered the IP address of my internal DHCP server.

I have also set a global DHCP relay server and set the Outside interface to act as a DHCP relay.

Is that right?

When I monitor an incoming VPN connection it advises that there are "no viable DHCP servers found for tunnel group".

Any ideas? I cannot actually tell whether the DHCP relay is working.

Would I have to configure any firewall rules to allow DHCP requests/replies to and from the internal LAN?

Mario

hdashnau Mon, 11/16/2009 - 08:43

Please rate the authentication post answer if it resolved the issue.

This DHCP question should've been posted in a new topic thread so others are able to easily find it if they also need help on the same thing.

About "I have also set a global DHCP relay server and set the Outside interface to act as a DHCP relay. Is that right?"

You should not configure a DHCP relay server for the VPN (please remove it if possible).

The only things needed to get DHCP working for the VPN are:

1) Defining the DHCP server in the group,

2) Making sure that "vpn-addr-assign dhcp" is enabled (show run all | i vpn-addr-assign dhcp), and

3) (optional) Setting up a network-scope in the group-policy on the ASA if you want to assign an address from a particular range on the DHCP server.

Here is more information about DHCP for vpn laid out in a pretty format:

http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K12412196

https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a66bc6.shtml

-heather
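As an added example (not from the thread or from Cisco), here is Heather's DHCP checklist above, plus the AnyConnect group-alias step from her first reply, turned into a small audit script. It parses a "show run all" dump into sections and reports each check; the config it parses is a constructed sample, and the tunnel-group, group-policy, AAA-server and address values in it are made up.

```python
"""Audit an ASA 'show run all' dump for the remote-access VPN settings in this
thread: AnyConnect group-alias, DHCP address assignment, no dhcprelay."""

# Constructed sample config (not from a real device); reflects the thread's
# broken state: dhcprelay is configured alongside the VPN DHCP settings.
SAMPLE_RUN = """\
dhcprelay server 10.1.1.10 inside
dhcprelay enable outside
vpn-addr-assign dhcp
webvpn
 tunnel-group-list enable
group-policy GP-REMOTE attributes
 dhcp-network-scope 10.50.0.0
tunnel-group REMOTE-USERS general-attributes
 authentication-server-group LDAP-DC
 default-group-policy GP-REMOTE
 dhcp-server 10.1.1.10
tunnel-group REMOTE-USERS webvpn-attributes
 group-alias REMOTE-USERS enable
"""


def parse_sections(text):
    """Map each top-level config line to its indented sub-lines (ASA style)."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        elif line.strip():
            current = line.strip()
            sections.setdefault(current, [])
    return sections


def audit_vpn(text, tunnel_group):
    """Return {check: bool} for one tunnel-group, following Heather's checklist."""
    s = parse_sections(text)
    gen = s.get(f"tunnel-group {tunnel_group} general-attributes", [])
    policy = next((ln.split()[1] for ln in gen if ln.startswith("default-group-policy ")), None)
    gp = s.get(f"group-policy {policy} attributes", []) if policy else []
    wa = s.get(f"tunnel-group {tunnel_group} webvpn-attributes", [])
    return {
        "dhcp_server_in_tunnel_group": any(ln.startswith("dhcp-server ") for ln in gen),
        "vpn_addr_assign_dhcp": "vpn-addr-assign dhcp" in s,  # 'no ...' form means off
        "dhcp_network_scope_set": any(ln.startswith("dhcp-network-scope ") for ln in gp),
        "no_dhcprelay_configured": not any(h.startswith("dhcprelay ") for h in s),
        "anyconnect_group_alias": "tunnel-group-list enable" in s.get("webvpn", [])
        and any(ln.startswith("group-alias ") and ln.endswith(" enable") for ln in wa),
    }
```

Call audit_vpn(SAMPLE_RUN, "REMOTE-USERS") to see the sample fail only the dhcprelay check; paste your own "show run all" output in place of SAMPLE_RUN to audit a real box.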

marioderosa2008 Mon, 11/16/2009 - 08:50

Hi Heather,

So,

I have to remove the DHCP relay agent on the outside interface AND the global setting?

I have already defined the internal IP of the DHCP server in the Connection profile, so that's OK.

Is there a way of making the vpn-addr-assign dhcp setting enabled in the ASDM? I do not have telnet access at the moment.

Do I have to set up the network scope on the ASA as well as my internal DHCP server?

Confused or what!!

Sorry.

marioderosa2008 Tue, 11/17/2009 - 08:38

Removing the DHCP relay agent on both the outside interface AND as a global setting has resolved this issue with DHCP addresses not being assigned.

Now I have a problem with the VPN throughput, but that's in another post.

Thanks Heather!
