ASA LDAP authentication ('username or password is blank')

Answered Question
Jan 21st, 2010
Hi folks,

I was hoping someone might be able to suggest what I may be doing wrong here.  My ASA5505 8.2(2)
is configured for remote VPN access using L2TP over IPsec.  Phases 1 and 2 complete correctly but
authentication fails.

When I debug LDAP while trying to establish the VPN, I get this:

[61] Session Start
[61] New request Session, context 0xd82eda50, reqType = Authentication
[61] Fiber started
[61] Failed: The username or password is blank
[61] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[61] Session End
Resetting 172.20.0.3's numtries
ERROR: Invalid password

I don't understand where the 'username or password is blank' error comes from, as neither is blank.
When I test the same server entry using the built-in 'test aaa-server authentication' command it all
works fine!

Some snips of config:

aaa-server x protocol ldap
aaa-server x (inside) host 172.20.0.3
 timeout 5
 server-port 389
 ldap-base-dn dc=x,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=uid,cn=users,dc=x,dc=local

tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 authentication-server-group x
 default-group-policy DefaultRAGroup

Any assistance would be greatly appreciated.

Thanks,

Philip
Dileep Sivadas ... Thu, 01/21/2010 - 23:38

Hi Philip,

Specify the server type in your LDAP config.

e.g. server-type microsoft

Another setting that may help is to specify the interface to which the LDAP server is connected in your tunnel-group setting.

authentication-server-group (interface) ldap-ip-address

The successful authentication debug looks like this:

[10121] Session Start
[10121] New request Session, context 0xd24f87c0, reqType = Authentication
[10121] Fiber started
[10121] Creating LDAP context with uri=ldap://172.50.2.184:389
[10121] Connect to LDAP server: ldap://172.50.2.184:389, status = Successful
[10121] supportedLDAPVersion: value = 3
[10121] supportedLDAPVersion: value = 2
[10121] Binding as administrator
[10121] Performing Simple authentication for administrator to 172.50.2.184
[10121] LDAP Search:
        Base DN = [dc=domain, dc=com]
        Filter  = [sAMAccountName=test]
        Scope   = [SUBTREE]
[10121] User DN = [CN=test,CN=Users,DC=DOMAIN,DC=COM]
[10121] Talking to Active Directory server 172.50.2.184
[10121] Reading password policy for test, dn:CN=test,CN=Users,DC=DOMAIN,DC=COM
[10121] Read bad password count 0
[10121] Binding as test
[10121] Performing Simple authentication for test to 172.50.2.184
[10121] Processing LDAP response for user test
[10121] Message (test):
[10121] Authentication successful for test to 172.50.2.184
[10121] Retrieved User Attributes:
[10121]         objectClass: value = top
[10121]         objectClass: value = test
[10121]         objectClass: value = organizationalPerson
[10121]         objectClass: value = user
[10121]         cn: value = test
[10121]         givenName: value = test
[10121]         distinguishedName: value = CN=test,CN=Users,DC=DOMAIN,DC=COM
[10121]         instanceType: value = 4
[10121]         whenCreated: value = 20071001100525.0Z
[10121]         whenChanged: value = 20071014045721.0Z
[10121]         displayName: value = test
[10121]         uSNCreated: value = 2519419
[10121]         uSNChanged: value = 2519419
[10121]         name: value = test
[10121]         objectGUID: value = C......C.AE...B4
[10121]         userAccountControl: value = 512
[10121]         badPwdCount: value = 0
[10121]         codePage: value = 0
[10121]         countryCode: value = 0
[10121]         badPasswordTime: value = 1290808633452
[10121]         lastLogon: value = 1290861501515234234
[10121]         pwdLastSet: value = 12899712312310
[10121]         primaryGroupID: value = 513
[10121]         objectSid: value = ...............9.u.<6.......
[10121]         accountExpires: value = 922337202321
[10121]         logonCount: value = 633
[10121]         sAMAccountName: value = test
[10121]         sAMAccountType: value = 8053062312
[10121]         userPrincipalName: value = [email protected]
[10121]         objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=DOMAIN,DC=COM
[10121]         dSCorePropagationData: value = 1601010100231200.0Z
[10121] Fiber exit Tx=532 bytes Rx=2305 bytes, status=1
[10121] Session End

Also check whether a VPN ACL is configured on the outside interface.

Dileep

philipplant Fri, 01/22/2010 - 10:06
Thanks for the reply, I've tried your suggestions but unfortunately am still
seeing this problem.  Wireshark on the LDAP server shows normal transactions
when I run the 'test aaa-server' command, but I see no packets arrive on the
LDAP server when I try to establish a VPN.

Here are some more edited highlights from my config.  I'd like to use LDAP
over SSL in due course, but for now it's plaintext to help debugging:

aaa-server x-LDAP protocol ldap
aaa-server x-LDAP (inside) host 172.20.0.1
 timeout 5
 server-port 389
 ldap-base-dn dc=x,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=x,cn=users,dc=x,dc=local
 server-type microsoft
 
crypto ipsec transform-set TRANSPORT_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANSPORT_ESP_3DES_SHA mode transport

crypto map IPSECMap 103 ipsec-isakmp dynamic x-VPN
crypto map IPSECMap interface outside

crypto isakmp policy 119
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 172.20.0.1
 dns-server value 172.20.0.1
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 ipsec-udp enable
 default-domain value x.local
tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 authentication-server-group (outside) x-LDAP
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2

aaa debug output during VPN setup:

Resetting 0.0.0.0's numtries

[14] Session Start
[14] New request Session, context 0xd82edbc0, reqType = Authentication
[14] Fiber started
[14] Failed: The username or password is blank
[14] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[14] Session End
Resetting 172.20.0.1's numtries
ERROR: Invalid password

Any assistance would be gratefully received!

Thanks,

Philip
Correct Answer
Dileep Sivadas ... Fri, 01/22/2010 - 23:44
Philip,

Only PAP authentication is supported if you configure an LDAP server for authentication.

Change authentication to PAP and try.

tunnel-group DefaultRAGroup ppp-attributes
 authentication pap

Check this link:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/l2tp_ips.html

Dileep
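An added triage helper, not part of this thread or of Cisco's tooling: it parses ASA "debug ldap" lines of the kind quoted above, groups them by session id, and flags the pattern seen here (a "username or password is blank" failure with Tx=0, i.e. no packet ever left the ASA, which matches the Wireshark observation). The reason behind the fix is that the ASA binds to LDAP with the user's clear-text password, which PAP supplies and MS-CHAPv2 cannot (it only carries a challenge/response); the PPP exchange itself travels inside the IPsec tunnel. The sample input is constructed from the two sessions posted in this thread.

```python
import re

# Constructed sample in ASA "debug ldap" format: the failing session from this
# thread (MS-CHAPv2 with LDAP) followed by a trimmed copy of the working one.
SAMPLE_DEBUG = """\
[14] Session Start
[14] Failed: The username or password is blank
[14] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[14] Session End
ERROR: Invalid password
[10121] Session Start
[10121] Binding as administrator
[10121] Binding as test
[10121] Authentication successful for test to 172.50.2.184
[10121] Fiber exit Tx=532 bytes Rx=2305 bytes, status=1
[10121] Session End
"""

LINE_RE = re.compile(r"^\[(\d+)\]\s+(.*)$")
EXIT_RE = re.compile(r"Fiber exit Tx=(\d+) bytes Rx=(\d+) bytes, status=(-?\d+)")

def parse_sessions(text):
    """Group debug lines by session id; keep failure text, bound user, exit stats."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Resetting ..." / "ERROR:" lines carry no session id
        sid, msg = int(m.group(1)), m.group(2)
        s = sessions.setdefault(sid, {"failed": None, "user": None,
                                      "tx": None, "rx": None, "status": None})
        if msg.startswith("Failed: "):
            s["failed"] = msg[len("Failed: "):]
        elif msg.startswith("Binding as ") and not msg.endswith("administrator"):
            s["user"] = msg[len("Binding as "):]  # end user, not the login-dn bind
        e = EXIT_RE.search(msg)
        if e:
            s["tx"], s["rx"], s["status"] = (int(x) for x in e.groups())
    return sessions

def diagnose(s):
    """Map one parsed session to the likely cause, in the ASA's own terms."""
    if s["status"] == 1:
        return "ok"
    if s["failed"] and "blank" in s["failed"] and s["tx"] == 0:
        # Nothing was sent: AAA had no clear-text password to bind with,
        # which on L2TP/IPsec means a non-PAP PPP authentication method.
        return "no-cleartext-password: LDAP needs 'authentication pap'"
    if s["tx"] == 0:
        return "server-not-contacted"
    return "rejected-by-server"
```

Run it over the output of "debug ldap 255" captured during a VPN attempt; a session that fails with Tx=0 never reached the directory, so packet captures on the LDAP server will show nothing, exactly as reported above.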
