ASA LDAP authentication ('username or password is blank')

philipplant
Level 1
Hi folks,

I was hoping someone might be able to suggest what I may be doing wrong here.  My ASA5505 8.2(2)
is configured for remote VPN access using L2TP over IPsec.  Phases 1 and 2 complete correctly but
authentication fails.

When I debug LDAP while trying to establish the VPN, I get this:

[61] Session Start
[61] New request Session, context 0xd82eda50, reqType = Authentication
[61] Fiber started
[61] Failed: The username or password is blank
[61] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[61] Session End
Resetting 172.20.0.3's numtries
ERROR: Invalid password

I don't understand where the 'username or password is blank' error comes from, as neither is blank.
When I test the same server entry using the built-in 'test aaa-server authentication' command it all
works fine!

Some snips of config:

aaa-server x protocol ldap
aaa-server x (inside) host 172.20.0.3
 timeout 5
 server-port 389
 ldap-base-dn dc=x,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=uid,cn=users,dc=x,dc=local

tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 authentication-server-group x
 default-group-policy DefaultRAGroup

Any assistance would be greatly appreciated.

Thanks,

Philip
Accepted Solution

Philip,

Only PAP authentication is supported if you configure LDAP server for authentication.

Change authentication to PAP and try.

tunnel-group DefaultRAGroup ppp-attributes
authentication pap

Check this Link

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/l2tp_ips.html



Dileep
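Why PAP is the answer: with an LDAP server group the ASA authenticates the VPN user by locating the DN with the login-dn account and then performing an LDAP simple bind with the user's own password (the "Binding as test" step in the successful debug below). PAP hands the ASA that password; CHAP and MS-CHAP hand it only a challenge response, which cannot be turned into a simple bind, so the LDAP code path sees no password and reports it as blank. The cost of PAP is on the other side of the box: the PAP exchange itself is protected by the IPsec transport SA, but the simple bind on port 389 carries the same password in the clear on the inside segment between the ASA and AD until `ldap-over-ssl enable` with `server-port 636` is set on the aaa-server host. The following encoder/decoder is an added example, not code from the thread or from Cisco. It builds an RFC 4511 BindRequest in BER exactly as it appears on the wire and reads the DN and password back out of it, which is what anyone capturing that leg can do. The DN, password and message IDs are constructed sample values.

```python
"""Build and dissect an LDAPv3 simple BindRequest (RFC 4511) in BER.

Added example, not from the original thread. It shows the message an LDAP
client such as the ASA sends when it authenticates a user with a simple
bind: the DN and password travel as plain OCTET STRINGs, so on port 389
without TLS they are readable by anyone on the path between ASA and AD.
The DN and password used below are constructed sample values.
"""

# --- BER primitives -------------------------------------------------------

def _ber_len(n: int) -> bytes:
    """Definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(v: int) -> bytes:
    """INTEGER in minimal two's-complement encoding."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True)
    return _tlv(0x02, body)


def _read_tlv(buf: bytes, pos: int) -> tuple:
    """Return (tag, value, position after this element)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

# --- LDAP BindRequest -----------------------------------------------------

TAG_SEQUENCE = 0x30      # LDAPMessage
TAG_BIND_REQUEST = 0x60  # [APPLICATION 0] constructed
TAG_SIMPLE_AUTH = 0x80   # AuthenticationChoice [0] simple OCTET STRING


def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }."""
    bind = _tlv(TAG_BIND_REQUEST,
                _ber_int(3)
                + _tlv(0x04, dn.encode("utf-8"))
                + _tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")))
    return _tlv(TAG_SEQUENCE, _ber_int(message_id) + bind)


def decode_simple_bind(packet: bytes) -> dict:
    """Recover messageID, version, DN and password from a captured bind.

    Raises ValueError for anything that is not a simple bind, e.g. a SASL
    bind, whose credential field does not carry a reusable cleartext password.
    """
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, ver, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    tag, cred, _ = _read_tlv(bind, pos)
    if tag != TAG_SIMPLE_AUTH:
        raise ValueError("not a simple bind; no cleartext password present")
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(ver, "big", signed=True),
        "dn": name.decode("utf-8"),
        "password": cred.decode("utf-8"),
    }


def password_visible_on_wire(packet: bytes, password: str) -> bool:
    """True when the password bytes appear verbatim in the packet."""
    return password.encode("utf-8") in packet


if __name__ == "__main__":
    # Constructed sample credential; the DN mirrors the naming in this thread.
    pkt = encode_simple_bind(2, "cn=test,cn=users,dc=x,dc=local", "S3cret!")
    print(pkt.hex())
    print(decode_simple_bind(pkt))
```

`password_visible_on_wire` is the whole argument for LDAPS in two lines: the bind is exactly what a capture on the AD host sees, and every VPN user's password passes through it.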


4 Replies

Hi Philip,

Specify the server type in your LDAP config.

e.g. server-type microsoft

Another setting that may help is to specify the interface to which the LDAP server is connected in your tunnel-group setting.

authentication-server-group (interface) ldap-ip-address


The successful authentication debug looks like this:

[10121] Session Start
[10121] New request Session, context 0xd24f87c0, reqType = Authentication
[10121] Fiber started
[10121] Creating LDAP context with uri=ldap://172.50.2.184:389
[10121] Connect to LDAP server: ldap://172.50.2.184:389, status = Successful
[10121] supportedLDAPVersion: value = 3
[10121] supportedLDAPVersion: value = 2
[10121] Binding as administrator
[10121] Performing Simple authentication for administrator to 172.50.2.184
[10121] LDAP Search:
        Base DN = [dc=domain, dc=com]
        Filter  = [sAMAccountName=test]
        Scope   = [SUBTREE]
[10121] User DN = [CN=test,CN=Users,DC=DOMAIN,DC=COM]
[10121] Talking to Active Directory server 172.50.2.184
[10121] Reading password policy for test, dn:CN=test,CN=Users,DC=DOMAIN,DC=COM
[10121] Read bad password count 0
[10121] Binding as test
[10121] Performing Simple authentication for test to 172.50.2.184
[10121] Processing LDAP response for user test
[10121] Message (test):
[10121] Authentication successful for test to 172.50.2.184
[10121] Retrieved User Attributes:
[10121]         objectClass: value = top
[10121]         objectClass: value = test
[10121]         objectClass: value = organizationalPerson
[10121]         objectClass: value = user
[10121]         cn: value = test
[10121]         givenName: value = test
[10121]         distinguishedName: value = CN=test,CN=Users,DC=DOMAIN,DC=COM
[10121]         instanceType: value = 4
[10121]         whenCreated: value = 20071001100525.0Z
[10121]         whenChanged: value = 20071014045721.0Z
[10121]         displayName: value = test
[10121]         uSNCreated: value = 2519419
[10121]         uSNChanged: value = 2519419
[10121]         name: value = test
[10121]         objectGUID: value = C......C.AE...B4
[10121]         userAccountControl: value = 512
[10121]         badPwdCount: value = 0
[10121]         codePage: value = 0
[10121]         countryCode: value = 0
[10121]         badPasswordTime: value = 1290808633452
[10121]         lastLogon: value = 1290861501515234234
[10121]         pwdLastSet: value = 12899712312310
[10121]         primaryGroupID: value = 513
[10121]         objectSid: value = ...............9.u.<6.......
[10121]         accountExpires: value = 922337202321
[10121]         logonCount: value = 633
[10121]         sAMAccountName: value = test
[10121]         sAMAccountType: value = 8053062312
[10121]         userPrincipalName: value = test@domain.COM
[10121]         objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=DOMAIN,DC=COM
[10121]         dSCorePropagationData: value = 1601010100231200.0Z
[10121] Fiber exit Tx=532 bytes Rx=2305 bytes, status=1
[10121] Session End

Also check for any VPN ACL configured on the outside interface (if any).


Dileep
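The failing and the successful debugs above differ in one telltale field, so here is a small parser, added as an example and not part of the original post, that reads ASA `debug ldap` transcripts, groups lines by session id and classifies each session. The transcript it parses is constructed from the debug output quoted in this thread. The detail worth keying on is `Fiber exit Tx=0 bytes Rx=0 bytes, status=-3`: zero bytes transmitted means the ASA never opened a socket to the server, which is consistent with seeing nothing in a capture on the LDAP host and separates this fault from a bind the server actually rejected.

```python
"""Parse Cisco ASA 'debug ldap' session transcripts and classify each session.

Added example, not from the original thread. SAMPLE_DEBUG is constructed to
mirror the two debugs posted in the thread: a session that fails before any
packet is sent (Tx=0, status=-3) and one that binds and succeeds (status=1).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample transcript modelled on the debug output quoted above.
SAMPLE_DEBUG = """\
[61] Session Start
[61] New request Session, context 0xd82eda50, reqType = Authentication
[61] Fiber started
[61] Failed: The username or password is blank
[61] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[61] Session End
Resetting 172.20.0.3's numtries
ERROR: Invalid password
[10121] Session Start
[10121] New request Session, context 0xd24f87c0, reqType = Authentication
[10121] Fiber started
[10121] Creating LDAP context with uri=ldap://172.50.2.184:389
[10121] Connect to LDAP server: ldap://172.50.2.184:389, status = Successful
[10121] Binding as administrator
[10121] LDAP Search:
        Base DN = [dc=domain, dc=com]
        Filter  = [sAMAccountName=test]
        Scope   = [SUBTREE]
[10121] User DN = [CN=test,CN=Users,DC=DOMAIN,DC=COM]
[10121] Binding as test
[10121] Authentication successful for test to 172.50.2.184
[10121] Fiber exit Tx=532 bytes Rx=2305 bytes, status=1
[10121] Session End
"""

# Every session-scoped line starts with "[<session id>]".
LINE_RE = re.compile(r"^\[(?P<sid>\d+)\]\s*(?P<msg>.*)$")
EXIT_RE = re.compile(
    r"Fiber exit Tx=(?P<tx>\d+) bytes Rx=(?P<rx>\d+) bytes, status=(?P<status>-?\d+)"
)


@dataclass
class LdapSession:
    sid: int
    messages: list = field(default_factory=list)
    tx: int = 0
    rx: int = 0
    status: int | None = None
    server: str | None = None   # host:port from the "Connect to LDAP server" line
    user_dn: str | None = None  # DN found by the sAMAccountName search

    @property
    def contacted_server(self) -> bool:
        # Tx=0 means the ASA never put a packet on the wire for this session,
        # which is what a capture on the LDAP server would confirm.
        return self.tx > 0


def parse_sessions(text: str) -> dict:
    """Group transcript lines by session id and pull out the key fields."""
    sessions: dict = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # indented continuation lines and non-session chatter
        sid, msg = int(m.group("sid")), m.group("msg")
        s = sessions.setdefault(sid, LdapSession(sid))
        s.messages.append(msg)
        e = EXIT_RE.search(msg)
        if e:
            s.tx, s.rx, s.status = int(e["tx"]), int(e["rx"]), int(e["status"])
        elif msg.startswith("Connect to LDAP server:"):
            s.server = msg.split("ldap://", 1)[1].split(",", 1)[0]
        elif msg.startswith("User DN = ["):
            s.user_dn = msg[len("User DN = ["):-1]
    return sessions


def classify(s: LdapSession) -> str:
    """Map a session to the fault class a practitioner would act on."""
    if s.status is not None and s.status > 0:
        return "success"
    blank = any("username or password is blank" in m for m in s.messages)
    if blank and not s.contacted_server:
        # Rejected before a socket was opened: the credential never reached
        # the LDAP bind, e.g. a PPP method that gives the ASA no reusable
        # password, rather than a server-side rejection.
        return "blank-credential-before-bind"
    if not s.contacted_server:
        return "no-server-contact"
    return "server-rejected"


if __name__ == "__main__":
    for sid, sess in sorted(parse_sessions(SAMPLE_DEBUG).items()):
        print(sid, classify(sess), sess.tx, sess.rx, sess.status, sess.server)
```

Run it against a pasted `debug ldap 255` capture instead of `SAMPLE_DEBUG` to triage a batch of sessions; `no-server-contact` with a non-blank message points at routing or the `(interface)` on the server group, while `server-rejected` means the bind was attempted and it is the directory side that needs looking at.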

Thanks for the reply, I've tried your suggestions but unfortunately am still
seeing this problem.  Wireshark on the LDAP server shows normal transactions
when I run the 'test aaa-server' command, but I see no packets arrive on the
LDAP server when I try to establish a VPN.

Here are some more edited highlights from my config.  I'd like to use LDAP
over SSL in due course, but for now it's plaintext to help debugging:

aaa-server x-LDAP protocol ldap
aaa-server x-LDAP (inside) host 172.20.0.1
 timeout 5
 server-port 389
 ldap-base-dn dc=x,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=x,cn=users,dc=x,dc=local
 server-type microsoft
 
crypto ipsec transform-set TRANSPORT_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANSPORT_ESP_3DES_SHA mode transport

crypto map IPSECMap 103 ipsec-isakmp dynamic x-VPN
crypto map IPSECMap interface outside

crypto isakmp policy 119
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 172.20.0.1
 dns-server value 172.20.0.1
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 ipsec-udp enable
 default-domain value x.local
tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 authentication-server-group (outside) x-LDAP
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2

aaa debug output during VPN setup:

Resetting 0.0.0.0's numtries

[14] Session Start
[14] New request Session, context 0xd82edbc0, reqType = Authentication
[14] Fiber started
[14] Failed: The username or password is blank
[14] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[14] Session End
Resetting 172.20.0.1's numtries
ERROR: Invalid password

Any assistance would be gratefully received!

Thanks,

Philip


I noticed that this post seems to be the only one that comes up when looking for something regarding

[61] Fiber started
[61] Failed: The username or password is blank

So I decided to share my solution: this usually happens if the AnyConnect image is not mapped/installed.

Please make sure you have a valid AnyConnect image on the flash and that it is configured under webvpn:

 

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-linux64-4.5.03040-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.5.03040-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-win-4.4.01054-webdeploy-k9.pkg 3

 

Hope this helps.

Rolando A. Valenzuela
