01-21-2010 07:56 PM - edited 03-11-2019 10:00 AM
Hi folks, I was hoping someone might be able to suggest what I may be doing wrong here. My ASA5505 8.2(2) is configured for remote VPN access using L2TP over IPsec. Phases 1 and 2 complete correctly but authentication fails. When I debug LDAP while trying to establish the VPN, I get this:

[61] Session Start
[61] New request Session, context 0xd82eda50, reqType = Authentication
[61] Fiber started
[61] Failed: The username or password is blank
[61] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[61] Session End
Resetting 172.20.0.3's numtries
ERROR: Invalid password

I don't understand where the 'username or password is blank' error comes from, as neither is blank. When I test the same server entry using the built-in 'test aaa-server authentication' command it all works fine!

Some snips of config:

aaa-server x protocol ldap
aaa-server x (inside) host 172.20.0.3
 timeout 5
 server-port 389
 ldap-base-dn dc=x,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=uid,cn=users,dc=x,dc=local
tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 authentication-server-group x
 default-group-policy DefaultRAGroup

Any assistance would be greatly appreciated.
Thanks, Philip
01-21-2010 11:38 PM
Hi Philip,
Specify the server type in your LDAP config.
eg : server-type microsoft
Another setting that may help is to specify, in your tunnel-group configuration, the interface to which the LDAP server is connected:
authentication-server-group (interface) ldap-ip-address
The successful authentication debug looks like this
[10121] Session Start
[10121] New request Session, context 0xd24f87c0, reqType = Authentication
[10121] Fiber started
[10121] Creating LDAP context with uri=ldap://172.50.2.184:389
[10121] Connect to LDAP server: ldap://172.50.2.184:389, status = Successful
[10121] supportedLDAPVersion: value = 3
[10121] supportedLDAPVersion: value = 2
[10121] Binding as administrator
[10121] Performing Simple authentication for administrator to 172.50.2.184
[10121] LDAP Search:
Base DN = [dc=domain, dc=com]
Filter = [sAMAccountName=test]
Scope = [SUBTREE]
[10121] User DN = [CN=test,CN=Users,DC=DOMAIN,DC=COM]
[10121] Talking to Active Directory server 172.50.2.184
[10121] Reading password policy for test, dn:CN=test,CN=Users,DC=DOMAIN,DC=COM
[10121] Read bad password count 0
[10121] Binding as test
[10121] Performing Simple authentication for test to 172.50.2.184
[10121] Processing LDAP response for user test
[10121] Message (test):
[10121] Authentication successful for test to 172.50.2.184
[10121] Retrieved User Attributes:
[10121] objectClass: value = top
[10121] objectClass: value = test
[10121] objectClass: value = organizationalPerson
[10121] objectClass: value = user
[10121] cn: value = test
[10121] givenName: value = test
[10121] distinguishedName: value = CN=test,CN=Users,DC=DOMAIN,DC=COM
[10121] instanceType: value = 4
[10121] whenCreated: value = 20071001100525.0Z
[10121] whenChanged: value = 20071014045721.0Z
[10121] displayName: value = test
[10121] uSNCreated: value = 2519419
[10121] uSNChanged: value = 2519419
[10121] name: value = test
[10121] objectGUID: value = C......C.AE...B4
[10121] userAccountControl: value = 512
[10121] badPwdCount: value = 0
[10121] codePage: value = 0
[10121] countryCode: value = 0
[10121] badPasswordTime: value = 1290808633452
[10121] lastLogon: value = 1290861501515234234
[10121] pwdLastSet: value = 12899712312310
[10121] primaryGroupID: value = 513
[10121] objectSid: value = ...............9.u.<6.......
[10121] accountExpires: value = 922337202321
[10121] logonCount: value = 633
[10121] sAMAccountName: value = test
[10121] sAMAccountType: value = 8053062312
[10121] userPrincipalName: value = test@domain.COM
[10121] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=DOMAIN,DC=COM
[10121] dSCorePropagationData: value = 1601010100231200.0Z
[10121] Fiber exit Tx=532 bytes Rx=2305 bytes, status=1
[10121] Session End
Also check for any VPN ACL configured on the outside interface (if any).
Dileep
01-22-2010 10:06 AM
Thanks for the reply, I've tried your suggestions but unfortunately am still seeing this problem. Wireshark on the LDAP server shows normal transactions when I run the 'test aaa-server' command, but I see no packets arrive on the LDAP server when I try to establish a VPN. Here are some more edited highlights from my config. I'd like to use LDAP over SSL in due course, but for now it's plaintext to help debugging:

aaa-server x-LDAP protocol ldap
aaa-server x-LDAP (inside) host 172.20.0.1
 timeout 5
 server-port 389
 ldap-base-dn dc=x,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=x,cn=users,dc=x,dc=local
 server-type microsoft
crypto ipsec transform-set TRANSPORT_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANSPORT_ESP_3DES_SHA mode transport
crypto map IPSECMap 103 ipsec-isakmp dynamic x-VPN
crypto map IPSECMap interface outside
crypto isakmp policy 119
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 172.20.0.1
 dns-server value 172.20.0.1
 vpn-tunnel-protocol IPSec l2tp-ipsec
 ipsec-udp enable
 default-domain value x.local
tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 authentication-server-group (outside) x-LDAP
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2

aaa debug output during VPN setup:

Resetting 0.0.0.0's numtries
[14] Session Start
[14] New request Session, context 0xd82edbc0, reqType = Authentication
[14] Fiber started
[14] Failed: The username or password is blank
[14] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[14] Session End
Resetting 172.20.0.1's numtries
ERROR: Invalid password

Any assistance would be gratefully received!
Thanks, Philip
01-22-2010 11:44 PM
Philip,
Only PAP authentication is supported if you configure an LDAP server for authentication.
Change the authentication to PAP and try again:
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
Check this link:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/l2tp_ips.html
Dileep
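The accepted answer above comes down to one incompatibility: the ASA authenticates an LDAP user by binding to the directory with that user's password, so it needs the cleartext password from the PPP exchange, and only PAP delivers it. CHAP and the MS-CHAP variants hand the ASA a challenge response it cannot bind with, which is why the LDAP fiber dies with "username or password is blank" before a single packet reaches the directory, while 'test aaa-server' (which is given the password directly) works. The checker below is an added example written for this thread; it is not Cisco's code and not from any post above. It parses ASA-style config text and flags an LDAP authentication-server-group paired with a non-PAP PPP method, printing the corrective ppp-attributes lines, and it also flags LDAP hosts without 'ldap-over-ssl enable', since once PAP is in use the user's password would otherwise travel from the ASA to the directory in the clear. The CONFIG text is constructed from the fragments posted in this thread (the poster's 'x' and '*****' redactions are kept); function and constant names are this example's own; and ASA default PPP methods that are not written as explicit config lines are ignored by assumption.

```python
"""Check an ASA L2TP/IPsec tunnel-group against the AAA server it authenticates to.

Added example for this thread; not Cisco's code and not from the original posts.
Assumption: only explicit 'authentication <method>' lines count as enabled PPP
methods (ASA defaults that do not appear in the config text are ignored).
"""
import re
from dataclasses import dataclass

# Constructed from the config snippets posted in the thread; 'x' and '*****' are
# the poster's own redactions, kept as-is.
CONFIG = """\
aaa-server x-LDAP protocol ldap
aaa-server x-LDAP (inside) host 172.20.0.1
 timeout 5
 server-port 389
 ldap-base-dn dc=x,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=x,cn=users,dc=x,dc=local
 server-type microsoft
tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 authentication-server-group (outside) x-LDAP
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
"""

# PPP methods whose exchange gives the ASA the password itself: only PAP does.
PASSWORD_BEARING = {"pap"}


def parse(config):
    """Split ASA config into (server -> protocol, server -> [(host, sub-lines)],
    tunnel-group -> {section -> sub-lines}). Indented lines belong to the most
    recent top-level command that opened a section."""
    aaa_proto, aaa_hosts, groups = {}, {}, {}
    section = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            section = None
            m = re.match(r"aaa-server (\S+) protocol (\S+)$", line)
            if m:
                aaa_proto[m.group(1)] = m.group(2)
                continue
            m = re.match(r"aaa-server (\S+) \(\S+\) host (\S+)$", line)
            if m:
                section = []
                aaa_hosts.setdefault(m.group(1), []).append((m.group(2), section))
                continue
            m = re.match(r"tunnel-group (\S+) (\S+)$", line)
            if m:
                section = groups.setdefault(m.group(1), {}).setdefault(m.group(2), [])
        elif section is not None:
            section.append(line.strip())
    return aaa_proto, aaa_hosts, groups


@dataclass
class Finding:
    tunnel_group: str
    aaa_server: str
    ppp_methods: list   # methods explicitly enabled under ppp-attributes
    fix: list           # config lines that leave only PAP enabled


def check_l2tp_ppp_auth(config):
    """Flag tunnel-groups that authenticate to LDAP with a non-PAP PPP method."""
    aaa_proto, _, groups = parse(config)
    findings = []
    for name, sections in groups.items():
        server = None
        for line in sections.get("general-attributes", []):
            m = re.match(r"authentication-server-group (?:\(\S+\) )?(\S+)$", line)
            if m:
                server = m.group(1)
        if aaa_proto.get(server) != "ldap":
            continue
        # 'no authentication chap' starts with 'no', so it is not counted as enabled.
        methods = [l.split()[1] for l in sections.get("ppp-attributes", [])
                   if l.startswith("authentication ")]
        enabled = set(methods)
        if enabled and enabled <= PASSWORD_BEARING:
            continue
        fix = [f"tunnel-group {name} ppp-attributes"]
        fix += [f" no authentication {m}" for m in sorted(enabled - PASSWORD_BEARING)]
        if "pap" not in enabled:
            fix.append(" authentication pap")
        findings.append(Finding(name, server, methods, fix))
    return findings


def check_ldap_transport(config):
    """Return (server, host) pairs for LDAP hosts configured without ldap-over-ssl."""
    aaa_proto, aaa_hosts, _ = parse(config)
    return [(server, host)
            for server, hosts in aaa_hosts.items() if aaa_proto.get(server) == "ldap"
            for host, lines in hosts if "ldap-over-ssl enable" not in lines]


if __name__ == "__main__":
    for f in check_l2tp_ppp_auth(CONFIG):
        print(f"{f.tunnel_group}: LDAP server {f.aaa_server} cannot bind with "
              f"{', '.join(f.ppp_methods) or 'no explicit'} PPP auth; apply:")
        print("\n".join(f.fix))
    for server, host in check_ldap_transport(CONFIG):
        print(f"{server} host {host}: user passwords reach the directory in the clear")
```

Two caveats go with the PAP change. The PAP password is cleartext only inside PPP, which rides inside L2TP inside the IPsec ESP tunnel, so on the outside interface it is protected by IPsec; it is the ASA-to-directory leg that becomes plaintext on port 389, which is what the second check is for. And the Windows client must be allowed to use PAP ("Unencrypted password (PAP)" in the connection's security settings), otherwise the PPP negotiation fails before LDAP is consulted at all. The ldap-login-dn account the ASA binds with only needs read access to the user objects; keep it a dedicated least-privilege account.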
07-10-2018 03:52 PM
I noticed that this post seems to be the only one that comes up when searching for something regarding
[61] Fiber started [61] Failed: The username or password is blank
So I decided to share my solution: this usually happens if the AnyConnect image is not mapped/installed.
Please make sure you have a valid AnyConnect image on the flash and that it is configured under webvpn:
webvpn
enable outside
anyconnect image disk0:/anyconnect-linux64-4.5.03040-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.5.03040-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnect-win-4.4.01054-webdeploy-k9.pkg 3
Hope this helps.
Rolando A. Valenzuela