AAA LDAP Configuration for VPN

ciscoisist
Level 1

Preface: I am brand new to Cisco Configuration and learning as I go.

I am at the LDAP configuration stage of configuring a VPN on ASA 5520, software version 8.3(1).  Having previously setup and tested RADIUS authentication with success, I sought to use similar logic in setting up LDAP authentication/authorization.  I acquired a service account that would query the AD for the entered user credentials.  My primary resource has been the following manual: Cisco ASA 5500 Series Configuration Guide using the CLI Software Version 8.3.  I had initially done the configurations using ASDM, but could not get testing to succeed.  So I blew away the ASDM configs and went to the CLI.  Following is the configuration.

aaa-server AAA_LDAP protocol ldap
aaa-server AAA_LDAP (inside) host 10.20.30.40
server-port 636
ldap-base-dn domain.ad
ldap-scope subtree
ldap-naming-attribute uid
ldap-login-password 8 *******
ldap-login-dn cn=commonname,ou=ou01,ou=ou02,dc=domain,dc=ad
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map LDAP_ATTRIB

---

tunnel-group ASA_DEFAULT type remote-access
tunnel-group ASA_DEFAULT general-attributes
authorization-server-group AAA_LDAP

---

ldap attribute-map LDAP_ATTRIB
  map-name  MemberOf IETF-Radius-Class
  map-value MemberOf "VPN Users" asa_default

---

I have tested every ldap-naming-attribute alternative listed with the same results.

When I test Authentication using this configuration, I get the following error: ERROR: Authentication Server not responding: AAA Server has been removed

When I test Authorization using this configuration, I get the same error (except for the word Authorization instead of Authentication).

I am at a complete loss.  Any assistance would be appreciated.

6 Replies

Tarik Admani
VIP Alumni

Check the configuration for your ldap-base-dn.

I am sure it should be set to dc=domain,dc=ad

Also check the case of your attribute map; I would match the tunnel group that you are trying to map your users to.

You can also run debug ldap 255 to see how everything is going during your test.

Let me know if that fixes your issue.

Thanks,

Tarik Admani

Thanks for the response.  I put the ldap-base-dn into fqdn format (dc=domain,dc=ad).

I have most of my named items in all caps for visibility, at least for the moment.  Can't really see anything on those.

The debug mode shows bad credentials on the service account (output below).  I took the md5 config out just to minimize confusion.  The service account is configured as a Domain User. One of the manuals suggested that read access on the AD would suffice; another (the CLI Command Reference) said an admin account would be needed.  These results are from a Domain Admin account that I use, or so I thought.  I'm going to try upping the creds on the service account to see if that works.  I'll post the results.  Thanks again.


INFO: Attempting Authorization test to IP address <10.20.30.30> (timeout: 12 seconds)

[210] Session Start
[210] New request Session, context 0x738cdba8, reqType = Other
[210] Fiber started
[210] Creating LDAP context with uri=ldaps://10.20.30.30:636
[210] Connect to LDAP server: ldaps://10.20.30.30:636, status = Successful
[210] supportedLDAPVersion: value = 3
[210] supportedLDAPVersion: value = 2
[210] Binding as st_domadm
[210] Performing Simple authentication for st_domadm to 10.20.30.30
[210] Simple authentication for st_domadm returned code (49) Invalid credentials
[210] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[210] Fiber exit Tx=225 bytes Rx=565 bytes, status=-2
[210] Session End
ERROR: Authorization Server not responding: AAA Server has been removed

I would use ldp.exe to see if you can make sure that the syntax of your ldap-login-dn is just like you have it in your config; it really helps by just copying and pasting.

The problem I see is the following:

[210] Binding as st_domadm
[210] Performing Simple authentication for st_domadm to 10.20.30.30
[210] Simple authentication for st_domadm returned code (49) Invalid credentials
[210] Failed to bind as administrator returned code (-1) Can't contact LDAP server

I assume that your ldap-login-dn is st_domadm and you are trying to test with the administrator account?

Thanks,

Tarik

You are correct.  The second test was run with a domain admin account after the service account failed.  I'm going to try adjusting the service account credentials to see if that does anything for it.

Thanks

We have success.  The service account worked without having to elevate its permissions beyond Domain Users.  As it turns out, the account has a common name that is different than its login name.  I had been using the login name as the CN.  Once I switched it to the common name, all was well.

The debug ldap command was a huge help.  Thanks for that tool.  Thanks for all your help.

ST
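As an added example (not from this thread, and not Cisco's code), a small Python pre-flight check that applies the two points the thread arrives at: it checks that ldap-base-dn and ldap-login-dn are written as attr=value DNs rather than as a DNS name, and it classifies the connect and bind stages of the debug ldap 255 output quoted above, so that result code 49 is read as a rejected login DN/password rather than as the misleading "Can't contact LDAP server" / "AAA Server has been removed" lines that follow it. The debug lines are the ones quoted in the thread, embedded as a constructed sample; the DN check is a deliberately simple syntax check that does not handle escaped commas.

```python
import re

# Constructed sample: the "debug ldap 255" lines quoted earlier in this thread
SAMPLE_DEBUG = """\
[210] Creating LDAP context with uri=ldaps://10.20.30.30:636
[210] Connect to LDAP server: ldaps://10.20.30.30:636, status = Successful
[210] Binding as st_domadm
[210] Performing Simple authentication for st_domadm to 10.20.30.30
[210] Simple authentication for st_domadm returned code (49) Invalid credentials
[210] Failed to bind as administrator returned code (-1) Can't contact LDAP server
"""

# A DN here is one or more attr=value RDNs joined by commas; escaped commas are not handled.
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+(,[A-Za-z][A-Za-z0-9-]*=[^,=]+)*$")

# LDAP result codes seen at the bind stage, each with the thing to check on the ASA side.
BIND_HINTS = {
    0: "bind succeeded; if the test still fails, look at the user search, not the bind",
    49: "AD rejected ldap-login-dn/ldap-login-password: the cn= must be the account's "
        "Common Name (what ldp.exe shows), not its logon name",
    32: "ldap-login-dn names an object that does not exist; copy the DN from ldp.exe",
}

def check_dn(dn):
    """Return a list of problems with an ASA ldap-base-dn or ldap-login-dn value."""
    problems = []
    if not DN_RE.match(dn):
        problems.append("not in attr=value,attr=value form")
        if "." in dn and "=" not in dn:  # e.g. 'domain.ad' typed instead of dc=domain,dc=ad
            problems.append("use " + ",".join("dc=" + part for part in dn.split(".")))
    return problems

def diagnose_bind(debug_text):
    """Classify the connect and bind stages of ASA 'debug ldap 255' output."""
    if not re.search(r"Connect to LDAP server: \S+, status = Successful", debug_text):
        return {"stage": "connect", "ok": False,
                "hint": "no successful connect; check host, server-port 636 and ldap-over-ssl"}
    m = re.search(r"Simple authentication for (\S+) returned code \((\d+)\)", debug_text)
    if not m:
        return {"stage": "bind", "ok": False, "hint": "no bind result found in the output"}
    code = int(m.group(2))
    # The later "Can't contact LDAP server" line is a consequence of this code, not a network fault.
    return {"stage": "bind", "ok": code == 0, "account": m.group(1), "code": code,
            "hint": BIND_HINTS.get(code, "look up LDAP result code %d" % code)}

if __name__ == "__main__":
    for value in ("domain.ad", "dc=domain,dc=ad", "cn=commonname,ou=ou01,ou=ou02,dc=domain,dc=ad"):
        print(value, "->", check_dn(value) or "ok")
    print(diagnose_bind(SAMPLE_DEBUG))
```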

Herlander Stock
Level 1

I have an ASA 5520 authenticating Remote Access VPN users using RADIUS running on a Windows 2003 server. That works well, no issue.

Now I want to use the same server to authenticate login users (SSH) using RADIUS. It is working, but not only for users that I've placed in a specific AD group; everyone in AD can log in (which I don't want). So I thought maybe using LDAP can accomplish the SSH authentication using a specific group, since through LDAP you specify CN, DC, etc.

From the ASA I can ping the RADIUS/LDAP server. I have already configured the ASA to use LDAP; here is the configuration:

hostname(config)# aaa-server LDAPSERVERS protocol LDAP
hostname(config-aaa-server-group)# aaa-server LDAPSERVERS (inside) host 192.168.1.201
hostname(config-aaa-server-host)# ldap-base-dn cn=Mia,dc=intermexwire,dc=com
hostname(config-aaa-server-host)# ldap-scope subtree
hostname(config-aaa-server-host)# ldap-naming-attribute sAMAccountName
hostname(config-aaa-server-host)# ldap-login-password *********
hostname(config-aaa-server-host)# ldap-login-dn cn=administrator,cn=Users,dc=intermexwire,dc=com
hostname(config-aaa-server-host)# server-type auto-detect
hostname(config-aaa-server-host)# test aaa-server authentication LDAPSERVERS host 192.168.1.201 username user01 password ********

ERROR: Authentication Server not responding: AAA Server has been removed

I'm getting this error while testing the LDAP server from the ASA, so I don't know what I'm doing wrong.