01-21-2010 07:56 PM - edited 03-11-2019 10:00 AM
Hi folks, I was hoping someone might be able to suggest what I may be doing wrong here. My ASA5505 8.2(2) is configured for remote VPN access using L2TP over IPsec. Phases 1 and 2 complete correctly but authentication fails. When I debug LDAP while trying to establish the VPN, I get this:

[61] Session Start
[61] New request Session, context 0xd82eda50, reqType = Authentication
[61] Fiber started
[61] Failed: The username or password is blank
[61] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[61] Session End
Resetting 172.20.0.3's numtries
ERROR: Invalid password

I don't understand where the 'username or password is blank' error comes from, as neither is blank. When I test the same server entry using the built-in 'test aaa-server authentication' command it all works fine! Some snips of config:

aaa-server x protocol ldap
aaa-server x (inside) host 172.20.0.3
 timeout 5
 server-port 389
 ldap-base-dn dc=x,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=uid,cn=users,dc=x,dc=local
tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 authentication-server-group x
 default-group-policy DefaultRAGroup

Any assistance would be greatly appreciated.

Thanks,
Philip
01-22-2010 11:44 PM
Philip,
Only PAP authentication is supported if you configure LDAP server for authentication.
Change authentication to PAP and try.
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
Check this Link
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/l2tp_ips.html
Dileep
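The answer above amounts to a configuration invariant: a tunnel-group that authenticates against an LDAP server group must negotiate PAP in its ppp-attributes, because a simple LDAP bind needs the cleartext password and CHAP/MS-CHAPv2 only hand the ASA a challenge response. The following is an added example (not from this thread or from Cisco) that checks that invariant over a saved ASA running-config; the sample config is constructed to mirror the thread, and the ASA default PPP methods (chap and ms-chap-v1) are modelled as an assumption.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the thread's config (LDAP group + MS-CHAPv2).
SAMPLE_CONFIG = """\
aaa-server x-LDAP protocol ldap
aaa-server x-LDAP (inside) host 172.20.0.1
 server-type microsoft
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) x-LDAP
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
"""

def parse_asa(text):
    """Collect aaa-server protocols, tunnel-group auth groups and PPP methods."""
    aaa, tg_auth = {}, {}     # server-group -> protocol; tunnel-group -> auth group
    # Assumed ASA defaults: chap and ms-chap-v1 are enabled under ppp-attributes.
    tg_ppp = defaultdict(lambda: {"chap", "ms-chap-v1"})
    section = None            # (tunnel-group, attribute block) being parsed
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # top-level command starts a new block
            section = None
            m = re.match(r"aaa-server (\S+) protocol (\S+)$", line)
            if m:
                aaa[m.group(1)] = m.group(2)
            m = re.match(r"tunnel-group (\S+) (general|ppp)-attributes$", line)
            if m:
                section = (m.group(1), m.group(2))
        elif section and section[1] == "general":
            m = re.match(r"authentication-server-group (?:\(\S+\) )?(\S+)", line)
            if m:
                tg_auth[section[0]] = m.group(1)
        elif section and section[1] == "ppp":
            m = re.match(r"(no )?authentication (\S+)$", line)
            if m:
                methods = tg_ppp[section[0]]
                (methods.discard if m.group(1) else methods.add)(m.group(2))
    return aaa, tg_auth, tg_ppp

def audit_ldap_ppp(text):
    """Return (tunnel-group, server-group, offending methods) for each LDAP-backed
    tunnel-group whose PPP methods are not exactly PAP."""
    aaa, tg_auth, tg_ppp = parse_asa(text)
    findings = []
    for tg, group in tg_auth.items():
        if aaa.get(group) == "ldap" and tg_ppp[tg] != {"pap"}:
            findings.append((tg, group, sorted(tg_ppp[tg] - {"pap"})))
    return findings
```

Run `audit_ldap_ppp` on the output of `show running-config`; an empty result means every LDAP-backed tunnel-group is PAP-only, which is the state the thread ends with.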
01-21-2010 11:38 PM
Hi Philip,
Specify the server type in your LDAP config.
e.g.: server-type microsoft
Another setting that may help is to specify the interface to which the LDAP server is connected in your tunnel-group setting:
authentication-server-group (interface) ldap-ip-address
The successful authentication debug looks like this:
[10121] Session Start
[10121] New request Session, context 0xd24f87c0, reqType = Authentication
[10121] Fiber started
[10121] Creating LDAP context with uri=ldap://172.50.2.184:389
[10121] Connect to LDAP server: ldap://172.50.2.184:389, status = Successful
[10121] supportedLDAPVersion: value = 3
[10121] supportedLDAPVersion: value = 2
[10121] Binding as administrator
[10121] Performing Simple authentication for administrator to 172.50.2.184
[10121] LDAP Search:
Base DN = [dc=domain, dc=com]
Filter = [sAMAccountName=test]
Scope = [SUBTREE]
[10121] User DN = [CN=test,CN=Users,DC=DOMAIN,DC=COM]
[10121] Talking to Active Directory server 172.50.2.184
[10121] Reading password policy for test, dn:CN=test,CN=Users,DC=DOMAIN,DC=COM
[10121] Read bad password count 0
[10121] Binding as test
[10121] Performing Simple authentication for test to 172.50.2.184
[10121] Processing LDAP response for user test
[10121] Message (test):
[10121] Authentication successful for test to 172.50.2.184
[10121] Retrieved User Attributes:
[10121] objectClass: value = top
[10121] objectClass: value = test
[10121] objectClass: value = organizationalPerson
[10121] objectClass: value = user
[10121] cn: value = test
[10121] givenName: value = test
[10121] distinguishedName: value = CN=test,CN=Users,DC=DOMAIN,DC=COM
[10121] instanceType: value = 4
[10121] whenCreated: value = 20071001100525.0Z
[10121] whenChanged: value = 20071014045721.0Z
[10121] displayName: value = test
[10121] uSNCreated: value = 2519419
[10121] uSNChanged: value = 2519419
[10121] name: value = test
[10121] objectGUID: value = C......C.AE...B4
[10121] userAccountControl: value = 512
[10121] badPwdCount: value = 0
[10121] codePage: value = 0
[10121] countryCode: value = 0
[10121] badPasswordTime: value = 1290808633452
[10121] lastLogon: value = 1290861501515234234
[10121] pwdLastSet: value = 12899712312310
[10121] primaryGroupID: value = 513
[10121] objectSid: value = ...............9.u.<6.......
[10121] accountExpires: value = 922337202321
[10121] logonCount: value = 633
[10121] sAMAccountName: value = test
[10121] sAMAccountType: value = 8053062312
[10121] userPrincipalName: value = test@domain.COM
[10121] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=DOMAIN,DC=COM
[10121] dSCorePropagationData: value = 1601010100231200.0Z
[10121] Fiber exit Tx=532 bytes Rx=2305 bytes, status=1
[10121] Session End
And also check for any VPN ACL configured on outside interface (if any).
Dileep
01-22-2010 10:06 AM
Thanks for the reply, I've tried your suggestions but unfortunately am still seeing this problem. Wireshark on the LDAP server shows normal transactions when I run the 'test aaa-server' command, but I see no packets arrive on the LDAP server when I try to establish a VPN. Here are some more edited highlights from my config. I'd like to use LDAP over SSL in due course, but for now it's plaintext to help debugging:

aaa-server x-LDAP protocol ldap
aaa-server x-LDAP (inside) host 172.20.0.1
 timeout 5
 server-port 389
 ldap-base-dn dc=x,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=x,cn=users,dc=x,dc=local
 server-type microsoft
crypto ipsec transform-set TRANSPORT_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANSPORT_ESP_3DES_SHA mode transport
crypto map IPSECMap 103 ipsec-isakmp dynamic x-VPN
crypto map IPSECMap interface outside
crypto isakmp policy 119
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 172.20.0.1
 dns-server value 172.20.0.1
 vpn-tunnel-protocol IPSec l2tp-ipsec
 ipsec-udp enable
 default-domain value x.local
tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 authentication-server-group (outside) x-LDAP
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2

aaa debug output during VPN setup:

Resetting 0.0.0.0's numtries
[14] Session Start
[14] New request Session, context 0xd82edbc0, reqType = Authentication
[14] Fiber started
[14] Failed: The username or password is blank
[14] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[14] Session End
Resetting 172.20.0.1's numtries
ERROR: Invalid password

Any assistance would be gratefully received!

Thanks,
Philip
07-10-2018 03:52 PM
I noticed that this post seems to be the only one that comes up when looking for something regarding
[61] Fiber started [61] Failed: The username or password is blank
So I decided to share my solution: this usually happens if the AnyConnect image is not mapped/installed.
Please make sure you have a valid AnyConnect image on the flash and that it is configured under webvpn:
webvpn
enable outside
anyconnect image disk0:/anyconnect-linux64-4.5.03040-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.5.03040-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnect-win-4.4.01054-webdeploy-k9.pkg 3
Hope this helps.
Rolando A. Valenzuela