Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

LDAP authentication to AD for SSL VPN clients not quite working

Hello,

I'm trying to get SSL VPN users to authenticate to AD, I've tried many configuration examples on the web, all are different is some way but I've nearly got it working, as the "deb ldap 255" looks like its successful yet the AnyConnect displays "Login Failed"

Please see below and if you can suggest anything I'd much appriecte it

Regards Tony

Config....

ldap attribute-map OCT-VPN
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=VPNUsers,OU=Security Groups,OU=London,DC=customer,DC=co.uk" GP-AllowVPN


aaa-server TEST_SERVER protocol ldap
aaa-server TEST_SERVER (inside) host 192.168.100.1
ldap-base-dn DC=customer,DC=co,DC=uk
ldap-group-base-dn CN=VPNUsers,OU=Security Groups,OU=London,DC=customer,DC=co,DC=uk
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=VPN Access,OU=Service Accounts,OU=IT,OU=London,DC=customer,DC=co,DC=uk
server-type microsoft
ldap-attribute-map OCT-VPN


threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/sslclient-win-1.1.0.154.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-client

group-policy GP-AllowVPN internal
group-policy GP-AllowVPN attributes
dns-server value 192.168.100.1
vpn-simultaneous-logins 2
vpn-tunnel-protocol ssl-client
default-domain value customer.co.uk
webvpn
  anyconnect ask none

group-policy GP-DenyVPN internal
group-policy GP-DenyVPN attributes
vpn-simultaneous-logins 0

tunnel-group ACMEORG_SSL-VPN type remote-access
tunnel-group ACMEORG_SSL-VPN general-attributes
address-pool ACMEORGSSL_Pool
authentication-server-group TEST_SERVER LOCAL

authorization-server-group TEST_SERVER
default-group-policy GP-DenyVPN
tunnel-group ACMEORG_SSL-VPN webvpn-attributes
group-alias SSL-VPN enable
!


It looks ok but the AnyConnect client gets a "login failed" message!


[23] Session Start
[23] New request Session, context 0xcb23850c, reqType = Authentication
[23] Fiber started
[23] Creating LDAP context with uri=ldap://192.168.100.1:389
[23] Connect to LDAP server: ldap://192.168.100.1:389, status = Successful
[23] supportedLDAPVersion: value = 3
[23] supportedLDAPVersion: value = 2
[23] Binding as VPN Access
[23] Performing Simple authentication for VPN Access to 192.168.100.1
[23] LDAP Search:
        Base DN = [DC=customer,DC=co,DC=uk]
        Filter  = [sAMAccountName=test_permit]
        Scope   = [SUBTREE]
[23] User DN = [CN=test_permit,OU=Security Groups,OU=London,DC=customer,DC=co,DC=uk]
[23] Talking to Active Directory server 192.168.100.1
[23] Reading password policy for test_permit, dn:CN=test_permit,OU=Security Groups,OU=London,DC=customer,DC=co,DC=uk
[23] Read bad password count 0
[23] Binding as test_permit
[23] Performing Simple authentication for test_permit to 192.168.100.1
[23] Processing LDAP response for user test_permit
[23] Message (test_permit):
[23] Authentication successful for test_permit to 192.168.100.1
[23] Retrieved User Attributes:
[23]    objectClass: value = top
[23]    objectClass: value = person
[23]    objectClass: value = organizationalPerson
[23]    objectClass: value = user
[23]    cn: value = test_permit
[23]    givenName: value = test_permit
[23]    distinguishedName: value = CN=test_permit,OU=Security Groups,OU=London,DC=customer,DC=co,DC=uk
[23]    instanceType: value = 4
[23]    whenCreated: value = 20140129161810.0Z
[23]    whenChanged: value = 20140205152134.0Z
[23]    displayName: value = test_permit
[23]    uSNCreated: value = 17778031
[23]    memberOf: value = CN=VPNUsers,OU=Security Groups,OU=London,DC=customer,DC=co,DC=uk
[23]            mapped to IETF-Radius-Class: value = CN=VPNUsers,OU=Security Groups,OU=London,DC=customer,DC=co,DC=uk
[23]            mapped to LDAP-Class: value = CN=VPNUsers,OU=Security Groups,OU=London,DC=customer,DC=co,DC=uk
[23]    uSNChanged: value = 17810714
[23]    name: value = test_permit
[23]    objectGUID: value = .f%o..ZK..2d.u..
[23]    userAccountControl: value = 512
[23]    badPwdCount: value = 0
[23]    codePage: value = 0
[23]    countryCode: value = 0
[23]    badPasswordTime: value = 130360918828015446
[23]    lastLogoff: value = 0
[23]    lastLogon: value = 130360918934996451
[23]    pwdLastSet: value = 130360082489276782
[23]    primaryGroupID: value = 513
[23]    userParameters: value = m:                    d.
[23]    objectSid: value = .............^)...y....[!...
[23]    accountExpires: value = 9223372036854775807
[23]    logonCount: value = 0
[23]    sAMAccountName: value = test_permit
[23]    sAMAccountType: value = 805306368
[23]    userPrincipalName: value = test_permit@customer.co.uk
[23]    objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=customer,DC=co,DC=uk
[23]    msNPAllowDialin: value = TRUE
[23]    lastLogonTimestamp: value = 130359170029583663
[23] Fiber exit Tx=634 bytes Rx=2744 bytes, status=1
[23] Session End

I typed an incorrect password here to see what the output looked like too....


[25] Session Start
[25] New request Session, context 0xcb23850c, reqType = Authentication
[25] Fiber started
[25] Creating LDAP context with uri=ldap://192.168.100.1:389
[25] Connect to LDAP server: ldap://192.168.100.1:389, status = Successful
[25] supportedLDAPVersion: value = 3
[25] supportedLDAPVersion: value = 2
[25] Binding as VPN Access
[25] Performing Simple authentication for VPN Access to 192.168.100.1
[25] LDAP Search:
        Base DN = [DC=customer,DC=co,DC=uk]
        Filter  = [sAMAccountName=test_permit]
        Scope   = [SUBTREE]
[25] User DN = [CN=test_permit,OU=Security Groups,OU=London,DC=customer,DC=co,DC=uk]
[25] Talking to Active Directory server 192.168.100.1
[25] Reading password policy for test_permit, dn:CN=test_permit,OU=Security Groups,OU=London,DC=customer,DC=co,DC=uk
[25] Read bad password count 0
[25] Binding as test_permit
[25] Performing Simple authentication for test_permit to 192.168.100.1
[25] Simple authentication for test_permit returned code (49) Invalid credentials
[25] Message (test_permit): 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
[25] Invalid password for test_permit
[25] Fiber exit Tx=625 bytes Rx=2831 bytes, status=-1
[25] Session End

Any help appreicated

458
Views
0
Helpful
0
Replies
CreatePlease to create content