09-15-2009 06:30 AM
Hello,
I have an ASA 5510 configured with WebVPN and authentication against an MS AD server (Windows 2003). Authentication is working perfectly, but password management doesn't work correctly.
If the user's password expires within 14 days, he gets a password-change dialog. He can click Cancel and gets a "Login failed", although the password isn't expired. If he enters a new password, he always gets an error saying the password doesn't match the password policy. This also happens if I disable the password policy in AD completely.
Here is a bit of debugging info:
[88] Session Start
[88] New request Session, context 0xd7d24220, reqType = Modify Password
[88] Fiber started
[88] Creating LDAP context with uri=ldaps://msads:636
[88] Connect to LDAP server: ldaps://msads:636, status = Successful
[88] supportedLDAPVersion: value = 3
[88] supportedLDAPVersion: value = 2
[88] Binding as asa
[88] Performing Simple authentication for asalookup to msads
[88] LDAP Search:
Base DN = [ou=Mitarbeiter,dc=rp]
Filter = [sAMAccountName=testuser]
Scope = [SUBTREE]
[88] User DN = [CN=testuser,OU=Mitarbeiter,DC=rp]
[88] Talking to Active Directory server msads
[88] Reading password policy for testuser, dn:CN=testuser,OU=Mitarbeiter,DC=rp
[88] Read bad password count 0
[88] Fiber exit Tx=809 bytes Rx=10792 bytes, status=-1
[88] Session End
I also tried giving the user administrator permissions, but it doesn't help.
Any further ideas?
regards,
tom
09-15-2009 09:48 AM
ASA version?
related config?
09-15-2009 11:55 PM
fw01# show version
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"
fw01 up 5 days 15 hours
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 0022.909d.xxxx, irq 9
1: Ext: Ethernet0/1 : address is 0022.909d.xxxx, irq 9
2: Ext: Ethernet0/2 : address is 0022.909d.xxxx, irq 9
3: Ext: Ethernet0/3 : address is 0022.909d.xxxx, irq 9
4: Ext: Management0/0 : address is 0022.909d.xxxx, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 10
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5510 Security Plus license.
And here are some relevant config snippets:
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group ads LOCAL
default-group-policy smedia-default
password-management
tunnel-group DefaultWEBVPNGroup webvpn-attributes
customization smedia
tunnel-group testwizard type remote-access
tunnel-group testwizard general-attributes
authentication-server-group ads
authentication-server-group (Proxy) ads
authorization-server-group ads
default-group-policy testgrouppolicy
password-management
authorization-required
tunnel-group smedia type remote-access
tunnel-group smedia general-attributes
address-pool smedia
authentication-server-group ads LOCAL
default-group-policy smedia
password-management
tunnel-group smedia webvpn-attributes
proxy-auth sdi
group-alias smedia enable
group-policy DfltGrpPolicy attributes
vpn-idle-timeout 60
vpn-session-timeout 1440
vpn-tunnel-protocol IPSec webvpn
group-lock value DefaultWEBVPNGroup
webvpn
url-list value smedia-default
filter value smedia-default
http-proxy enable
customization value smedia
activex-relay disable
file-entry disable
file-browsing disable
group-policy smedia internal
group-policy smedia attributes
dns-server value 192.168.0.3
vpn-tunnel-protocol IPSec webvpn
group-lock value smedia
webvpn
customization value smedia
aaa-server ads protocol ldap
aaa-server ads (internal) host msads
server-port 636
ldap-base-dn ou=Mitarbeiter,DC=rp
ldap-group-base-dn OU=Sicherheitsgruppen,DC=rp
ldap-scope subtree
ldap-login-password xxx
ldap-login-dn CN=asa,OU=Extern,OU=Mitarbeiter,DC=rp
ldap-over-ssl enable
server-type microsoft
09-16-2009 01:19 PM
Not sure if it is a bug. I did a quick search but did not find one.
You might open a TAC case with "debug ldap 255" for further investigation.
09-24-2010 08:50 AM
Did you find a resolution to this issue? I'm configuring an ASA 5510 for the first time and experiencing the same problem.
Thank you!
Edit: In my case the problem was related to the AD account I was using for authentication; it was a read-only account. The account needs the ability to change passwords.
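The ASA's generic "password policy" message hides the reason the directory actually gave. The following is an added example (not code from either poster, and not a Cisco tool) that reproduces from a workstation what the ASA does under password-management with server-type microsoft: bind as the ldap-login-dn account over LDAPS and modify the user's unicodePwd attribute, then read the Win32 error code that Active Directory puts at the front of its LDAP diagnostic message. Two details matter here and are encoded in the helpers: AD only accepts unicodePwd as the new password wrapped in double quotes and UTF-16LE, and only over an SSL/TLS-protected session (the posted config already uses port 636 with ldap-over-ssl enable); and a replace of unicodePwd is an administrative reset, which needs the bound account to hold the "Reset Password" extended right on the user objects, whereas a delete-old/add-new modify is the self-service change that needs no special ACL. The ldap3 library, the host and DNs copied from the posted config, the placeholder bind password "xxx", and the sample diagnostic strings (constructed for this example) are assumptions; the DSID values in them are made up.

```python
import re

# Modify-operation names. These are the same strings ldap3 exports as
# MODIFY_ADD / MODIFY_DELETE / MODIFY_REPLACE, defined locally so the
# offline helpers run without the library installed.
MODIFY_ADD = "MODIFY_ADD"
MODIFY_DELETE = "MODIFY_DELETE"
MODIFY_REPLACE = "MODIFY_REPLACE"

# Win32 error codes AD places as 8 hex digits at the start of its LDAP
# diagnostic message, with the cases relevant to a password change.
WIN32_ERRORS = {
    0x0005: "ERROR_ACCESS_DENIED",         # bind account lacks the Reset Password right
    0x052D: "ERROR_PASSWORD_RESTRICTION",  # new password violates the domain policy
    0x052E: "ERROR_LOGON_FAILURE",         # bad bind credentials
    0x0532: "ERROR_PASSWORD_EXPIRED",
    0x0533: "ERROR_ACCOUNT_DISABLED",
    0x0773: "ERROR_PASSWORD_MUST_CHANGE",
    0x0775: "ERROR_ACCOUNT_LOCKED_OUT",
}


def unicode_pwd_value(password):
    """Encode a password the way AD expects it in unicodePwd: the clear text
    wrapped in double quotes, UTF-16LE, no BOM and no terminator."""
    return ('"' + password + '"').encode("utf-16-le")


def password_modify_changes(new_password, old_password=None):
    """Build the ldap3 'changes' dict for a unicodePwd modify.

    With old_password: the self-service change (delete old value, add new),
    which AD allows the user to do on their own object.
    Without: an administrative reset (replace), which requires the bound
    account to hold the "Reset Password" extended right on the user object.
    """
    new_value = unicode_pwd_value(new_password)
    if old_password is None:
        return {"unicodePwd": [(MODIFY_REPLACE, [new_value])]}
    return {"unicodePwd": [(MODIFY_DELETE, [unicode_pwd_value(old_password)]),
                           (MODIFY_ADD, [new_value])]}


_AD_DIAG = re.compile(r"^([0-9A-Fa-f]{8}):")


def classify_ad_diagnostic(message):
    """Return the Win32 error name behind an AD LDAP diagnostic message,
    e.g. '00000005: SecErr: ...' -> 'ERROR_ACCESS_DENIED'.
    Returns None when the message carries no AD error prefix."""
    m = _AD_DIAG.match(message or "")
    if not m:
        return None
    code = int(m.group(1), 16)
    return WIN32_ERRORS.get(code, "WIN32_ERROR_0x%X" % code)


def change_password_over_ldaps(host, bind_dn, bind_password, user_dn,
                               new_password, old_password=None):
    """Reproduce the ASA's password-management modify from a workstation.
    AD rejects unicodePwd changes on an unprotected session, so this always
    connects with LDAPS on 636. Returns (result_code, description, win32_name).
    Requires ldap3 (imported here so the offline helpers above do not)."""
    from ldap3 import Server, Connection
    server = Server(host, port=636, use_ssl=True)
    conn = Connection(server, user=bind_dn, password=bind_password, auto_bind=True)
    conn.modify(user_dn, password_modify_changes(new_password, old_password))
    result = conn.result            # dict with 'result', 'description', 'message'
    conn.unbind()
    return (result["result"], result["description"],
            classify_ad_diagnostic(result.get("message", "")))


if __name__ == "__main__":
    # Live usage against the directory from the thread (credentials are placeholders):
    # print(change_password_over_ldaps("msads", "CN=asa,OU=Extern,OU=Mitarbeiter,DC=rp",
    #       "xxx", "CN=testuser,OU=Mitarbeiter,DC=rp", "NewPassw0rd!"))
    # Offline demonstration on constructed AD diagnostic strings:
    for msg in ("00000005: SecErr: DSID-031A11D5, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0",
                "0000052D: AtrErr: DSID-03190F80, #1:\n\t0: 0000052D: DSID-03190F80, "
                "problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)"):
        print(classify_ad_diagnostic(msg))
```

If the live call returns result 50 (insufficientAccessRights) with ERROR_ACCESS_DENIED, the bind account cannot reset passwords, which is the situation the last poster found; 19 (constraintViolation) with ERROR_PASSWORD_RESTRICTION is a genuine policy rejection (length, complexity, history, or minimum password age). Grant the ldap-login-dn account the "Reset Password" right on the user OU rather than making it a domain administrator, since the credential is stored on the firewall.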