09-15-2009 06:30 AM
Hello,
I've an ASA 5510 configured with WebVPN and authentication over an MS ADS server (Windows 2003). Authentication is working perfectly, but password management doesn't work correctly.
If the user's password expires in 14 days, he gets a password-change dialog. He can click cancel and gets a "Login failed", although the password isn't expired. If he enters a new password, he always gets an error saying the password doesn't match the password policy. This also happens if I disable the password policy in ADS completely.
Here is a bit of debugging info:
[88] Session Start
[88] New request Session, context 0xd7d24220, reqType = Modify Password
[88] Fiber started
[88] Creating LDAP context with uri=ldaps://msads:636
[88] Connect to LDAP server: ldaps://msads:636, status = Successful
[88] supportedLDAPVersion: value = 3
[88] supportedLDAPVersion: value = 2
[88] Binding as asa
[88] Performing Simple authentication for asalookup to msads
[88] LDAP Search:
Base DN = [ou=Mitarbeiter,dc=rp]
Filter = [sAMAccountName=testuser]
Scope = [SUBTREE]
[88] User DN = [CN=testuser,OU=Mitarbeiter,DC=rp]
[88] Talking to Active Directory server msads
[88] Reading password policy for testuser, dn:CN=testuser,OU=Mitarbeiter,DC=rp
[88] Read bad password count 0
[88] Fiber exit Tx=809 bytes Rx=10792 bytes, status=-1
[88] Session End
I also tried giving the user administrator permissions, but that doesn't help.
Any further ideas?
regards,
tom
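As an added example (not code from the thread or from Cisco), a small Python parser for ASA `debug ldap` output of the kind posted above. The sample input is constructed from the posted "Modify Password" session plus a fabricated successful "Authentication" session; the final check flags password-change sessions that connected fine but exited with status=-1, which is the only symptom the ASA shows when the bind account cannot change passwords.

```python
import re
from typing import Dict, List

# Constructed sample: the "Modify Password" session posted above (trimmed) and a
# fabricated "Authentication" session that succeeded, so both outcomes appear.
SAMPLE_DEBUG = """\
[88] Session Start
[88] New request Session, context 0xd7d24220, reqType = Modify Password
[88] Connect to LDAP server: ldaps://msads:636, status = Successful
[88] User DN = [CN=testuser,OU=Mitarbeiter,DC=rp]
[88] Reading password policy for testuser, dn:CN=testuser,OU=Mitarbeiter,DC=rp
[88] Fiber exit Tx=809 bytes Rx=10792 bytes, status=-1
[88] Session End
[89] Session Start
[89] New request Session, context 0xd7d24400, reqType = Authentication
[89] Connect to LDAP server: ldaps://msads:636, status = Successful
[89] Fiber exit Tx=500 bytes Rx=2000 bytes, status=1
[89] Session End
"""

# Each regex's first group is the value to record; they are tried on every line.
FIELDS = {
    "request": re.compile(r"reqType = (.+)$"),
    "connect": re.compile(r"Connect to LDAP server: \S+ status = (\w+)"),
    "user_dn": re.compile(r"User DN = \[(.+)\]"),
    "status": re.compile(r"Fiber exit .*status=(-?\d+)"),
}

def parse_sessions(text: str) -> Dict[str, Dict[str, str]]:
    """Group 'debug ldap' output by its [NN] session id and extract key fields."""
    sessions: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = re.match(r"\[(\d+)\] (.*)", line)
        if not m:  # Base DN / Filter / Scope continuation lines carry no id
            continue
        sid, body = m.groups()
        rec = sessions.setdefault(sid, {"id": sid})
        for name, rx in FIELDS.items():
            hit = rx.search(body)
            if hit:
                rec[name] = hit.group(1)
    return sessions

def failed_password_changes(sessions: Dict[str, Dict[str, str]]) -> List[str]:
    """Ids of Modify Password sessions that reached AD yet exited with status=-1.
    The ASA logs no AD error text here, so this is the cue to check the bind
    account's rights (the thread's resolution: the account was read-only)."""
    return [s["id"] for s in sessions.values()
            if s.get("request") == "Modify Password"
            and s.get("connect") == "Successful"
            and s.get("status") == "-1"]
```

Feed it the full output of `debug ldap 255` captured from the terminal; continuation lines without a session id are skipped rather than misattributed.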
09-15-2009 09:48 AM
ASA version?
Related config?
09-15-2009 11:55 PM
fw01# show version
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"
fw01 up 5 days 15 hours
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 0022.909d.xxxx, irq 9
1: Ext: Ethernet0/1 : address is 0022.909d.xxxx, irq 9
2: Ext: Ethernet0/2 : address is 0022.909d.xxxx, irq 9
3: Ext: Ethernet0/3 : address is 0022.909d.xxxx, irq 9
4: Ext: Management0/0 : address is 0022.909d.xxxx, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 10
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5510 Security Plus license.
And here are some relevant config snippets:
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group ads LOCAL
default-group-policy smedia-default
password-management
tunnel-group DefaultWEBVPNGroup webvpn-attributes
customization smedia
tunnel-group testwizard type remote-access
tunnel-group testwizard general-attributes
authentication-server-group ads
authentication-server-group (Proxy) ads
authorization-server-group ads
default-group-policy testgrouppolicy
password-management
authorization-required
tunnel-group smedia type remote-access
tunnel-group smedia general-attributes
address-pool smedia
authentication-server-group ads LOCAL
default-group-policy smedia
password-management
tunnel-group smedia webvpn-attributes
proxy-auth sdi
group-alias smedia enable
group-policy DfltGrpPolicy attributes
vpn-idle-timeout 60
vpn-session-timeout 1440
vpn-tunnel-protocol IPSec webvpn
group-lock value DefaultWEBVPNGroup
webvpn
url-list value smedia-default
filter value smedia-default
http-proxy enable
customization value smedia
activex-relay disable
file-entry disable
file-browsing disable
group-policy smedia internal
group-policy smedia attributes
dns-server value 192.168.0.3
vpn-tunnel-protocol IPSec webvpn
group-lock value smedia
webvpn
customization value smedia
aaa-server ads protocol ldap
aaa-server ads (internal) host msads
server-port 636
ldap-base-dn ou=Mitarbeiter,DC=rp
ldap-group-base-dn OU=Sicherheitsgruppen,DC=rp
ldap-scope subtree
ldap-login-password xxx
ldap-login-dn CN=asa,OU=Extern,OU=Mitarbeiter,DC=rp
ldap-over-ssl enable
server-type microsoft
09-16-2009 01:19 PM
Not sure if it is a bug. I did a quick search but did not find one.
You might open a TAC case with "debug ldap 255" for further investigation.
09-24-2010 08:50 AM
Did you find a resolution to this issue? I'm configuring an ASA 5510 for the first time and experiencing the same problem.
Thank you!
Edit: In my case the problem was related to the AD account I was using for authentication; it was a read-only account. The account needs the ability to change passwords.