Help with Easy VPN Server

ryan_david
Level 1

Hi,

I have been trying to configure Cisco1941/K9 as Easy VPN Server through CiscoCP.

The tunnel comes up but I cannot pass any traffic to the secure LAN (GigEth 0/1). When the tunnel comes up, I can ping the Loopback interface and the GigEth 0/1 interface IPs.

Here is my config:

Router#show run
Building configuration...

Current configuration : 4492 bytes
!
! Last configuration change at 05:56:26 UTC Thu Jul 12 2012 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network VPN_Cisco local
!
!
!
aaa session-id common
!
!
no ipv6 cef
!
!
!
ip domain name domain.net
ip cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-765105936
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-765105936
revocation-check none
rsakeypair TP-self-signed-765105936
!
!
crypto pki certificate chain TP-self-signed-765105936
certificate self-signed 01


quit
license udi pid CISCO1941/K9 sn xxxxxxxxxxxx
hw-module ism 0
!
!
!
username admin privilege 15 secret 5 xxxxxxxxxxxxxxx
username ryan privilege 0 password 0 xxxxxxxxxxxxxxx
!
redundancy
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN_Group1
key xxxxxxxxxxx
dns 10.127.8.20
pool SDM_POOL_1
acl 100
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group VPN_Group1
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list VPN_Cisco
client configuration address initiate
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
interface Loopback0
ip address 10.127.15.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address xxx.xxx.xxx.xxx 255.255.255.224
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 10.127.31.26 255.255.255.252
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 10.127.52.3 10.127.52.254
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 10.0.0.0 255.0.0.0 10.127.31.25
!
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
access-list 150 remark VPN Clients
access-list 150 remark CCP_ACL Category=2
access-list 150 permit ip 10.127.52.0 0.0.0.255 10.0.0.0 0.255.255.255
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input telnet
!
scheduler allocate 20000 1000
end

I hope somebody can help me solve this.

Thank you in advance,

Ryan


Based on the debug output, it looks like you are using invalid credentials:

Aug 31 03:04:32.364: LDAP: resultCode:    49     (Invalid credentials)
Aug 31 03:04:32.364: LDAP: Received Bind Responseldap_parse_result ldap_err2string
Aug 31 03:04:32.364: LDAP: Ldap Result Msg: FAILED:Invalid credentials, Result code =49
Aug 31 03:04:32.364: LDAP: LDAP Bind operation result : failed

Can you share your LDAP server configuration?

The base-dn should be configured as "DC=asia,DC=pilkington,DC=net".

Also, what username have you used to authenticate? It should just be your normal login username (without the domain).

Hi Jennifer,

I have now changed my config accordingly.

Sorry but I do not have access to the LDAP server config. It is a Windows machine on Server 2003 and it is a Domain Controller.

I used my username asia\ryan or ryan@asia or ryan@asia.pilkington.net and ryan only but still the same results.

Thank you and Best Regards,

Ryan

hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa group server ldap ASIADC
server SPHASIADC001.asia.pilkington.net
!
aaa authentication login ciscocp_vpn_xauth_ml_1 group ASIADC
aaa authorization network NXP_VPN_Cisco local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
!
!
!
!
!
ip domain name asia.pilkington.net
ip cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-765105936
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-765105936
revocation-check none
rsakeypair TP-self-signed-765105936
!
!
crypto pki certificate chain TP-self-signed-765105936
certificate self-signed 01
        quit
license udi pid CISCO1941/K9 sn xxxxxxxxxxxx
hw-module ism 0
!
!
!
username admin privilege 15 secret 5 $1$rVI4$WIP5x6at0b1Vot5LbdlGN/
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN_Group1
key xxxxxxxxxxxxxxxx
dns 10.127.8.20
pool SDM_POOL_1
acl 100
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group VPN_Group1
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list NXP_VPN_Cisco
   client configuration address initiate
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
!
interface Loopback0
ip address 10.127.15.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address xxx.xxx.xxx.xxx 255.255.255.224
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 10.127.31.26 255.255.255.252
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 10.127.20.129 10.127.20.254
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 10.0.0.0 255.0.0.0 10.127.31.25
ip route 10.127.20.128 255.255.255.128 GigabitEthernet0/0
!
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
!
!
!
!
!
!
!
ldap attribute-map ASIA-username-map
map type sAMAccountName username format dn-to-string
!
ldap server SPHASIADC001.asia.pilkington.net
ipv4 10.127.8.20
attribute map ASIA-username-map
transport port 3268
bind authenticate root-dn CN=NDB\, S1234567,OU=Service Accounts,OU=Admin,OU=Accounts,DC=asia,DC=pilkington,DC=net password password1
base-dn DC=asia,DC=pilkington,DC=net
authentication bind-first
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input telnet
!
scheduler allocate 20000 1000
end

Router#

You should use just ryan, instead of

ryan@asia

or

ryan@asia.pilkington.net

Assuming that you normally log in to your PC using "ryan" as the username.

Are you still getting the invalid credential in the debugs?

Can you please share the output of "gpresult /r" from your DOS prompt.

Hi Jennifer,

I am still getting invalid credentials on the debugs.

Here is the output of gpresult /r:

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\ryan>gpresult /r

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 31/8/2012 at 2:15:50 PM


RSOP data for ASIA\ryan on WPHCNU1472B5M : Logging Mode
--------------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  6.1.7600
Site Name:                   PHNXP
Roaming Profile:             N/A
Local Profile:               C:\Users\ryan
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=WPHCNU1472B5M,OU=Computers,OU=Office Workers,OU=Accounts,DC=asia,DC=pilkington,DC=net
    Last time Group Policy was applied: 31/8/2012 at 1:36:10 PM
    Group Policy was applied from:      sphasiadc001.asia.pilkington.net
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        ASIA
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        dom_ASIA DNS Suffixes v1.0
        dom_all WiFi v1.0
        dom_all_Windows_v1.2
        dom_all_Windows Policy Global v1.4
        dom_ASIA Client Local Domain Security Principles v1.1
        dom_all Lync 2010 v1.0
        Default Domain Policy
        dom_all_InternetExplorer_v1.13
        dom_ASIA Local Domain Security Principles v1.0

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        dom_all_Legacy_Windows_v1.2
            Filtering:  Denied (WMI Filter)
            WMI Filter: Check for XP and Below

        ou_OfficeWorker_v1.2
            Filtering:  Disabled (GPO)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        dom_all Office v1.4
            Filtering:  Disabled (GPO)

        dom_all_XP_Logoff_Script_v1.0
            Filtering:  Disabled (GPO)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        WPHCNU1472B5M$
        Domain Computers
        System Mandatory Level


USER SETTINGS
--------------
    CN=David\, Ryan,OU=Users,OU=Admin,OU=Accounts,DC=asia,DC=pilkington,DC=net
    Last time Group Policy was applied: 31/8/2012 at 1:21:08 PM
    Group Policy was applied from:      sphasiadc001.asia.pilkington.net
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        ASIA
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        grp_GPO_Exceptions_NANOX v2
        dom_all_IS_Wallpaper
        dom_all Office v1.4
        dom_all_Windows_v1.2
        dom_all_Windows Policy Global v1.4
        dom_ASIA Client Local Domain Security Principles v1.1
        dom_all Lync 2010 v1.0
        Default Domain Policy
        dom_all_InternetExplorer_v1.13
        dom_ASIA Local Domain Security Principles v1.0

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        dom_all_Legacy_Windows_v1.2
            Filtering:  Denied (WMI Filter)
            WMI Filter: Check for XP and Below

        dom_ASIA DNS Suffixes v1.0
            Filtering:  Disabled (GPO)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        dom_all_XP_Logoff_Script_v1.0
            Filtering:  Denied (Security)

        dom_all WiFi v1.0
            Filtering:  Disabled (GPO)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        Offer Remote Assistance Helpers
        Network Configuration Operators
        BUILTIN\Users
        BUILTIN\Administrators
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        CMS Group - Internet Access
        GGbGlobal Client Refresh MOD
        GServer SupportPH
        G_GPOs_Pilot_Nanox
        GclientAdminsPH
        GAccount Editors
        G_BMC_TerminalServices
        G_GPOs_Exceptions_Nanox
        UIntranet_Asia_Users
        GClientAdmins
        UPhonebookTest
        UAltiris Report Users
        GClientAdmins
        GClientAdmins
        GClientAdmins
        GClientAdmins
        GIS_Wallpaper
        @GlobalWintelRebootCoordinators
        @All Global IS
        UAltiris Client Software Distributors
        UGlobalPrintOps
        U_TerminalServiceUser
        UGbGlobal Client Refresh MOD
        UAltirisRemoteAccess
        CMS Group - Internet Access
        GAccount Editors
        ryan
        GClientAdmins
        GClientAdmins
        GClientAdmins
        LClient Admins
        LAccount Editors
        High Mandatory Level

C:\Users\ryan>

Thank you and Best Regards,

Ryan

Is your account still working? Can you log out from your PC and log back in? Assuming that you are in the office network, it can then authenticate towards the LDAP server itself instead of using cached credentials.

Can you ask someone else to try and see if they can login?

Hi Jennifer,

I found the problem.

I removed authentication bind-first and it is now working.

I will try with other users as well.

Thank you for your help.

Best Regards,

Ryan
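Added illustration, not code from the thread: a toy in-memory directory that models the two orders of operation an LDAP client can use, search-first (bind as the configured root-dn, look the user up by sAMAccountName, then bind as the DN found) versus binding straight away with a DN built from the login name. The directory, passwords and the exact way the bind-first DN is formed are assumptions chosen to show why an account whose CN ("David\, Ryan") differs from its sAMAccountName ("ryan") can bind only after a search, matching the resultCode 49 seen in the debugs; it is not a statement of IOS internals.

```python
# Constructed toy directory modelling the thread's LDAP setup (assumed data).
LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49  # the resultCode in the thread's debug output

BASE_DN = "DC=asia,DC=pilkington,DC=net"

# DN -> (attributes, password). Passwords are made up for the example.
DIRECTORY = {
    "CN=NDB\\, S1234567,OU=Service Accounts,OU=Admin,OU=Accounts," + BASE_DN:
        ({"sAMAccountName": "S1234567"}, "svc-password"),
    "CN=David\\, Ryan,OU=Users,OU=Admin,OU=Accounts," + BASE_DN:
        ({"sAMAccountName": "ryan"}, "ryans-password"),
}


def simple_bind(dn, password):
    """Return an LDAP-style result code for a simple bind against DIRECTORY."""
    entry = DIRECTORY.get(dn)
    if entry is None or entry[1] != password:
        return LDAP_INVALID_CREDENTIALS
    return LDAP_SUCCESS


def search(base_dn, attr, value):
    """Return the DN under base_dn whose attribute attr equals value, else None."""
    for dn, (attrs, _pw) in DIRECTORY.items():
        if dn.endswith(base_dn) and attrs.get(attr) == value:
            return dn
    return None


def bind_first_auth(username, password, base_dn=BASE_DN):
    """Assumed bind-first model: bind with a DN formed directly from the login name.

    Fails (49) whenever the entry's CN is not the bare sAMAccountName."""
    return simple_bind(f"CN={username},{base_dn}", password)


def search_first_auth(username, password, root_dn, root_pw, base_dn=BASE_DN):
    """Search-first model: bind as the service account, resolve the user's real DN
    via sAMAccountName (the thread's attribute map), then bind as that DN."""
    if simple_bind(root_dn, root_pw) != LDAP_SUCCESS:
        return LDAP_INVALID_CREDENTIALS
    user_dn = search(base_dn, "sAMAccountName", username)
    if user_dn is None:
        return LDAP_INVALID_CREDENTIALS
    return simple_bind(user_dn, password)
```

Running `search_first_auth("ryan", ...)` with the service account succeeds while `bind_first_auth("ryan", ...)` returns 49; so does a search-first attempt with "ryan@asia", since no entry has that sAMAccountName.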

Great findings, and thanks for the update.

Good to hear all is working well now.
