Problem with SSL VPN authentication using LDAP; fails to authenticate client even when server returns authentication successful

baskervi
Level 1

We have a new ASA-5506x running 9.6(1) that replaced an ASA-5505. The 5505 never gave us problems authenticating SSL VPN users, but I'm stumped with the 5506. The 5506 will always authenticate users for a while after a reboot, and even without a reboot it will eventually start authenticating again. The clock is synced with the domain's time, and it appears that the server sends back "Authentication successful for testuser to 192.168.30.2." The LDAP debugging was almost the same between it succeeding and failing, but here are the differences after a reboot when it does succeed:

***** ldap-fail.txt
[84] Connect to LDAP server: ldap://192.168.30.2:389, status = Successful
[84] supportedLDAPVersion: value = 3
***** ldap-success.TXT
[84] Connect to LDAP server: ldap://192.168.30.2:389, status = Successful
[84] defaultNamingContext: value = DC=companyname,DC=local
[84] supportedLDAPVersion: value = 3
*****

***** ldap-fail.txt
[84] supportedLDAPVersion: value = 2
[84] Binding as LDAPAuth
***** ldap-success.TXT
[84] supportedLDAPVersion: value = 2
[84] supportedSASLMechanisms: value = GSSAPI
[84] supportedSASLMechanisms: value = GSS-SPNEGO
[84] supportedSASLMechanisms: value = EXTERNAL
[84] supportedSASLMechanisms: value = DIGEST-MD5
[84] Binding as LDAPAuth
*****

Here are the LDAP debugging results for when authentication fails:

[84] Session Start
[84] New request Session, context 0x00007f715b8bd530, reqType = Authentication
[84] Fiber started
[84] Creating LDAP context with uri=ldap://192.168.30.2:389
[84] Connect to LDAP server: ldap://192.168.30.2:389, status = Successful
[84] supportedLDAPVersion: value = 3
[84] supportedLDAPVersion: value = 2
[84] Binding as LDAPAuth
[84] Performing Simple authentication for LDAPAuth to 192.168.30.2
[84] LDAP Search:
Base DN = [DC=companyname,DC=local]
Filter = [sAMAccountName=testuser]
Scope = [SUBTREE]
[84] User DN = [CN=Test User,CN=Company Users,DC=companyname,DC=local]
[84] Talking to Active Directory server 192.168.30.2
[84] Reading password policy for testuser, dn:CN=Test User,CN=Managed Service Accounts,DC=companyname,DC=local
[84] Read bad password count 0
[84] Binding as testuser
[84] Performing Simple authentication for testuser to 192.168.30.2
[84] Processing LDAP response for user testuser
[84] Message (testuser):
[84] Authentication successful for testuser to 192.168.30.2
[84] Retrieved User Attributes:
[84] objectClass: value = top
[84] objectClass: value = person
[84] objectClass: value = organizationalPerson
[84] objectClass: value = user
[84] cn: value = Test User
[84] sn: value = User
[84] description: value = IT Support, 405-226-1485
[84] givenName: value = Test
[84] distinguishedName: value = CN=Test User,CN=Company Users,DC=companyname,DC=local
[84] instanceType: value = 4
[84] whenCreated: value = 20120306225939.0Z
[84] whenChanged: value = 20160922202539.0Z
[84] displayName: value = Test User
[84] uSNCreated: value = 8406
[84] memberOf: value = CN=Users,CN=Builtin,DC=companyname,DC=local
[84] uSNChanged: value = 12096005
[84] name: value = Test User
[84] objectGUID: value = .J@].$.J..nU{8.V
[84] userAccountControl: value = 66048
[84] badPwdCount: value = 0
[84] codePage: value = 0
[84] countryCode: value = 0
[84] badPasswordTime: value = 131194878662214912
[84] lastLogoff: value = 0
[84] lastLogon: value = 131194878707300646
[84] pwdLastSet: value = 130021506423097880
[84] primaryGroupID: value = 513
[84] objectSid: value = ..............`.....vm.ai...
[84] adminCount: value = 1
[84] accountExpires: value = 9223372036854775807
[84] logonCount: value = 565
[84] sAMAccountName: value = testuser
[84] sAMAccountType: value = 805306368
[84] userPrincipalName: value = testuser@companyname.local
[84] lockoutTime: value = 0
[84] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=companyname,DC=local
[84] mSMQSignCertificates: value = ........^.....,...!.J......K..f2........0...0............ZU0...*.H.......0x1.0..
[84] mSMQDigests: value = ....^.....,...!.
[84] dSCorePropagationData: value = 20120529163918.0Z
[84] dSCorePropagationData: value = 16010101000000.0Z
[84] lastLogonTimestamp: value = 131190495394957680
[84] Fiber exit Tx=622 bytes Rx=3959 bytes, status=1
[84] Session End

Any suggestions would be greatly appreciated.
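When working through a `debug ldap` capture like the one above, it helps to turn the raw lines into structured data: the `[id] name: value = X` attribute lines decode into Active Directory fields (Windows FILETIME stamps such as `lastLogon` and `pwdLastSet`, and the `userAccountControl` bitmask), the two DNs the ASA reports (the resolved user DN and the DN used for the password-policy lookup) can be compared mechanically, and two captures can be diffed the way the poster did by hand. The script below is an added example, not code from the original post or from Cisco; the `SAMPLE_DEBUG` text is a constructed, trimmed copy of the failing-case output shown above, and the line regexes are assumptions based on that output's format.

```python
"""Parse Cisco ASA `debug ldap` output and decode the AD attributes it returns.

Added example (not from the original post). SAMPLE_DEBUG is constructed from
the attribute lines shown in the post; the "[id] name: value = X" format and
the "User DN" / "Reading password policy" lines are assumed from that output.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a trimmed copy of the failing-case debug from the post.
SAMPLE_DEBUG = """\
[84] Session Start
[84] Connect to LDAP server: ldap://192.168.30.2:389, status = Successful
[84] Binding as LDAPAuth
[84] User DN = [CN=Test User,CN=Company Users,DC=companyname,DC=local]
[84] Reading password policy for testuser, dn:CN=Test User,CN=Managed Service Accounts,DC=companyname,DC=local
[84] Read bad password count 0
[84] Authentication successful for testuser to 192.168.30.2
[84] Retrieved User Attributes:
[84] objectClass: value = top
[84] objectClass: value = user
[84] memberOf: value = CN=Users,CN=Builtin,DC=companyname,DC=local
[84] userAccountControl: value = 66048
[84] badPasswordTime: value = 131194878662214912
[84] lastLogon: value = 131194878707300646
[84] pwdLastSet: value = 130021506423097880
[84] sAMAccountName: value = testuser
[84] Fiber exit Tx=622 bytes Rx=3959 bytes, status=1
[84] Session End
"""

ID_PREFIX_RE = re.compile(r"^\[\d+\]\s+")
ATTR_RE = re.compile(r"^\[\d+\]\s+(\w+): value = (.*)$")
USER_DN_RE = re.compile(r"User DN = \[(.*)\]$")
POLICY_DN_RE = re.compile(r"Reading password policy for \S+, dn:(.*)$")
FIBER_RE = re.compile(r"Fiber exit .*status=(\d+)")

# Windows FILETIME counts 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 9223372036854775807  # accountExpires uses this for "never"

# userAccountControl bit flags as documented by Microsoft.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE", 0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT", 0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD", 0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION", 0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}


def filetime_to_datetime(value):
    """Convert an AD FILETIME string/int to an aware UTC datetime (None if unset/never)."""
    value = int(value)
    if value in (0, NEVER):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def decode_uac(value):
    """Return the flag names set in a userAccountControl value, lowest bit first."""
    value = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def parse_debug(text):
    """Extract attributes (multi-valued as lists), DNs, and outcome markers from a capture."""
    result = {"attributes": {}, "user_dn": None, "policy_dn": None,
              "auth_successful": False, "fiber_status": None}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            result["attributes"].setdefault(m.group(1), []).append(m.group(2))
            continue
        for key, rx in (("user_dn", USER_DN_RE), ("policy_dn", POLICY_DN_RE)):
            m = rx.search(line)
            if m:
                result[key] = m.group(1).strip()
        if "Authentication successful for" in line:
            result["auth_successful"] = True
        m = FIBER_RE.search(line)
        if m:
            result["fiber_status"] = int(m.group(1))
    return result


def consistency_findings(parsed):
    """Things worth a second look that the parser can spot without knowing the root cause."""
    findings = []
    if parsed["user_dn"] and parsed["policy_dn"] and parsed["user_dn"] != parsed["policy_dn"]:
        findings.append("user DN and password-policy DN differ")
    uac = parsed["attributes"].get("userAccountControl")
    if uac:
        for flag in ("ACCOUNTDISABLE", "LOCKOUT", "PASSWORD_EXPIRED"):
            if flag in decode_uac(uac[0]):
                findings.append(f"userAccountControl has {flag}")
    return findings


def diff_debug(capture_a, capture_b):
    """Lines unique to each capture, ignoring the [id] prefix (like the poster's ***** blocks)."""
    strip = lambda t: [ID_PREFIX_RE.sub("", l) for l in t.splitlines() if l.strip()]
    a, b = strip(capture_a), strip(capture_b)
    return [l for l in a if l not in b], [l for l in b if l not in a]


if __name__ == "__main__":
    parsed = parse_debug(SAMPLE_DEBUG)
    for name in ("pwdLastSet", "badPasswordTime", "lastLogon"):
        print(name, filetime_to_datetime(parsed["attributes"][name][0]))
    print("userAccountControl:", decode_uac(parsed["attributes"]["userAccountControl"][0]))
    print("findings:", consistency_findings(parsed))
```

Run it on a saved capture by replacing `SAMPLE_DEBUG` with the file contents; `diff_debug(open("ldap-fail.txt").read(), open("ldap-success.txt").read())` reproduces the side-by-side comparison from the post without the `[84]` session ids getting in the way. The decoded timestamps make it easy to line the ASA's view of `badPasswordTime` and `lastLogon` up against the domain controller's security log when deciding whether a failed VPN login ever reached AD as a bind.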