vpn with AD authentication fails error 691

cisco, Level 1

Hello,

I configured my ASA 5510 to use AD for VPN user authentication. Although I'm using L2TP/IPsec, I used the following document as a guideline: https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml#prereq

- When testing from within ASDM, the connection to AD is successful.

- When trying to connect with a Microsoft VPN client I get error 691: The remote connection was denied because the username and password combination you provided is not recognized or the selected authentication protocol is not permitted on the remote access server. On the VPN client I have only MSCHAPv2 enabled and I require encryption.

- When running debug ldap 255 I get the following output:

[26] Session Start
[26] New request Session, context 0xd8760198, reqType = Authentication
[26] Fiber started
[26] Failed: The username or password is blank
[26] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[26] Session End

Before configuring my VPN connection profile to use AD I was able to connect using LOCAL users. There was no network access when connected to the VPN.

Here's the show conf output:

hostname host1
enable password r2.d52YOdvbTM6/l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 100.100.100.178 255.255.255.240 standby 100.100.100.179
!
interface Ethernet0/1
nameif Inside_1
security-level 60
ip address 20.20.20.2 255.255.255.0 standby 20.20.20.3
!
interface Ethernet0/2
nameif Inside_2
security-level 90
ip address 30.30.30.2 255.255.255.0 standby 30.30.30.3
!
interface Ethernet0/3
nameif DMZ
security-level 30
ip address 10.10.3.2 255.255.255.0 standby 10.10.3.3
!
interface Management0/0
description LAN Failover Interface
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
access-list DefaultRAGroup_splitTunnelAcl standard permit 20.20.20.0 255.255.255.0
access-list nonat extended permit ip 20.20.20.0 255.255.255.0 10.0.5.0 255.255.255.0
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside_1 1500
mtu Inside_2 1500
mtu DMZ 1500
ip local pool clientVPNpool 10.0.5.10-10.0.5.150 mask 255.255.255.0
failover
failover lan unit secondary
failover lan interface failoverlink Management0/0
failover interface ip failoverlink 90.0.0.2 255.255.255.0 standby 90.0.0.3
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside_1) 0 access-list nonat
nat (Inside_1) 1 0.0.0.0 0.0.0.0
route Outside 0.0.0.0 0.0.0.0 100.100.100.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ActiveDirectory protocol ldap
aaa-server ActiveDirectory (Inside_1) host 20.20.20.24
ldap-base-dn OU=ouname,DC=domainname,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn CN=cisco,OU=Service Accounts,OU=ouname,DC=domainname,DC=local
server-type microsoft
aaa authentication ssh console LOCAL
http server enable
http 20.20.20.0 255.255.255.0 Inside_1
http 30.30.30.0 255.255.255.0 Inside_2
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA mode transport
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA mode transport
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh 20.20.20.0 255.255.255.0 Inside_1
ssh 30.30.30.0 255.255.255.0 Inside_2
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable Outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 20.20.20.24 30.30.30.35
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value domainname.local
username test password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted
username VPNtest2 password pXVGjB7BA7pQ4yNcDbuXkw== nt-encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool clientVPNpool
authentication-server-group ActiveDirectory
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
policy-map global-policy
class inspection_default
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:756efffc44ac8f81f4f377567174c15f
: end

Accepted Solution:

hmmm what about setting PPP only on both ASA and client?

It's of course one of the possibilities.


8 Replies

Marcin Latosiewicz, Cisco Employee

Did you enable dial-in in AD for this user?

Can you provide me

---------

debug aaa common 255

debug ldap 255
---------

when the "test" command is being executed and when you try to auth with RA VPN?

Marcin

Yes, I enabled allow dial-in for the user in AD.

I didn't configure the LDAP IETF-RADIUS attribute 25 (Class), because I thought this wasn't necessary for authentication only?

Thanks


RA VPN

host1(config)# debug aaa common
debug aaa common enabled at level 1
host1(config)# ERROR: Invalid password
ERROR: Invalid password

host1(config)# debug ldap 255
[102] Session Start
[102] New request Session, context 0xd8760198, reqType = Authentication
[102] Fiber started
[102] Failed: The username or password is blank
[102] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[102] Session End
ERROR: Invalid password

-----------------------------------------


Test in ASDM


testing authorization

host1(config)# debug aaa common 255
debug aaa common enabled at level 255
host1(config)# callback_aaa_task: status = 1, msg =
callback_aaa_task: status = 1, msg =

testing authentication

host1(config)# debug ldap 255
debug ldap  enabled at level 255
host1(config)#
[64] Session Start
[64] New request Session, context 0xd8760198, reqType = Other
[64] Fiber started
[64] Creating LDAP context with uri=ldap://20.20.20.24:389
[64] Connect to LDAP server: ldap://20.20.20.24:389, status = Successful
[64] supportedLDAPVersion: value = 3
[64] supportedLDAPVersion: value = 2
[64] Binding as cisco
[64] Performing Simple authentication for cisco to 20.20.20.24
[64] LDAP Search:
        Base DN = [OU=ouname,DC=domainname,DC=local]
        Filter  = [sAMAccountName=cisco]
        Scope   = [SUBTREE]
[64] User DN = [CN=cisco,OU=Service Accounts,OU=ouname,DC=domainname,DC=local]
[64] LDAP Search:
        Base DN = [OU=ouname,DC=domainname,DC=local]
        Filter  = [sAMAccountName=cisco]
        Scope   = [SUBTREE]
[64] Retrieved User Attributes:
[64]    objectClass: value = top
[64]    objectClass: value = person
[64]    objectClass: value = organizationalPerson
[64]    objectClass: value = user
[64]    cn: value = cisco
[64]    givenName: value = cisco
[64]    distinguishedName: value = CN=cisco,OU=Service Accounts,OU=ouname,DC=domainname,DC=local
[64]    instanceType: value = 4
[64]    whenCreated: value = 20100525101439.0Z
[64]    whenChanged: value = 20100525120443.0Z
[64]    displayName: value = cisco
[64]    uSNCreated: value = 11819757
[64]    memberOf: value = CN=Domain Admins,CN=Users,DC=domainname,DC=local
[64]    uSNChanged: value = 11821224
[64]    name: value = cisco
[64]    objectGUID: value = .S.6..EH.z..W...
[64]    userAccountControl: value = 66048
[64]    badPwdCount: value = 0
[64]    codePage: value = 0
[64]    countryCode: value = 0
[64]    badPasswordTime: value = 0
[64]    lastLogoff: value = 0
[64]    lastLogon: value = 0
[64]    pwdLastSet: value = 129192560797405055
[64]    primaryGroupID: value = 513
[64]    userParameters: value = m:                    d.
[64]    objectSid: value = .............lv...h..O.Z....
[64]    adminCount: value = 1
[64]    accountExpires: value = 9223372036854775807
[64]    logonCount: value = 0
[64]    sAMAccountName: value = cisco
[64]    sAMAccountType: value = 805306368
[64]    userPrincipalName: value = cisco@domainname.local
[64]    objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=domainname,DC=local
[64]    msNPAllowDialin: value = TRUE
[64]    dSCorePropagationData: value = 16010101000000.0Z
[64]    lastLogonTimestamp: value = 129192573532842908
[64] Fiber exit Tx=373 bytes Rx=3510 bytes, status=1
[64] Session End

[65] Session Start
[65] New request Session, context 0xd8760198, reqType = Authentication
[65] Fiber started
[65] Creating LDAP context with uri=ldap://20.20.20.24:389
[65] Connect to LDAP server: ldap://20.20.20.24:389, status = Successful
[65] supportedLDAPVersion: value = 3
[65] supportedLDAPVersion: value = 2
[65] Binding as cisco
[65] Performing Simple authentication for cisco to 20.20.20.24
[65] LDAP Search:
        Base DN = [OU=ouname,DC=domainname,DC=local]
        Filter  = [sAMAccountName=cisco]
        Scope   = [SUBTREE]
[65] User DN = [CN=cisco,OU=Service Accounts,OU=ouname,DC=domainname,DC=local]
[65] Talking to Active Directory server 20.20.20.24
[65] Reading password policy for cisco, dn:CN=cisco,OU=Service Accounts,OU=ouname,DC=domainname,DC=local
[65] Read bad password count 0
[65] Binding as cisco
[65] Performing Simple authentication for cisco to 20.20.20.24
[65] Processing LDAP response for user cisco
[65] Message (cisco):
[65] Authentication successful for cisco to 20.20.20.24
[65] Retrieved User Attributes:
[65]    objectClass: value = top
[65]    objectClass: value = person
[65]    objectClass: value = organizationalPerson
[65]    objectClass: value = user
[65]    cn: value = cisco
[65]    givenName: value = cisco
[65]    distinguishedName: value = CN=cisco,OU=Service Accounts,OU=ouname,DC=domainname,DC=local
[65]    instanceType: value = 4
[65]    whenCreated: value = 20100525101439.0Z
[65]    whenChanged: value = 20100525120443.0Z
[65]    displayName: value = cisco
[65]    uSNCreated: value = 11819757
[65]    memberOf: value = CN=Domain Admins,CN=Users,DC=domainname,DC=local
[65]    uSNChanged: value = 11821224
[65]    name: value = cisco
[65]    objectGUID: value = .S.6..EH.z..W...
[65]    userAccountControl: value = 66048
[65]    badPwdCount: value = 0
[65]    codePage: value = 0
[65]    countryCode: value = 0
[65]    badPasswordTime: value = 0
[65]    lastLogoff: value = 0
[65]    lastLogon: value = 0
[65]    pwdLastSet: value = 129192560797405055
[65]    primaryGroupID: value = 513
[65]    userParameters: value = m:                    d.
[65]    objectSid: value = .............lv...h..O.Z....
[65]    adminCount: value = 1
[65]    accountExpires: value = 9223372036854775807
[65]    logonCount: value = 0
[65]    sAMAccountName: value = cisco
[65]    sAMAccountType: value = 805306368
[65]    userPrincipalName: value = cisco@domainname.local
[65]    objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=domainname,DC=local
[65]    msNPAllowDialin: value = TRUE
[65]    dSCorePropagationData: value = 16010101000000.0Z
[65]    lastLogonTimestamp: value = 129192573532842908
[65] Fiber exit Tx=583 bytes Rx=2363 bytes, status=1
[65] Session End

Can you please try PPP as the authentication mechanism?

LDAP will require a cleartext password delivered to it and I believe MS-CHAP is not willing ;-)
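The two debug captures in this thread carry the whole diagnosis: the RA VPN attempt ends with `Fiber exit Tx=0 bytes Rx=0 bytes, status=-3` and "The username or password is blank", meaning the ASA never even opened a connection to the domain controller, while the ASDM test binds, authenticates and pulls the user's attributes. That is exactly the point in the reply above about LDAP needing the cleartext password. Below is an added example, written for this page and not code from the thread or from Cisco, that parses `debug ldap 255` session blocks and reports what each one means. The sample input is constructed from the thread's own output, trimmed to the lines the checks need; the finding labels and the `userAccountControl` bit mask for DONT_EXPIRE_PASSWORD (0x10000, the standard Active Directory value) are mine. Two of the checks flag things visible in the thread that a reviewer would want fixed regardless of error 691: the ASA performs a simple bind over `ldap://` on port 389, so the service-account password crosses the inside network unencrypted (on the ASA, `ldap-over-ssl enable` with `server-port 636` under the `aaa-server ... host` entry fixes that, given a certificate on the DC), and the `cisco` login DN is a member of Domain Admins with `adminCount: 1`, which is far more privilege than a read-only directory lookup needs.

```python
"""Parse Cisco ASA 'debug ldap 255' output and explain each session's outcome.
Added example for this page; not code from the thread or from Cisco."""
import re
from dataclasses import dataclass, field

# Constructed sample: two sessions excerpted from the thread and trimmed.
# [26] is the failed RA VPN attempt; [65] is the successful ASDM test.
SAMPLE_DEBUG = """\
[26] Session Start
[26] New request Session, context 0xd8760198, reqType = Authentication
[26] Failed: The username or password is blank
[26] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[26] Session End
[65] Session Start
[65] New request Session, context 0xd8760198, reqType = Authentication
[65] Creating LDAP context with uri=ldap://20.20.20.24:389
[65] Performing Simple authentication for cisco to 20.20.20.24
[65] Authentication successful for cisco to 20.20.20.24
[65] Retrieved User Attributes:
[65]    memberOf: value = CN=Domain Admins,CN=Users,DC=domainname,DC=local
[65]    userAccountControl: value = 66048
[65]    msNPAllowDialin: value = TRUE
[65] Fiber exit Tx=583 bytes Rx=2363 bytes, status=1
[65] Session End
"""

DONT_EXPIRE_PASSWORD = 0x10000  # standard AD userAccountControl bit (assumed value)


@dataclass
class Session:
    sid: int
    req_type: str = ""
    uri: str = ""
    failed: str = ""
    simple_bind: bool = False
    auth_ok: bool = False
    tx: int = 0
    rx: int = 0
    status: int = 0
    attrs: dict = field(default_factory=dict)  # attribute -> list of values


def parse_debug_ldap(text):
    """Group the '[n] ...' lines into Session objects, in order of first appearance."""
    sessions, in_attrs = {}, set()
    for line in text.splitlines():
        m = re.match(r"\[(\d+)\]\s*(.*)", line)
        if not m:
            continue  # continuation lines (Base DN = ..., Filter = ...) carry no [n]
        sid, body = int(m.group(1)), m.group(2).strip()
        s = sessions.setdefault(sid, Session(sid))
        if body.startswith("New request Session"):
            s.req_type = body.rsplit("reqType = ", 1)[1]
        elif body.startswith("Creating LDAP context with uri="):
            s.uri = body.split("uri=", 1)[1]
        elif body.startswith("Performing Simple authentication"):
            s.simple_bind = True
        elif body.startswith("Failed:"):
            s.failed = body[len("Failed:"):].strip()
        elif body.startswith("Authentication successful"):
            s.auth_ok = True
        elif body.startswith("Retrieved User Attributes"):
            in_attrs.add(sid)  # attribute lines follow until Fiber exit
        elif body.startswith("Fiber exit"):
            mm = re.search(r"Tx=(\d+) bytes Rx=(\d+) bytes, status=(-?\d+)", body)
            s.tx, s.rx, s.status = (int(x) for x in mm.groups())
        elif sid in in_attrs:
            mm = re.match(r"(\w+): value = (.*)", body)
            if mm:
                s.attrs.setdefault(mm.group(1), []).append(mm.group(2))
    return list(sessions.values())


def diagnose(s):
    """Return finding strings for one session; each starts with a short label."""
    f = []
    if s.req_type == "Authentication" and s.tx == 0 and s.rx == 0:
        f.append("no-traffic: rejected before any LDAP connection was opened; the LDAP "
                 "module got no cleartext password to bind with (challenge-response "
                 "PPP methods such as MS-CHAPv2 cannot provide one)")
    if s.failed:
        f.append("ldap-failed: " + s.failed)
    if s.simple_bind and s.uri.startswith("ldap://"):
        f.append("cleartext-bind: simple bind over ldap:// exposes the bind password; use LDAPS")
    uac = int(s.attrs.get("userAccountControl", ["0"])[0])
    if uac & DONT_EXPIRE_PASSWORD:
        f.append("password-never-expires: DONT_EXPIRE_PASSWORD is set on this account")
    if any("CN=Domain Admins" in g for g in s.attrs.get("memberOf", [])):
        f.append("privileged-bind-account: Domain Admin used for a read-only lookup")
    if s.attrs.get("msNPAllowDialin") == ["FALSE"]:
        f.append("dial-in-denied: msNPAllowDialin is FALSE")
    return f


if __name__ == "__main__":
    for sess in parse_debug_ldap(SAMPLE_DEBUG):
        print(f"[{sess.sid}] status={sess.status} tx={sess.tx} rx={sess.rx}")
        for finding in diagnose(sess):
            print("   -", finding)
```

Run it as-is to see the findings for the constructed sample, or feed it a real capture by replacing `SAMPLE_DEBUG` with the pasted terminal output (a file name such as `ldap_debug_check.py` is just a suggestion). A real `debug ldap 255` capture also includes the `[n] Fiber started`, `Connect to LDAP server` and `User DN` lines, which the parser tolerates and ignores; the continuation lines of the `LDAP Search:` block carry no `[n]` prefix and are skipped for the same reason.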

Did you mean PAP on the VPN client? Or do I have to change something on the ASA? On the client I was using MSCHAPv2 and I now tried with PAP and MSCHAP as well. Still the same. Including the domain name doesn't change anything either...

On the ASA I configured the PPP attributes with MSCHAPv2 and no MSCHAP authentication.

I enabled PAP on the ASA and used PAP + MSCHAPv2 on the client. Tried with and without the "Include Windows domain" check box.

New settings on the ASA:

tunnel-group DefaultRAGroup ppp-attributes
authentication pap
no authentication chap
authentication ms-chap-v2

hmmm what about setting PPP only on both ASA and client?

It's of course one of the possibilities.

I changed the base DN to the root of my domain and afterwards changed to CHAP only on ASA and client, and it's connected now.

One more question though: do you have an idea why I can't access my Inside_1 network?

I created two access lists, for the nonat and the split tunnel:

access-list DefaultRAGroup_splitTunnelAcl standard permit 20.20.20.0 255.255.255.0
access-list nonat extended permit ip 20.20.20.0 255.255.255.0 10.0.5.0 255.255.255.0

and

global (Outside) 1 interface
nat (Inside_1) 0 access-list nonat
nat (Inside_1) 1 0.0.0.0 0.0.0.0
route Outside 0.0.0.0 0.0.0.0 100.100.100.177 1

but I can't ping, RDP or anything from my VPN network to the internal network...

Thanks,

Martin

Forget what I said in my last post. I'm migrating firewalls and of course didn't change the default gateways on the inside machines yet.
