Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

WebVPN on LDAP

I have successfully configure a Server Group for LDAP authentication, tested and working.

When I change the WebVPN to authenticate to LDAP, it still tries to search in the Local Database.

Error: AAA user authentication rejected : reason = Invalid password : local database : user = testAD

Here's the config

aaa-server LDAP_SVR protocol ldap

aaa-server LDAP_SVR (Inside) host 192.168.1.1

server-port 389

ldap-base-dn dc=domainname, dc=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password password

ldap-login-dn CN=admin,CN=Users,DC=domainname,DC=local

server-type microsoft

ldap-attribute-map CISCOMAP

webvpn

enable outside

anyconnect-essentials

svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1 regex "Windows NT"

svc image disk0:/anyconnect-macosx-i386-3.0.5080-k9.pkg 2 regex "Intel Mac OS X"

svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 3 regex "Intel Mac OS X"

svc enable

tunnel-group-preference group-url

group-policy RemotePolicy attributes

dns-server value 192.168.1.1 192.168.1.2

vpn-filter value NAT0

vpn-tunnel-protocol svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Tunnel_Networks

default-domain value domainname.local

address-pools value SSLVPNIPPool

webvpn

  url-list none

  svc ask enable default webvpn

tunnel-group SSLVPN type remote-access

tunnel-group SSLVPN general-attributes

address-pool SSLVPNIPPool

authentication-server-group LDAP_SVR

default-group-policy RemotePolicy

Thnaks for your help!

8 REPLIES

WebVPN on LDAP

Hello Jean,

The configuration looks good, can you provide us a debug webvpn 255 when you try to anyconnect to the ASA.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

WebVPN on LDAP

WARNING: CSD is disabled by AnyConnect Essentials license.
webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
webvpn_portal.c:webvpn_login_validate_net_handle[2234]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
webvpn_portal.c:webvpn_login_assign_app_next[2272]
webvpn_portal.c:webvpn_login_cookie_check[2289]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
webvpn_login_resolve_tunnel_group: tgCookie = NULL
webvpn_login_resolve_tunnel_group: tunnel group name from default
webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup
webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
webvpn_portal.c:webvpn_login_check_cert_status[2733]
webvpn_portal.c:webvpn_login_cert_only[2774]
webvpn_portal.c:webvpn_login_primary_username[2796]
webvpn_portal.c:webvpn_login_primary_password[2878]
webvpn_portal.c:webvpn_login_secondary_username[2910]
webvpn_portal.c:webvpn_login_secondary_password[2988]
webvpn_portal.c:webvpn_login_extra_password[3021]
webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
webvpn_portal.c:http_webvpn_kill_cookie[790]
webvpn_auth.c:http_webvpn_pre_authentication[2447]
WebVPN: calling AAA with ewsContext (-1351860128) and nh (-1351860616)!
webvpn_add_auth_handle: auth_handle = 1189
WebVPN: started user authentication...
webvpn_auth.c:webvpn_aaa_callback[5320]
WebVPN: AAA status = (REJECT)
webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
webvpn_portal.c:webvpn_login_validate_net_handle[2234]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
webvpn_portal.c:webvpn_login_assign_app_next[2272]
webvpn_portal.c:webvpn_login_cookie_check[2289]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
webvpn_portal.c:webvpn_login_check_cert_status[2733]
webvpn_portal.c:webvpn_login_cert_only[2774]
webvpn_portal.c:webvpn_login_primary_username[2796]
webvpn_portal.c:webvpn_login_primary_password[2878]
webvpn_portal.c:webvpn_login_secondary_username[2910]
webvpn_portal.c:webvpn_login_secondary_password[2988]
webvpn_portal.c:webvpn_login_extra_password[3021]
webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_portal.c:webvpn_login_aaa_resuming[3093]
webvpn_auth.c:http_webvpn_post_authentication[1611]
WebVPN: user: (testJFG) rejected.
webvpn_remove_auth_handle: auth_handle = 1189
webvpn_free_auth_struct: net_handle = AF6C3E78
webvpn_allocate_auth_struct: net_handle = AF6C3E78
webvpn_free_auth_struct: net_handle = AF6C3E78
WARNING: CSD is disabled by AnyConnect Essentials license.

WebVPN on LDAP

Hello Jean,

As I can see on the debug,

You are getting mapped to the default webvpn group instead of the RemotePolicy group.

webvpn_login_resolve_tunnel_group: tgCookie = NULL
webvpn_login_resolve_tunnel_group: tunnel group name from default
webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup

Lets do the following to make sure we are hitting the right tunnel group:

group-policy RemotePolicy attributes

webvpn

   no svc ask enable default webvpn

    exit

exit

webvpn

tunnel-group-list enable

tunnel-group SSLVPN type remote-access

tunnel-group SSLVPN general-attributes

address-pool SSLVPNIPPool

authentication-server-group LDAP_SVR

default-group-policy RemotePolicy

Tunnel-group SSLVPN webvpn-attributes

group-alias SSLVPN

Then try to connect one more time, you should be promt to select the tunnel group.

With this we will make sure we select the right tunnel group.

If this does not work, please send us the debug with this new configuration in place.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

WebVPN on LDAP

I did kind of that, I changed all my GRoupPolicies to LDAP, and I got a new error.

So I got another question now:

- Now that LDAP seems to work, I get error "Clientless (browser) SSL VPN access is not allowed"

I have created a AD group "AccessVPN" and add my test user in it, but it does'nt seem to work.

What Am I missing?

aaa-server LDAP_SVR protocol ldap

aaa-server LDAP_SVR (Inside) host 192.168.1.1

server-port 389

ldap-base-dn dc=domainname, dc=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password password

ldap-login-dn CN=admin,CN=Users,DC=domainname,DC=local

server-type microsoft

ldap-attribute-map CISCOMAP

ldap attribute-map CISCOMAP

  map-name  memberOf IETF-Radius-Class

  map-value memberOf CN=AccessVPN,OU=Groupes,OU=MyOU,DC=DomainName,DC=Local PolicyGroup1

WebVPN on LDAP

Any ideas?

New Member

WebVPN on LDAP

Late answer, but it’s because Anyconnect essentials is enabled. I guess debug message: “WARNING: CSD is disabled by AnyConnect Essentials license.” tries to inform this.

ASA cli:

- conf t

- webvpn

- no anyconnect-essentials

or ASDM:

- Configuration

- Remote Access VPN

- Network (client) Access

- Advanced

- Anyconnect Essentials

- Take away Enable anyconnect essentials.

Note that this will effect your licenses and probably handful of users can connect after this because essentials license is not valid after that.

Cisco Employee

Re: WebVPN on LDAP

So you map your AD group VPNaccess to a group-policy PolicyGroup1.

Do you have a group-policy by that name? Does it have webvpn in the allowed protocols?

If all looks correct, get

Debug ldap 255

Debug aaa authentication

Debug aaa common

Hth

Herbert

Sent from Cisco Technical Support iPad App

New Member

Hi Julio,By following this

Hi Julio,

By following this post I fixed the problem, - by using drop down list :

webvpn

tunnel-group-list enable

I'm able to login... but is there a way to change this default setting, without showing a group-list for the user?.

Without "tunnel-group-list enable" my debugs shows the same:

webvpn_login_resolve_tunnel_group: tunnel group name from default
webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup

 

 

4479
Views
0
Helpful
8
Replies
CreatePlease to create content