Anyconnect VPN/LDAP policy association

d.delloro — Thu, 16 Aug 2018 10:14:27 GMT

Hello, I'm implementing new VPN collector. I need to associate group-policy through AD group membership.
I have ASAx multiple context appliance.
This is the current configiration:

aaa-server XXXXXX protocol ldap
aaa-server XXXXXX (inside) host X.X.X.X
ldap-base-dn DC=UUUU,DC=UUUUU
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn ldapbind
server-type microsoft
ldap-attribute-map Gruppi_LDAP
aaa-server XXXXXX (inside) host X.X.X.X
ldap-base-dn DC=aolc,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn ldapbind
server-type microsoft
ldap-attribute-map Gruppi_LDAP

ldap attribute-map Gruppi_LDAP
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=trial-group,OU=XXXXx,OU=XXXXXXXXX,OU=XXXXXXXXXXXXXX,OU=XXXXXXXXXXx,DC=XXXXXXXX,DC=XXXXXXXXX" POLICY-VPN

group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ssl-client

group-policy POLICY-VPN internal
group-policy POLICY-VPN attributes
dns-server value X.X.X.X X.X.X.X
vpn-simultaneous-logins 5
vpn-idle-timeout 30
vpn-filter value VPN-UFFICIO-INFORMATICO
vpn-tunnel-protocol ssl-client

tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPN
authentication-server-group XXXXXX
default-group-policy NOACCESS

If I try authentication through cli, all is ok.

INFO: Attempting Authentication test to IP address (X.X.X.X) (timeout: 12 seconds)

[-2147483632] Session Start
[-2147483632] New request Session, context 0x00002aab10597928, reqType = Authentication
[-2147483632] Fiber started
[-2147483632] Creating LDAP context with uri=ldap://X.X.X.X:389
[-2147483632] Connect to LDAP server: ldap://X.X.X.X:389, status = Successful
[-2147483632] supportedLDAPVersion: value = 3
[-2147483632] supportedLDAPVersion: value = 2
[-2147483632] Binding as ldapbind
[-2147483632] Performing Simple authentication for ldapbind to X.X.X.X
[-2147483632] LDAP Search:
Base DN = [DC=xxx,DC=xxxxx]
Filter = [sAMAccountName=trial-user]
Scope = [SUBTREE]
[-2147483632] User DN = [CN=xxxxx,OU=xxxxxx,OU=xxxxxxxx xxxxxxxxx,OU=xxxxxxx,DC=xxx,DC=xxxxx]
[-2147483632] Talking to Active Directory server X.X.X.X
[-2147483632] Reading password policy for trial-user, dn:CN=xxxxx,OU=xxxxxx,OU=xxxxxxxx xxxxxxxxx,OU=xxxxxxx,DC=xxx,DC=xxxxx
[-2147483632] Read bad password count 0
[-2147483632] Binding as trial-user
[-2147483632] Performing Simple authentication for trial-user to X.X.X.X
[-2147483632] Processing LDAP response for user trial-user
[-2147483632] Message (trial-user):
[-2147483632] Authentication successful for trial-user to X.X.X.X
[-2147483632] Retrieved User Attributes:
[-2147483632] objectClass: value = top
[-2147483632] objectClass: value = person
[-2147483632] objectClass: value = organizationalPerson
[-2147483632] objectClass: value = user
[-2147483632] cn: value = trial-user
[-2147483632] givenName: value = trial-user
[-2147483632] distinguishedName: value = CN=trial-user,dn:CN=xxxxx,OU=xxxxxx,OU=xxxxxxxx xxxxxxxxx,OU=xxxxxxx,DC=xxx,DC=x
[-2147483632] instanceType: value = 4
[-2147483632] whenCreated: value = 20161021151630.0Z
[-2147483632] whenChanged: value = 20180816093108.0Z
[-2147483632] displayName: value = trial-user
[-2147483632] uSNCreated: value = 47800
[-2147483632] memberOf: value = CN=trial-group,OU=XXXXx,OU=XXXXXXXXX,OU=XXXXXXXXXXXXXX,OU=XXXXX
[-2147483632] mapped to IETF-Radius-Class: value = POLICY-VPN
[-2147483632] mapped to LDAP-Class: value = POLICY-VPN
[-2147483632] uSNChanged: value = 117759399
[-2147483632] proxyAddresses: value = x500:/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recip
[-2147483632] name: value = trial-user
[-2147483632] objectGUID: value = =.....GF..t).9%.
[-2147483632] userAccountControl: value = 512
[-2147483632] badPwdCount: value = 0
[-2147483632] codePage: value = 0
[-2147483632] countryCode: value = 0
[-2147483632] homeDirectory: value =
[-2147483632] homeDrive: value = X:
[-2147483632] badPasswordTime: value = 131788855117568122
[-2147483632] lastLogoff: value = 0
[-2147483632] lastLogon: value = 131786432079238875
[-2147483632] logonHours: value = .....................
[-2147483632] pwdLastSet: value = 131788854689281980
[-2147483632] primaryGroupID: value = 513
[-2147483632] objectSid: value = ..............U..9"...|#uF..
[-2147483632] accountExpires: value = 0
[-2147483632] logonCount: value = 83
[-2147483632] sAMAccountName: value = trial-user
[-2147483632] sAMAccountType: value = 805306368
[-2147483632] legacyExchangeDN: value =
[-2147483632] userPrincipalName: value = trial-user@xxxxxxxx.x
[-2147483632] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=xxx,DC=xxxxx
[-2147483632] dSCorePropagationData: value = 20180620111125.0Z
[-2147483632] dSCorePropagationData: value = 20180406141225.0Z
[-2147483632] dSCorePropagationData: value = 20171121092406.0Z
[-2147483632] dSCorePropagationData: value = 20171121092324.0Z
[-2147483632] dSCorePropagationData: value = 16010714223233.0Z
[-2147483632] lastLogonTimestamp: value = 131786432079238875
[-2147483632] mAPIRecipient: value = TRUE
[-2147483632] protocolSettings: value = OWA..1
[-2147483632] protocolSettings: value = HTTP..1..1............
[-2147483632] msExchPreviousRecipientTypeDetails: value = 1
[-2147483632] msExchRecipientSoftDeletedStatus: value = 0
[-2147483632] msExchShadowMailNickname: value = trial-user
[-2147483632] msDS-ExternalDirectoryObjectId: value = User_72fcde18-d0b7-48cd-b158-dbf3b25cde1d
[-2147483632] msExchShadowProxyAddresses: value = SMTP:trial-user@asst-lecco.it
[-2147483632] msExchUMDtmfMap: value = emailAddress:7288663
[-2147483632] msExchUMDtmfMap: value = lastNameFirstName:7288663
[-2147483632] msExchUMDtmfMap: value = firstNameLastName:7288663
[-2147483632] msExchWhenMailboxCreated: value = 20170119081242.0Z
[-2147483632] Fiber exit Tx=588 bytes Rx=3845 bytes, status=1
[-2147483632] Session End
INFO: Authentication Successful

If I try authentication with Anyconnect the debug output is this:

asaX1/internet(config)# #0x00002aaaef7d2e00 (POST). Request line:/
#0x00002aaaef7d2e00 File to execute: /CSCOSSLC/config-auth
/CSCOSSLC/config-auth
Processing client request
XML successfully parsed
Processing request (init)
INIT-no-cert: Client has not sent a certificate
INIT-no-cert: Resolve tunnel group (DefaultWEBVPNGroup) alias (NULL) Cert or URL mapped NO
INIT-no-cert: Client advertised multi-cert authentication support
[10118226] Created auth info for client X.X.X.X
[10118226] Started timer (3 mins) for auth info for client X.X.X.X
Generating auth request
rcode from handler = 0
Sending response
#0x00002aaaef7d3580 (POST). Request line:/
#0x00002aaaef7d3580 File to execute: /CSCOSSLC/config-auth
/CSCOSSLC/config-auth
Processing client request
XML successfully parsed
Processing request (auth-reply)
auth-reply:[10118226] searching for authinfo
[10118226] Found auth info for client X.X.X.X, update expire timer (3 mins)
Found tunnel group (DefaultWEBVPNGroup) alias NULL
Auth-reply: no AAA handle, opening
Opened AAA handle 1862722
Making AAA request for user trial-user

[28319] Session Start
[28319] New request Session, context 0x00002aab10597928, reqType = Authentication
[28319] Fiber started
[28319] Creating LDAP context with uri=ldap://X.X.X.X:389
[28319] Connect to LDAP server: ldap://X.X.X.X:389, status = Successful
[28319] supportedLDAPVersion: value = 3
[28319] supportedLDAPVersion: value = 2
[28319] Binding as ldapbind
[28319] Performing Simple authentication for ldapbind to X.X.X.X
[28319] LDAP Search:
Base DN = [DC=XXXX,DC=lXXXXX]
Filter = [sAMAccountName=trial-user]
Scope = [SUBTREE]
[28319] User DN = User DN = [CN=xxxxx,OU=xxxxxx,OU=xxxxxxxx xxxxxxxxx,OU=xxxxxxx,DC=xxx,DC=xxxxx]
[28319] Talking to Active Directory server X.X.X.X
[28319] Reading password policy for trial-user, dn:CN=xxxxx,OU=xxxxxx,OU=xxxxxxxx xxxxxxxxx,OU=xxxxxxx,DC=xxx,DC=xxxxx
[28319] Read bad password count 0
[28319] Binding as trial-user
[28319] Performing Simple authentication for trial-user to X.X.X.X
[28319] Processing LDAP response for user trial-user
[28319] Message (trial-user):
[28319] Authentication successful for trial-user to X.X.X.X
[28319] Retrieved User Attributes:
[28319] objectClass: value = top
[28319] objectClass: value = person
[28319] objectClass: value = organizationalPerson
[28319] objectClass: value = user
[28319] cn: value = trial-user
[28319] givenName: value = trial-user
[28319] distinguishedName: value = CN=trial-user,dn:CN=xxxxx,OU=xxxxxx,OU=xxxxxxxx xxxxxxxxx,OU=xxxxxxx,DC=xxx,DC=x
[28319] instanceType: value = 4
[28319] whenCreated: value = 20161021151630.0Z
[28319] whenChanged: value = 20180816093113.0Z
[28319] displayName: value = trial-user
[28319] uSNCreated: value = 47512
[28319] memberOf: value = CN=trial-group,OU=XXXXx,OU=XXXXXXXXX,OU=XXXXXXXXXXXXXX,OU=XXXXX
[28319] mapped to IETF-Radius-Class: value = POLICY-VPN
[28319] mapped to LDAP-Class: value = POLICY-VPN
[28319] uSNChanged: value = 96045593
[28319] proxyAddresses: value = x500:/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recip
[28319] name: value = trial-user
[28319] objectGUID: value = =.....GF..t).9%.
[28319] userAccountControl: value = 512
[28319] badPwdCount: value = 0
[28319] codePage: value = 0
[28319] countryCode: value = 0
[28319] homeDirectory: value =
[28319] homeDrive: value = X:
[28319] badPasswordTime: value = 131788855117555151
[28319] lastLogoff: value = 0
[28319] lastLogon: value = 131788857300261619
[28319] logonHours: value = .....................
[28319] pwdLastSet: value = 131788854689281980
[28319] primaryGroupID: value = 513
[28319] objectSid: value = ..............U..9"...|#uF..
[28319] accountExpires: value = 0
[28319] logonCount: value = 62
[28319] sAMAccountName: value = trial-user
[28319] sAMAccountType: value = 805306368
[28319] legacyExchangeDN: value = /o=AOLC/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=patt
[28319] userPrincipalName: value = trial-user@xxxxxxxx.x
[28319] objectCategory: value = objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=xxx,DC=xxxxx
[28319] dSCorePropagationData: value = 20180620111130.0Z
[28319] dSCorePropagationData: value = 20180406141217.0Z
[28319] dSCorePropagationData: value = 20171121092414.0Z
[28319] dSCorePropagationData: value = 20171121092329.0Z
[28319] dSCorePropagationData: value = 16010714223233.0Z
[28319] lastLogonTimestamp: value = 131786432079238875
[28319] mAPIRecipient: value = TRUE
[28319] protocolSettings: value = OWA..1
[28319] protocolSettings: value = HTTP..1..1............
[28319] msExchPreviousRecipientTypeDetails: value = 1
[28319] msExchRecipientSoftDeletedStatus: value = 0
[28319] msExchShadowMailNickname: value = trial-user
[28319] msDS-ExternalDirectoryObjectId: value = User_72fcde18-d0b7-48cd-b158-dbf3b25cde1d
[28319] msExchShadowProxyAddresses: value = SMTP:trial-user@xxxxxxxx.x
[28319] msExchUMDtmfMap: value = emailAddress:7288663
[28319] msExchUMDtmfMap: value = lastNameFirstName:7288663
[28319] msExchUMDtmfMap: value = firstNameLastName:7288663
[28319] msExchWhenMailboxCreated: value = 20170119081242.0Z
[28319] Fiber exit Tx=588 bytes Rx=3844 bytes, status=1
[28319] Session End
AAA request finished
Auth Failed, generating auth request
rcode from handler = 0
Sending response
Closing AAA handle 1862722

Anyone can help me about this authentication issue?

Re: Anyconnect VPN/LDAP policy association

thomas — Thu, 16 Aug 2018 22:54:28 GMT

I suggest verifying your config against the documented steps @

How To Configure Posture with AnyConnect Compliance Module and ISE 2.0

Otherwise troubleshooting is best done with TAC.

Re: Anyconnect VPN/LDAP policy association

d.delloro — Sat, 18 Aug 2018 18:40:52 GMT

Configuration verified, but nothing else...
I tried to follow the link posted for the common part, but nothing different...
The ISE section has not been considered

topic Re: Anyconnect VPN/LDAP policy association in Network Access Control

Anyconnect VPN/LDAP policy association

Re: Anyconnect VPN/LDAP policy association

Re: Anyconnect VPN/LDAP policy association