topic LDAP Authentication of VPN without IAS/NPS in Network Access Control

LDAP Authentication of VPN without IAS/NPS

dflick — Mon, 11 Mar 2019 01:20:18 GMT

Here is a snippet of my proposed config for LDAP

aaa group server ldap AD

server TESTSERVER

ldap attribute-map ADTEST

ldap server TESTSERVER

ipv4 192.168.0.20

bind authenticate root-dn testuser password testpw

base-dn DC=testdomain,DC=local

The username and password exist and can auth to AD directly. I get the logs below when I try to hit from VPN. Does anyone have this working that can give me some pointers?

000293: Aug 20 10:37:42: AAA/BIND(00000E04): Bind i/f

000294: Aug 20 10:37:42: AAA/AUTHEN/LOGIN (00000E04): Pick method list 'AD'

000295: Aug 20 10:37:42: %AAA-3-BADSERVERTYPEERROR: Cannot process authenticatio

n server type *invalid_group_handle*

Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M1, REL

EASE SOFTWARE (fc1)

System image file is "flash:c1900-universalk9-mz.SPA.151-4.M1.bin"

Gulf-Inet#

000296: Aug 20 10:48:00: LDAP: Received socket event

000297: Aug 20 10:48:00: LDAP: Checking the conn status

000298: Aug 20 10:48:00: LDAP: Socket read event socket=0

000299: Aug 20 10:48:00: LDAP: Found socket ctx

000300: Aug 20 10:48:00: LDAP: Receive event: read=0, errno=11 (Resource tempora

rily unavailable)

000301: Aug 20 10:48:00: LDAP: Connection closed remotely !!

000302: Aug 20 10:48:00: LDAP: ldap tcp transport closing on socket 0

000303: Aug 20 10:48:00: LDAP: Protocol received transport down notification

000304: Aug 20 10:48:00: LDAP: Server-GULFBASCO connection going down !!!

000305: Aug 20 10:48:00: LDAP: Clearing all ldap transactions

000306: Aug 20 10:48:00: LDAP: Connection state: UP => DOWN

000307: Aug 20 10:48:00: LDAP: Connection state: DOWN => DOWN

000308: Aug 20 10:48:00: LDAP: Connection timer started for 30 seconds for GULFB

ASCO

000309: Aug 20 10:48:00: LDAP: socket 0 - CONN_UP->CONN_CLOSE

000310: Aug 20 10:48:00: LDAP: Received socket event

000311: Aug 20 10:48:30: LDAP: Received timer event

000312: Aug 20 10:48:30: LDAP: Connection timeout occured. Retrying

000313: Aug 20 10:48:30: LDAP: Opening ldap connection ( 192.168.254.23, 389 )

000314: Aug 20 10:48:30: LDAP: socket 0 - connecting to 192.168.254.23 (389)

000315: Aug 20 10:48:30: LDAP: socket 0 - connection in progress

000316: Aug 20 10:48:30: LDAP: socket 0 - local address 192.168.254.254 (63758)

000317: Aug 20 10:48:30: LDAP: Connection on socket 0

000318: Aug 20 10:48:30: LDAP: Connection to LDAP server (GULFBASCO, 192.168.254

.23) attempted

000319: Aug 20 10:48:30: LDAP: Connection state: DOWN => CONNECTING

000320: Aug 20 10:48:30: LDAP: Received socket event

000321: Aug 20 10:48:30: LDAP: Checking the conn status

000322: Aug 20 10:48:30: LDAP: Socket read event socket=0

000323: Aug 20 10:48:30: LDAP: Found socket ctx

000324: Aug 20 10:48:30: LDAP: Making socket conn up

000325: Aug 20 10:48:30: LDAP: Notify the protocol code

000326: Aug 20 10:48:30: LDAP: Protocol received transport up notication

000327: Aug 20 10:48:30: LDAP: Connection state: CONNECTING => UP

000328: Aug 20 10:48:30: LDAP: Set socket=0 to non blocking mode

000329: Aug 20 10:48:30: LDAP: Performing Root-Dn bind operation

000330: Aug 20 10:48:30: LDAP: Root Bind on ciscoauth initiated.

000331: Aug 20 10:48:30: LDAP: Received socket event

000332: Aug 20 10:48:31: LDAP: Received socket event

000333: Aug 20 10:48:31: LDAP: Checking the conn status

000334: Aug 20 10:48:31: LDAP: Socket read event socket=0

000335: Aug 20 10:48:31: LDAP: Found socket ctx

000336: Aug 20 10:48:31: LDAP: Receive event: read=1, errno=11 (Resource tempora

rily unavailable)

000337: Aug 20 10:48:31: LDAP: Passing the client ctx=317267D0

000338: Aug 20 10:48:31: LDAP: LDAP Messages to be processed: 1

000339: Aug 20 10:48:31: LDAP: LDAP Message type: 97

000340: Aug 20 10:48:31: LDAP: Got ldap transaction context from reqid 2

000341: Aug 20 10:48:31: LDAP: Received Bind Response

000342: Aug 20 10:48:31: LDAP: Received Root Bind Response

000343: Aug 20 10:48:31: LDAP: Failed to do Root Bind on ciscoauth. Bind anonymo

000344: Aug 20 10:48:31: LDAP: Transaction context removed from list [ldap reqid

=2]

000345: Aug 20 10:48:31: LDAP: Finished processing ldap msg, Result:Success

000346: Aug 20 10:48:31: LDAP: Received socket event

Connection to host lost.

LDAP Authentication of VPN without IAS/NPS

Minhua Zhu — Sat, 20 Aug 2011 18:18:07 GMT

The bind username has to be specified as the full LDAP object path per this http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_ldap.html#wp1069114. Use dsquery on the username that you want to use for the intial lookup bind to get the full LDAP object description and set that instead:

dsquery user -samid user_name

Also, remember to delegate permissions to this account to allow them to read AD.

LDAP Authentication of VPN without IAS/NPS

dflick — Sat, 20 Aug 2011 18:24:23 GMT

I used everything behind the DC like this:

"CN=cisco Systems,OU=ServiceAccounts,OU=Accounts,DC=gulfbasco,DC=local"

So I used:
base-dn "DC=gulfbasco,DC=local"

LDAP Authentication of VPN without IAS/NPS

Minhua Zhu — Sat, 20 Aug 2011 18:30:03 GMT

I'm referring to this line:

bind authenticate root-dn testuser password testpw

it should be:

bind authenticate root-dn "cn=testuser,ou=serviceaccounts,ou=accounts,dc=gulfbasco,dc=local" password blah

the base-dn config line refers to the search base DN, not the bind base DN. Your debug output indicates that it is failing to bind to LDAP, i.e. authenticate with the testuser account specified in the bind configuration.

LDAP Authentication of VPN without IAS/NPS

dflick — Sat, 20 Aug 2011 18:37:50 GMT

Still erroring. I tried with CN=full user name and CN=shortname. Which should I be using and are there any other debugs that might help me figure out what is wrong?

000874: Aug 20 13:35:33: LDAP: Filter: (objectclass=*)

000875: Aug 20 13:35:33: %SYS-5-CONFIG_I: Configured from console by admin on vt

y0 (192.168.254.23)

000876: Aug 20 13:35:33: LDAP: Received message event

000877: Aug 20 13:35:33: LDAP: Connection to LDAP server (GULFBASCO) already UP

000878: Aug 20 13:35:45: AAA/BIND(00000E08): Bind i/f

000879: Aug 20 13:35:45: AAA/AUTHEN/LOGIN (00000E08): Pick method list 'AD'

000880: Aug 20 13:36:07: AAA/BIND(00000E09): Bind i/f

000881: Aug 20 13:36:07: AAA/AUTHEN/LOGIN (00000E09): Pick method list 'AD'

000882: Aug 20 13:36:07: %AAA-3-BADSERVERTYPEERROR: Cannot process authenticatio

n server type *invalid_group_handle*

LDAP Authentication of VPN without IAS/NPS

dp25269 — Fri, 14 Oct 2011 21:49:45 GMT

Did you ever find a resolution for this issue? I'm having similar problems and getting the same error message.