cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
7913
Views
10
Helpful
17
Replies
Joe Lourenco
Beginner

Cloud Web Security (formerly Scansafe) ldap resultCode: 49 Invalid Credentials. Default usergroup applied after user's sAMAccount authentication fails after BINDING

I have a serious problem  with LDAP, for the purpose of Scansafe, on a 3945 ISR with IOS 15 (C3900-UNIVERSALK9-M). LDAP  binding to the LDAP Server (Active Directory on Win Srv 2008 R2) when authenticating any domain user, except  for the default Scansafe Bind Root-DN user, is failing.

 

The testing of any user's sAMAccount name, is failing, and it defaults to the default Scansafe usergroup.

 

# test aaa group <ldap group name> <userid> <pwd> new-code

User Rejected

 

# sh ldap server all   (the output is correct when checking to see if any LDAP server exists)

 

My config is exactly as Scansafe's configuration guide:

 

http://www.cisco.com/en/US/docs/security/web_security/ISR_SS/ISR_ScanSafe_SolutionGuide.pdf

 

I am using NTLM ACTIVE AUTHENTICATION and I have the LDAP  attribute map for mapping the sAMAccount name to the user's username.

 

In that PDF, on the bottom of page 12, there is this paragraph that describes exactly what is happening to my Scansafe.

 

"Configuring a Default User Group

You can configure a default user group to assign to each client when the ISR cannot determine the

credentials for a user. Define a default user group using the following CLI command:

[no] user-group default <name>

 

The ISR uses the default user group name here to identify all clients connected to a specific interface on  the ISR when it cannot determine the user’s credentials. You might want to define a default user group  so that all traffic redirected to the ScanSafe proxy servers are assigned a user group so particular  ScanSafe policies can be applied appropriately. For example, you might want to create a default user       group for guest users on the wireless network.Only one user group can be defined per interface."

 

Now,  what does this problem affect? I cannot enforce the  application of  filters from the Scansafe site to specific user groups.  Users can use  the internet under the default usergroup. Everyone  defaults to the  default filter. I have a filter established for say  Purchasing, allowing  them extra leeway on what they can access, but the  members of that group  cannot authenticate, and thus their filter is not  applied.

 

Application of filters is essential to Scansafe, without, it defeats the purpose

 

I appreciate all the help I can get on this.

 

Here is what my logs show regarding LDAP BINDING OPERATION, from # debug ldap all:

 

 

-- Testing with jltestuser (this is just any random user, as all users are failing anyway)

 

 

barra-gate#

051646: Aug 23 23:10:34.983 BRST: LDAP: LDAP: Queuing AAA request 0 for processing

051647: Aug 23 23:10:34.983 BRST: LDAP: Received queue event, new AAA request

051648: Aug 23 23:10:34.983 BRST: LDAP: LDAP authentication request

051649: Aug 23 23:10:34.983 BRST: LDAP: Invalid hash index 512, nothing to remove

051650: Aug 23 23:10:34.983 BRST: LDAP: New LDAP request

051651: Aug 23 23:10:34.983 BRST: LDAP: Attempting first  next available LDAP server

051652: Aug 23 23:10:34.983 BRST: LDAP: Got next LDAP server :<Removed server name...>

051653: Aug 23 23:10:34.983 BRST: LDAP: First Task: Send bind req

051654: Aug 23 23:10:34.983 BRST: LDAP: Authentication policy: bind-first

051655:  Aug 23 23:10:34.983 BRST: LDAP: Bind:  User-DN=cn=jltestuser,CN=Users,DC=<removed>,DC=<removed>,DC=com  ldap_req_encode

Doing socket write

051656: Aug 23 23:10:34.983 BRST: LDAP:  LDAP bind request sent successfully (reqid=92)

051657: Aug 23 23:10:34.983 BRST: LDAP: Sent transit request to server

051658: Aug 23 23:10:34.983 BRST: LDAP: LDAP request successfully processed

051659: Aug 23 23:10:35.539 BRST: LDAP: Received socket event

051660: Aug 23 23:10:35.539 BRST: LDAP: Process socket event for socket = 0

051661: Aug 23 23:10:35.539 BRST: LDAP: Conn Status = 4

051662: Aug 23 23:10:35.539 BRST: LDAP: Non-TLS read event on socket 0

051663: Aug 23 23:10:35.539 BRST: LDAP: Found socket ctx

051664: Aug 23 23:10:35.539 BRST: LDAP: Receive event: read=1, errno=11 (Resource temporarily unavailable)

051665: Aug 23 23:10:35.539 BRST: LDAP: Passing the client ctx=1855243Cldap_result

wait4msg (timeout 0 sec, 1 usec)

ldap_select_fd_wait (select)

ldap_read_activity lc 0x1AADABD8

 

Doing socket read

LDAP-TCP:Bytes read = 110

ldap_match_request succeeded for msgid 7 h 0

changing lr 0x11A14BFC to COMPLETE as no continuations

removing request 0x11A14BFC from list as lm 0x1AAB8494 all 0

ldap_msgfree

ldap_msgfree

 

051666: Aug 23 23:10:35.539 BRST: LDAP: LDAP Messages to be processed: 1

051667: Aug 23 23:10:35.539 BRST: LDAP: LDAP Message type: 97

051668: Aug 23 23:10:35.539 BRST: LDAP: Got ldap transaction context from reqid 92ldap_parse_result

 

051669: Aug 23 23:10:35.539 BRST: LDAP: resultCode:    49     (Invalid credentials)

051670: Aug 23 23:10:35.539 BRST: LDAP: Received Bind Responseldap_parse_result

ldap_err2string

 

051671: Aug 23 23:10:35.539 BRST: LDAP: Ldap Result Msg: FAILED:Invalid credentials, Result code =49

051672:  Aug 23 23:10:35.539 BRST: LDAP: LDAP Bind operation result : failed   <<<<<<<<<<-----------------------LOOK!!!!!

051673: Aug 23 23:10:35.539 BRST: LDAP: Connection <REMOVED...>0 already exist for reuseldap_msgfree

 

051674: Aug 23 23:10:35.539 BRST: LDAP: Closing transaction and reporting error to AAA

051675: Aug 23 23:10:35.539 BRST: LDAP: Transaction context removed from list [ldap reqid=92]

051676: Aug 23 23:10:35.539 BRST: LDAP: Notifying AAA: REQUEST FAILED

051677: Aug 23 23:10:35.539 BRST: LDAP: Received socket event

 

 

 

--- Testing with the scansafe assigned user that binds to the Bind DN. This is the only user that succeeds authentication!!!!

 

 

 

barra-gate#

051684: Aug 23 23:13:57.664 BRST: LDAP: LDAP: Queuing AAA request 0 for processing

051685: Aug 23 23:13:57.664 BRST: LDAP: Received queue event, new AAA request

051686: Aug 23 23:13:57.664 BRST: LDAP: LDAP authentication request

051687: Aug 23 23:13:57.664 BRST: LDAP: Invalid hash index 512, nothing to remove

051688: Aug 23 23:13:57.664 BRST: LDAP: New LDAP request

051689: Aug 23 23:13:57.664 BRST: LDAP: Attempting first  next available LDAP server

051690: Aug 23 23:13:57.664 BRST: LDAP: Got next LDAP server :<Removed server name...>

051691: Aug 23 23:13:57.664 BRST: LDAP: First Task: Send bind req

051692: Aug 23 23:13:57.664 BRST: LDAP: Authentication policy: bind-first

051693:  Aug 23 23:13:57.664 BRST: LDAP: Bind: User-DN=cn=<Userid  removed>,CN=Users,DC=<removed>,<removed>,DC=comldap_req_encode

Doing socket write

051694: Aug 23 23:13:57.664 BRST: LDAP:  LDAP bind request sent successfully (reqid=93)

051695: Aug 23 23:13:57.664 BRST: LDAP: Sent transit request to server

051696: Aug 23 23:13:57.664 BRST: LDAP: LDAP request successfully processed

051697: Aug 23 23:13:58.164 BRST: LDAP: Received socket event

051698: Aug 23 23:13:58.164 BRST: LDAP: Process socket event for socket = 0

051699: Aug 23 23:13:58.164 BRST: LDAP: Conn Status = 4

051700: Aug 23 23:13:58.164 BRST: LDAP: Non-TLS read event on socket 0

051701: Aug 23 23:13:58.164 BRST: LDAP: Found socket ctx

051702: Aug 23 23:13:58.164 BRST: LDAP: Receive event: read=1, errno=11 (Resource temporarily unavailable)

051703: Aug 23 23:13:58.164 BRST: LDAP: Passing the client ctx=1855243Cldap_result

wait4msg (timeout 0 sec, 1 usec)

ldap_select_fd_wait (select)

ldap_read_activity lc 0x1AADABD8

 

Doing socket read

LDAP-TCP:Bytes read = 22

ldap_match_request succeeded for msgid 8 h 0

changing lr 0x11A14BFC to COMPLETE as no continuations

removing request 0x11A14BFC from list as lm 0x1AAB9D14 all 0

ldap_msgfree

ldap_msgfree

 

051704: Aug 23 23:13:58.164 BRST: LDAP: LDAP Messages to be processed: 1

051705: Aug 23 23:13:58.164 BRST: LDAP: LDAP Message type: 97

051706: Aug 23 23:13:58.164 BRST: LDAP: Got ldap transaction context from reqid 93ldap_parse_result

 

051707: Aug 23 23:13:58.164 BRST: LDAP: resultCode:    0     (Success)

051708: Aug 23 23:13:58.168 BRST: LDAP: Received Bind Responseldap_parse_result

 

051709: Aug 23 23:13:58.168 BRST: LDAP: Ldap Result Msg: SUCCESS, Result code =0

051710:  Aug 23 23:13:58.168 BRST: LDAP: LDAP Bind successful for  DN:cn=<removed>CN=Users,DC=<removed>,DC=<removed>,DC=com

 

 


Thank You!
17 REPLIES 17
kussriva
Beginner

Hi Joe,

I would like to point out few things regarding the configuration:

- Please make sure you are running code: 15.3(3)M as that is the current stable release for ISR Connector.

- Could you please provide the relevant LDAP config as well for verification?

Also I had seen this issue once when in the LDAP configuration. In that case, the base-dn was configured as the domain and it was not working. We changed the configuration and specified the OU in which the users resided in the base-dn and it started to work fine.

Regards,

Kush

Cisco PDI Help Desk

http://www.cisco.com/go/pdihelpdesk