Hello,
I'm trying to get SSL VPN users to authenticate to AD, I've tried many configuration examples on the web, all are different is some way but I've nearly got it working, as the "deb ldap 255" looks like its successful yet the AnyConnect displays "Login Failed"
Please see below and if you can suggest anything I'd much appriecte it
Regards Tony
Config....
ldap attribute-map OCT-VPN
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=VPNUsers,OU=Security Groups,OU=London,DC=customer,DC=co.uk" GP-AllowVPN
aaa-server TEST_SERVER protocol ldap
aaa-server TEST_SERVER (inside) host 192.168.100.1
ldap-base-dn DC=customer,DC=co,DC=uk
ldap-group-base-dn CN=VPNUsers,OU=Security Groups,OU=London,DC=customer,DC=co,DC=uk
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=VPN Access,OU=Service Accounts,OU=IT,OU=London,DC=customer,DC=co,DC=uk
server-type microsoft
ldap-attribute-map OCT-VPN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/sslclient-win-1.1.0.154.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-client
group-policy GP-AllowVPN internal
group-policy GP-AllowVPN attributes
dns-server value 192.168.100.1
vpn-simultaneous-logins 2
vpn-tunnel-protocol ssl-client
default-domain value customer.co.uk
webvpn
anyconnect ask none
group-policy GP-DenyVPN internal
group-policy GP-DenyVPN attributes
vpn-simultaneous-logins 0
tunnel-group ACMEORG_SSL-VPN type remote-access
tunnel-group ACMEORG_SSL-VPN general-attributes
address-pool ACMEORGSSL_Pool
authentication-server-group TEST_SERVER LOCAL
authorization-server-group TEST_SERVER
default-group-policy GP-DenyVPN
tunnel-group ACMEORG_SSL-VPN webvpn-attributes
group-alias SSL-VPN enable
!
It looks ok but the AnyConnect client gets a "login failed" message!
[23] Session Start
[23] New request Session, context 0xcb23850c, reqType = Authentication
[23] Fiber started
[23] Creating LDAP context with uri=ldap://192.168.100.1:389
[23] Connect to LDAP server: ldap://192.168.100.1:389, status = Successful
[23] supportedLDAPVersion: value = 3
[23] supportedLDAPVersion: value = 2
[23] Binding as VPN Access
[23] Performing Simple authentication for VPN Access to 192.168.100.1
[23] LDAP Search:
Base DN = [DC=customer,DC=co,DC=uk]
Filter = [sAMAccountName=test_permit]
Scope = [SUBTREE]
[23] User DN = [CN=test_permit,OU=Security Groups,OU=London,DC=customer,DC=co,DC=uk]
[23] Talking to Active Directory server 192.168.100.1
[23] Reading password policy for test_permit, dn:CN=test_permit,OU=Security Groups,OU=London,DC=customer,DC=co,DC=uk
[23] Read bad password count 0
[23] Binding as test_permit
[23] Performing Simple authentication for test_permit to 192.168.100.1
[23] Processing LDAP response for user test_permit
[23] Message (test_permit):
[23] Authentication successful for test_permit to 192.168.100.1
[23] Retrieved User Attributes:
[23] objectClass: value = top
[23] objectClass: value = person
[23] objectClass: value = organizationalPerson
[23] objectClass: value = user
[23] cn: value = test_permit
[23] givenName: value = test_permit
[23] distinguishedName: value = CN=test_permit,OU=Security Groups,OU=London,DC=customer,DC=co,DC=uk
[23] instanceType: value = 4
[23] whenCreated: value = 20140129161810.0Z
[23] whenChanged: value = 20140205152134.0Z
[23] displayName: value = test_permit
[23] uSNCreated: value = 17778031
[23] memberOf: value = CN=VPNUsers,OU=Security Groups,OU=London,DC=customer,DC=co,DC=uk
[23] mapped to IETF-Radius-Class: value = CN=VPNUsers,OU=Security Groups,OU=London,DC=customer,DC=co,DC=uk
[23] mapped to LDAP-Class: value = CN=VPNUsers,OU=Security Groups,OU=London,DC=customer,DC=co,DC=uk
[23] uSNChanged: value = 17810714
[23] name: value = test_permit
[23] objectGUID: value = .f%o..ZK..2d.u..
[23] userAccountControl: value = 512
[23] badPwdCount: value = 0
[23] codePage: value = 0
[23] countryCode: value = 0
[23] badPasswordTime: value = 130360918828015446
[23] lastLogoff: value = 0
[23] lastLogon: value = 130360918934996451
[23] pwdLastSet: value = 130360082489276782
[23] primaryGroupID: value = 513
[23] userParameters: value = m: d.
[23] objectSid: value = .............^)...y....[!...
[23] accountExpires: value = 9223372036854775807
[23] logonCount: value = 0
[23] sAMAccountName: value = test_permit
[23] sAMAccountType: value = 805306368
[23] userPrincipalName: value = test_permit@customer.co.uk
[23] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=customer,DC=co,DC=uk
[23] msNPAllowDialin: value = TRUE
[23] lastLogonTimestamp: value = 130359170029583663
[23] Fiber exit Tx=634 bytes Rx=2744 bytes, status=1
[23] Session End
I typed an incorrect password here to see what the output looked like too....
[25] Session Start
[25] New request Session, context 0xcb23850c, reqType = Authentication
[25] Fiber started
[25] Creating LDAP context with uri=ldap://192.168.100.1:389
[25] Connect to LDAP server: ldap://192.168.100.1:389, status = Successful
[25] supportedLDAPVersion: value = 3
[25] supportedLDAPVersion: value = 2
[25] Binding as VPN Access
[25] Performing Simple authentication for VPN Access to 192.168.100.1
[25] LDAP Search:
Base DN = [DC=customer,DC=co,DC=uk]
Filter = [sAMAccountName=test_permit]
Scope = [SUBTREE]
[25] User DN = [CN=test_permit,OU=Security Groups,OU=London,DC=customer,DC=co,DC=uk]
[25] Talking to Active Directory server 192.168.100.1
[25] Reading password policy for test_permit, dn:CN=test_permit,OU=Security Groups,OU=London,DC=customer,DC=co,DC=uk
[25] Read bad password count 0
[25] Binding as test_permit
[25] Performing Simple authentication for test_permit to 192.168.100.1
[25] Simple authentication for test_permit returned code (49) Invalid credentials
[25] Message (test_permit): 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
[25] Invalid password for test_permit
[25] Fiber exit Tx=625 bytes Rx=2831 bytes, status=-1
[25] Session End
Any help appreicated
