08-16-2018 03:14 AM
Hello, I'm implementing a new VPN collector. I need to associate a group-policy through AD group membership.
I have an ASAx multiple-context appliance.
This is the current configuration:
aaa-server XXXXXX protocol ldap
aaa-server XXXXXX (inside) host X.X.X.X
 ldap-base-dn DC=UUUU,DC=UUUUU
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn ldapbind
 server-type microsoft
 ldap-attribute-map Gruppi_LDAP
aaa-server XXXXXX (inside) host X.X.X.X
 ldap-base-dn DC=aolc,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn ldapbind
 server-type microsoft
 ldap-attribute-map Gruppi_LDAP
ldap attribute-map Gruppi_LDAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=trial-group,OU=XXXXx,OU=XXXXXXXXX,OU=XXXXXXXXXXXXXX,OU=XXXXXXXXXXx,DC=XXXXXXXX,DC=XXXXXXXXX" POLICY-VPN
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client
group-policy POLICY-VPN internal
group-policy POLICY-VPN attributes
 dns-server value X.X.X.X X.X.X.X
 vpn-simultaneous-logins 5
 vpn-idle-timeout 30
 vpn-filter value VPN-UFFICIO-INFORMATICO
 vpn-tunnel-protocol ssl-client
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN
 authentication-server-group XXXXXX
 default-group-policy NOACCESS
If I try authentication through the CLI, all is OK.
INFO: Attempting Authentication test to IP address (X.X.X.X) (timeout: 12 seconds)
[-2147483632] Session Start
[-2147483632] New request Session, context 0x00002aab10597928, reqType = Authentication
[-2147483632] Fiber started
[-2147483632] Creating LDAP context with uri=ldap://X.X.X.X:389
[-2147483632] Connect to LDAP server: ldap://X.X.X.X:389, status = Successful
[-2147483632] supportedLDAPVersion: value = 3
[-2147483632] supportedLDAPVersion: value = 2
[-2147483632] Binding as ldapbind
[-2147483632] Performing Simple authentication for ldapbind to X.X.X.X
[-2147483632] LDAP Search:
Base DN = [DC=xxx,DC=xxxxx]
Filter = [sAMAccountName=trial-user]
Scope = [SUBTREE]
[-2147483632] User DN = [CN=xxxxx,OU=xxxxxx,OU=xxxxxxxx xxxxxxxxx,OU=xxxxxxx,DC=xxx,DC=xxxxx]
[-2147483632] Talking to Active Directory server X.X.X.X
[-2147483632] Reading password policy for trial-user, dn:CN=xxxxx,OU=xxxxxx,OU=xxxxxxxx xxxxxxxxx,OU=xxxxxxx,DC=xxx,DC=xxxxx
[-2147483632] Read bad password count 0
[-2147483632] Binding as trial-user
[-2147483632] Performing Simple authentication for trial-user to X.X.X.X
[-2147483632] Processing LDAP response for user trial-user
[-2147483632] Message (trial-user):
[-2147483632] Authentication successful for trial-user to X.X.X.X
[-2147483632] Retrieved User Attributes:
[-2147483632] objectClass: value = top
[-2147483632] objectClass: value = person
[-2147483632] objectClass: value = organizationalPerson
[-2147483632] objectClass: value = user
[-2147483632] cn: value = trial-user
[-2147483632] givenName: value = trial-user
[-2147483632] distinguishedName: value = CN=trial-user,dn:CN=xxxxx,OU=xxxxxx,OU=xxxxxxxx xxxxxxxxx,OU=xxxxxxx,DC=xxx,DC=x
[-2147483632] instanceType: value = 4
[-2147483632] whenCreated: value = 20161021151630.0Z
[-2147483632] whenChanged: value = 20180816093108.0Z
[-2147483632] displayName: value = trial-user
[-2147483632] uSNCreated: value = 47800
[-2147483632] memberOf: value = CN=trial-group,OU=XXXXx,OU=XXXXXXXXX,OU=XXXXXXXXXXXXXX,OU=XXXXX
[-2147483632] mapped to IETF-Radius-Class: value = POLICY-VPN
[-2147483632] mapped to LDAP-Class: value = POLICY-VPN
[-2147483632] uSNChanged: value = 117759399
[-2147483632] proxyAddresses: value = x500:/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recip
[-2147483632] name: value = trial-user
[-2147483632] objectGUID: value = =.....GF..t).9%.
[-2147483632] userAccountControl: value = 512
[-2147483632] badPwdCount: value = 0
[-2147483632] codePage: value = 0
[-2147483632] countryCode: value = 0
[-2147483632] homeDirectory: value =
[-2147483632] homeDrive: value = X:
[-2147483632] badPasswordTime: value = 131788855117568122
[-2147483632] lastLogoff: value = 0
[-2147483632] lastLogon: value = 131786432079238875
[-2147483632] logonHours: value = .....................
[-2147483632] pwdLastSet: value = 131788854689281980
[-2147483632] primaryGroupID: value = 513
[-2147483632] objectSid: value = ..............U..9"...|#uF..
[-2147483632] accountExpires: value = 0
[-2147483632] logonCount: value = 83
[-2147483632] sAMAccountName: value = trial-user
[-2147483632] sAMAccountType: value = 805306368
[-2147483632] legacyExchangeDN: value =
[-2147483632] userPrincipalName: value = trial-user@xxxxxxxx.x
[-2147483632] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=xxx,DC=xxxxx
[-2147483632] dSCorePropagationData: value = 20180620111125.0Z
[-2147483632] dSCorePropagationData: value = 20180406141225.0Z
[-2147483632] dSCorePropagationData: value = 20171121092406.0Z
[-2147483632] dSCorePropagationData: value = 20171121092324.0Z
[-2147483632] dSCorePropagationData: value = 16010714223233.0Z
[-2147483632] lastLogonTimestamp: value = 131786432079238875
[-2147483632] mAPIRecipient: value = TRUE
[-2147483632] protocolSettings: value = OWA..1
[-2147483632] protocolSettings: value = HTTP..1..1............
[-2147483632] msExchPreviousRecipientTypeDetails: value = 1
[-2147483632] msExchRecipientSoftDeletedStatus: value = 0
[-2147483632] msExchShadowMailNickname: value = trial-user
[-2147483632] msDS-ExternalDirectoryObjectId: value = User_72fcde18-d0b7-48cd-b158-dbf3b25cde1d
[-2147483632] msExchShadowProxyAddresses: value = SMTP:trial-user@asst-lecco.it
[-2147483632] msExchUMDtmfMap: value = emailAddress:7288663
[-2147483632] msExchUMDtmfMap: value = lastNameFirstName:7288663
[-2147483632] msExchUMDtmfMap: value = firstNameLastName:7288663
[-2147483632] msExchWhenMailboxCreated: value = 20170119081242.0Z
[-2147483632] Fiber exit Tx=588 bytes Rx=3845 bytes, status=1
[-2147483632] Session End
INFO: Authentication Successful
If I try authentication with AnyConnect, the debug output is this:
asaX1/internet(config)# #0x00002aaaef7d2e00 (POST). Request line:/
#0x00002aaaef7d2e00 File to execute: /CSCOSSLC/config-auth
/CSCOSSLC/config-auth
Processing client request
XML successfully parsed
Processing request (init)
INIT-no-cert: Client has not sent a certificate
INIT-no-cert: Resolve tunnel group (DefaultWEBVPNGroup) alias (NULL) Cert or URL mapped NO
INIT-no-cert: Client advertised multi-cert authentication support
[10118226] Created auth info for client X.X.X.X
[10118226] Started timer (3 mins) for auth info for client X.X.X.X
Generating auth request
rcode from handler = 0
Sending response
#0x00002aaaef7d3580 (POST). Request line:/
#0x00002aaaef7d3580 File to execute: /CSCOSSLC/config-auth
/CSCOSSLC/config-auth
Processing client request
XML successfully parsed
Processing request (auth-reply)
auth-reply:[10118226] searching for authinfo
[10118226] Found auth info for client X.X.X.X, update expire timer (3 mins)
Found tunnel group (DefaultWEBVPNGroup) alias NULL
Auth-reply: no AAA handle, opening
Opened AAA handle 1862722
Making AAA request for user trial-user
[28319] Session Start
[28319] New request Session, context 0x00002aab10597928, reqType = Authentication
[28319] Fiber started
[28319] Creating LDAP context with uri=ldap://X.X.X.X:389
[28319] Connect to LDAP server: ldap://X.X.X.X:389, status = Successful
[28319] supportedLDAPVersion: value = 3
[28319] supportedLDAPVersion: value = 2
[28319] Binding as ldapbind
[28319] Performing Simple authentication for ldapbind to X.X.X.X
[28319] LDAP Search:
Base DN = [DC=XXXX,DC=lXXXXX]
Filter = [sAMAccountName=trial-user]
Scope = [SUBTREE]
[28319] User DN = [CN=xxxxx,OU=xxxxxx,OU=xxxxxxxx xxxxxxxxx,OU=xxxxxxx,DC=xxx,DC=xxxxx]
[28319] Talking to Active Directory server X.X.X.X
[28319] Reading password policy for trial-user, dn:CN=xxxxx,OU=xxxxxx,OU=xxxxxxxx xxxxxxxxx,OU=xxxxxxx,DC=xxx,DC=xxxxx
[28319] Read bad password count 0
[28319] Binding as trial-user
[28319] Performing Simple authentication for trial-user to X.X.X.X
[28319] Processing LDAP response for user trial-user
[28319] Message (trial-user):
[28319] Authentication successful for trial-user to X.X.X.X
[28319] Retrieved User Attributes:
[28319] objectClass: value = top
[28319] objectClass: value = person
[28319] objectClass: value = organizationalPerson
[28319] objectClass: value = user
[28319] cn: value = trial-user
[28319] givenName: value = trial-user
[28319] distinguishedName: value = CN=trial-user,dn:CN=xxxxx,OU=xxxxxx,OU=xxxxxxxx xxxxxxxxx,OU=xxxxxxx,DC=xxx,DC=x
[28319] instanceType: value = 4
[28319] whenCreated: value = 20161021151630.0Z
[28319] whenChanged: value = 20180816093113.0Z
[28319] displayName: value = trial-user
[28319] uSNCreated: value = 47512
[28319] memberOf: value = CN=trial-group,OU=XXXXx,OU=XXXXXXXXX,OU=XXXXXXXXXXXXXX,OU=XXXXX
[28319] mapped to IETF-Radius-Class: value = POLICY-VPN
[28319] mapped to LDAP-Class: value = POLICY-VPN
[28319] uSNChanged: value = 96045593
[28319] proxyAddresses: value = x500:/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recip
[28319] name: value = trial-user
[28319] objectGUID: value = =.....GF..t).9%.
[28319] userAccountControl: value = 512
[28319] badPwdCount: value = 0
[28319] codePage: value = 0
[28319] countryCode: value = 0
[28319] homeDirectory: value =
[28319] homeDrive: value = X:
[28319] badPasswordTime: value = 131788855117555151
[28319] lastLogoff: value = 0
[28319] lastLogon: value = 131788857300261619
[28319] logonHours: value = .....................
[28319] pwdLastSet: value = 131788854689281980
[28319] primaryGroupID: value = 513
[28319] objectSid: value = ..............U..9"...|#uF..
[28319] accountExpires: value = 0
[28319] logonCount: value = 62
[28319] sAMAccountName: value = trial-user
[28319] sAMAccountType: value = 805306368
[28319] legacyExchangeDN: value = /o=AOLC/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=patt
[28319] userPrincipalName: value = trial-user@xxxxxxxx.x
[28319] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=xxx,DC=xxxxx
[28319] dSCorePropagationData: value = 20180620111130.0Z
[28319] dSCorePropagationData: value = 20180406141217.0Z
[28319] dSCorePropagationData: value = 20171121092414.0Z
[28319] dSCorePropagationData: value = 20171121092329.0Z
[28319] dSCorePropagationData: value = 16010714223233.0Z
[28319] lastLogonTimestamp: value = 131786432079238875
[28319] mAPIRecipient: value = TRUE
[28319] protocolSettings: value = OWA..1
[28319] protocolSettings: value = HTTP..1..1............
[28319] msExchPreviousRecipientTypeDetails: value = 1
[28319] msExchRecipientSoftDeletedStatus: value = 0
[28319] msExchShadowMailNickname: value = trial-user
[28319] msDS-ExternalDirectoryObjectId: value = User_72fcde18-d0b7-48cd-b158-dbf3b25cde1d
[28319] msExchShadowProxyAddresses: value = SMTP:trial-user@xxxxxxxx.x
[28319] msExchUMDtmfMap: value = emailAddress:7288663
[28319] msExchUMDtmfMap: value = lastNameFirstName:7288663
[28319] msExchUMDtmfMap: value = firstNameLastName:7288663
[28319] msExchWhenMailboxCreated: value = 20170119081242.0Z
[28319] Fiber exit Tx=588 bytes Rx=3844 bytes, status=1
[28319] Session End
AAA request finished
Auth Failed, generating auth request
rcode from handler = 0
Sending response
Closing AAA handle 1862722
Can anyone help me with this authentication issue?
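The post above relies on two things working together: the `ldap attribute-map` turning a `memberOf` DN into an `IETF-Radius-Class` value, and that value naming a `group-policy` that actually exists on the ASA (otherwise the tunnel-group's `default-group-policy`, here NOACCESS with `vpn-simultaneous-logins 0`, is what the user gets). The following is an added example, not Cisco code and not part of the original post: it emulates that lookup offline and pulls the mapping result and LDAP status out of `debug ldap 255`-style lines. The DNs, the second map-value and the POLICY-ADMIN policy are constructed for illustration, and the matching rules (exact DN string comparison, first matching group wins when a user is in several mapped groups) are assumptions to verify against your ASA version.

```python
"""Emulate an ASA 'ldap attribute-map' lookup and sanity-check LDAP debug output.

Added example, not Cisco code. Group names and DNs below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed attribute-map modelled on the post. The second map-value and the
# POLICY-ADMIN group-policy are hypothetical, added to show multi-group behaviour.
ATTRIBUTE_MAP = """
ldap attribute-map Gruppi_LDAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=trial-group,OU=VPN,DC=example,DC=local" POLICY-VPN
 map-value memberOf "CN=vpn-admins,OU=VPN,DC=example,DC=local" POLICY-ADMIN
"""

# group-policy name -> vpn-simultaneous-logins (NOACCESS and POLICY-VPN from the post)
GROUP_POLICIES: Dict[str, int] = {"NOACCESS": 0, "POLICY-VPN": 5, "POLICY-ADMIN": 5}
DEFAULT_GROUP_POLICY = "NOACCESS"  # tunnel-group default-group-policy in the post


def parse_attribute_map(text: str) -> Tuple[Dict[str, str], Dict[Tuple[str, str], str]]:
    """Parse map-name / map-value lines into two lookup tables."""
    names: Dict[str, str] = {}              # ldap attribute -> cisco attribute
    values: Dict[Tuple[str, str], str] = {}  # (ldap attribute, ldap value) -> mapped value
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"map-name\s+(\S+)\s+(\S+)$", line)
        if m:
            names[m.group(1)] = m.group(2)
            continue
        # the DN is quoted; the ASA needs the quotes when the DN contains spaces
        m = re.match(r'map-value\s+(\S+)\s+"([^"]*)"\s+(\S+)$', line)
        if m:
            values[(m.group(1), m.group(2))] = m.group(3)
    return names, values


def resolve_group_policy(member_of: List[str], names: Dict[str, str],
                         values: Dict[Tuple[str, str], str],
                         default: str) -> Tuple[str, List[str]]:
    """Return (effective group-policy, every mapped class) for a user's memberOf list.

    Assumptions (verify on your ASA version): DNs are compared as exact strings,
    and when several of the user's groups are mapped, the first one in the order
    the directory returned them wins. Both rules live in this one function.
    """
    mapped: List[str] = []
    if "memberOf" in names:
        for dn in member_of:
            hit = values.get(("memberOf", dn))
            if hit is not None:
                mapped.append(hit)
    # nothing matched -> the tunnel-group's default-group-policy applies
    return (mapped[0] if mapped else default), mapped


def effective_login_limit(policy: str) -> Optional[int]:
    """vpn-simultaneous-logins of the policy; 0 means the user is effectively denied."""
    return GROUP_POLICIES.get(policy)


# Constructed excerpt in the shape of the debug lines quoted in the post.
DEBUG_SAMPLE = """
[28319] memberOf: value = CN=trial-group,OU=VPN,DC=example,DC=local
[28319] mapped to IETF-Radius-Class: value = POLICY-VPN
[28319] mapped to LDAP-Class: value = POLICY-VPN
[28319] Fiber exit Tx=588 bytes Rx=3844 bytes, status=1
"""


def check_debug(transcript: str, policies: Dict[str, int]) -> dict:
    """Extract the mapped class and fiber status from a debug transcript.

    Flags the two things to check first: did any map-value match, and does the
    mapped name exist as a configured group-policy (a typo there cannot be applied).
    """
    m = re.search(r"mapped to IETF-Radius-Class: value = (\S+)", transcript)
    mapped = m.group(1) if m else None
    s = re.search(r"Fiber exit .*status=(\d+)", transcript)
    return {
        "mapped_class": mapped,
        "policy_exists": mapped in policies,
        "ldap_auth_ok": s is not None and s.group(1) == "1",
    }


if __name__ == "__main__":
    names, values = parse_attribute_map(ATTRIBUTE_MAP)
    user_groups = ["CN=trial-group,OU=VPN,DC=example,DC=local"]
    policy, hits = resolve_group_policy(user_groups, names, values, DEFAULT_GROUP_POLICY)
    print(policy, hits, "simultaneous-logins:", effective_login_limit(policy))
    print(check_debug(DEBUG_SAMPLE, GROUP_POLICIES))
```

Run it against your own `show running-config ldap attribute-map` and a pasted debug transcript: a user whose DN is not in any `map-value` lands on NOACCESS with a login limit of 0, which is what the post's configuration intends, and `policy_exists` being False points at a mismatch between the mapped name and the `group-policy` names on the box.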
08-16-2018 03:54 PM
I suggest verifying your config against the documented steps at:
How To Configure Posture with AnyConnect Compliance Module and ISE 2.0
Otherwise troubleshooting is best done with TAC.
08-18-2018 11:40 AM
Configuration verified, but nothing else...
I tried to follow the posted link for the common part, but nothing is different...
The ISE section was not considered.