ASA 8.2.5 LDAP authentication by memberof doesn't always work
06-22-2011 01:29 PM - edited 03-10-2019 06:11 PM
I've configured LDAP authentication to allow access if members are a member of the "VPN_Users" Group. This configuration is working, but only for some users. For other users it isn't. The output of the 'debug ldap 255' shows an output of memberOf for the users that it's working for, but shows nothing for users it's not working for. I've not been able to figure out any connection or differences that are the same between those users that work and those that don't. Any idea on what might be causing this problem? Both working and non-working users will authenticate; it's just that some of them don't pull the memberOf data in the LDAP query.
Config:
aaa-server AD protocol ldap
aaa-server AD (inside) host btfs2
ldap-base-dn dc=localdomain,dc=com
ldap-scope subtree
ldap-naming-attribute samAccountName
ldap-login-password *****
ldap-login-dn svc-cisco@localdomain.com
server-type microsoft
ldap-attribute-map VPNGroup
ldap attribute-map VPNGroup
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=VPN_Users,OU=Security Groups,OU=Company OU,DC=localdomain,DC=com" btvpn
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol IPSec svc
webvpn
svc ask none default svc
group-policy btvpn internal
group-policy btvpn attributes
banner value This is a private data network. All connections are logged and are subject to
banner value monitoring. Unauthorized access is prohibited and will be prosecuted.
dns-server value 10.0.0.x 10.0.0.y
vpn-simultaneous-logins 10
vpn-tunnel-protocol IPSec l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittun
default-domain value localdomain.com
webvpn
svc keep-installer installed
svc rekey time 120
svc rekey method ssl
svc ask enable default svc
tunnel-group btvpn type remote-access
tunnel-group btvpn general-attributes
address-pool vpnpool
authentication-server-group AD LOCAL
default-group-policy NOACCESS
tunnel-group btvpn webvpn-attributes
group-alias webvpn enable
tunnel-group btvpn ipsec-attributes
pre-shared-key *****
Non-working user:
[1575] Session Start
[1575] New request Session, context 0xd7fbf210, reqType = Authentication
[1575] Fiber started
[1575] Creating LDAP context with uri=ldap://10.0.0.x:389
[1575] Connect to LDAP server: ldap://10.0.0.x:389, status = Successful
[1575] supportedLDAPVersion: value = 3
[1575] supportedLDAPVersion: value = 2
[1575] Binding as svc-cisco@localdomain.com
[1575] Performing Simple authentication for svc-cisco@localdomain.com to 10.0.0.x
[1575] LDAP Search:
Base DN = [dc=localdomain,dc=com]
Filter = [samAccountName=cmcbride]
Scope = [SUBTREE]
[1575] User DN = [CN=Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com]
[1575] Talking to Active Directory server 10.0.0.x
[1575] Reading password policy for cmcbride, dn:CN=Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com
[1575] Binding as cmcbride
[1575] Performing Simple authentication for cmcbride to 10.0.0.x
[1575] Processing LDAP response for user cmcbride
[1575] Message (cmcbride):
[1575] Authentication successful for cmcbride to 10.0.0.x
[1575] Retrieved User Attributes:
[1575] objectClass: value = top
[1575] objectClass: value = person
[1575] objectClass: value = organizationalPerson
[1575] objectClass: value = user
[1575] cn: value = Chris McBride
[1575] sn: value = McBride
[1575] l: value = Tulsa
[1575] description: value = cmcbride non-admin test account
[1575] givenName: value = Chris
[1575] distinguishedName: value = CN=Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=co
[1575] displayName: value = Chris McBride
[1575] name: value = Chris McBride
[1575] objectGUID: value = ....5..L...[..K.
[1575] codePage: value = 0
[1575] countryCode: value = 0
[1575] primaryGroupID: value = 513
[1575] objectSid: value = ...............1...{C..2....
[1575] sAMAccountName: value = cmcbride
[1575] sAMAccountType: value = 805306368
[1575] userPrincipalName: value = cmcbride@localdomain.com
[1575] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=localdomain,DC=com
[1575] Fiber exit Tx=616 bytes Rx=2007 bytes, status=1
[1575] Session End
Working user:
[1585] Session Start
[1585] New request Session, context 0xd7fbf210, reqType = Authentication
[1585] Fiber started
[1585] Creating LDAP context with uri=ldap://10.0.0.x:389
[1585] Connect to LDAP server: ldap://10.0.0.x:389, status = Successful
[1585] supportedLDAPVersion: value = 3
[1585] supportedLDAPVersion: value = 2
[1585] Binding as svc-cisco@localdomain.com
[1585] Performing Simple authentication for svc-cisco@localdomain.com to 10.0.0.x
[1585] LDAP Search:
Base DN = [dc=localdomain,dc=com]
Filter = [samAccountName=cmcbride_a]
Scope = [SUBTREE]
[1585] User DN = [CN=Admin Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com]
[1585] Talking to Active Directory server 10.0.0.x
[1585] Reading password policy for cmcbride_a, dn:CN=Admin Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com
[1585] Read bad password count 0
[1585] Binding as cmcbride_a
[1585] Performing Simple authentication for cmcbride_a to 10.0.0.x
[1585] Processing LDAP response for user cmcbride_a
[1585] Message (cmcbride_a):
[1585] Authentication successful for cmcbride_a to 10.0.0.x
[1585] Retrieved User Attributes:
[1585] objectClass: value = top
[1585] objectClass: value = person
[1585] objectClass: value = organizationalPerson
[1585] objectClass: value = user
[1585] cn: value = Admin Chris McBride
[1585] sn: value = McBride
[1585] description: value = PTC User, cjm 05312011
[1585] givenName: value = Chris
[1585] distinguishedName: value = CN=Admin Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain
[1585] instanceType: value = 4
[1585] whenCreated: value = 20110525173004.0Z
[1585] whenChanged: value = 20110619154158.0Z
[1585] displayName: value = Admin Chris McBride
[1585] uSNCreated: value = 6188062
[1585] memberOf: value = CN=VPN_Users,OU=Security Groups,OU=Company OU,DC=localdomain,DC=com
[1585] mapped to IETF-Radius-Class: value = btvpn
[1585] mapped to LDAP-Class: value = btvpn
[1585] memberOf: value = CN=Websense Filtered Group,OU=Distribution Groups,OU=Company OU,DC=baer-t
[1585] mapped to IETF-Radius-Class: value = CN=Websense Filtered Group,OU=Distribution Groups,OU=Company OU,DC=localdomain,DC=com
[1585] mapped to LDAP-Class: value = CN=Websense Filtered Group,OU=Distribution Groups,OU=Company OU,DC=localdomain,DC=com
[1585] memberOf: value = CN=TS_Sec_Admin,OU=Terminal Server 2003,DC=localdomain,DC=com
[1585] mapped to IETF-Radius-Class: value = CN=TS_Sec_Admin,OU=Terminal Server 2003,DC=localdomain,DC=com
[1585] mapped to LDAP-Class: value = CN=TS_Sec_Admin,OU=Terminal Server 2003,DC=localdomain,DC=com
[1585] memberOf: value = CN=Domain Admins,CN=Users,DC=localdomain,DC=com
[1585] mapped to IETF-Radius-Class: value = CN=Domain Admins,CN=Users,DC=localdomain,DC=com
[1585] mapped to LDAP-Class: value = CN=Domain Admins,CN=Users,DC=localdomain,DC=com
[1585] memberOf: value = CN=Enterprise Admins,CN=Users,DC=localdomain,DC=com
[1585] mapped to IETF-Radius-Class: value = CN=Enterprise Admins,CN=Users,DC=localdomain,DC=com
[1585] mapped to LDAP-Class: value = CN=Enterprise Admins,CN=Users,DC=localdomain,DC=com
[1585] memberOf: value = CN=Schema Admins,CN=Users,DC=localdomain,DC=com
[1585] mapped to IETF-Radius-Class: value = CN=Schema Admins,CN=Users,DC=localdomain,DC=com
[1585] mapped to LDAP-Class: value = CN=Schema Admins,CN=Users,DC=localdomain,DC=com
[1585] uSNChanged: value = 6560745
[1585] name: value = Admin Chris McBride
[1585] objectGUID: value = ..Kj4..E..c.VCHT
[1585] userAccountControl: value = 512
[1585] badPwdCount: value = 0
[1585] codePage: value = 0
[1585] countryCode: value = 0
[1585] badPasswordTime: value = 129531669834218721
[1585] lastLogoff: value = 0
[1585] lastLogon: value = 129532463799841621
[1585] scriptPath: value = SLOGIC.BAT
[1585] pwdLastSet: value = 129508182041981337
[1585] primaryGroupID: value = 513
[1585] objectSid: value = ...............1...{C..2. ..
[1585] adminCount: value = 1
[1585] accountExpires: value = 9223372036854775807
[1585] logonCount: value = 90
[1585] sAMAccountName: value = cmcbride_a
[1585] sAMAccountType: value = 805306368
[1585] userPrincipalName: value = cmcbride_a@localdomain.com
[1585] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=localdomain,DC=com
[1585] dSCorePropagationData: value = 20110525174152.0Z
[1585] dSCorePropagationData: value = 16010101000000.0Z
[1585] lastLogonTimestamp: value = 129529717185508866
[1585] msTSExpireDate: value = 20110803160858.0Z
[1585] msTSLicenseVersion: value = 393216
[1585] msTSManagingLS: value = 92573-029-5868087-27549
[1585] Fiber exit Tx=633 bytes Rx=3420 bytes, status=1
[1585] Session End
06-30-2011 10:46 AM
As far as your configuration is concerned, it looks perfectly fine. As you mentioned, the difference between the working and non-working debugs is that in the non-working debugs we do not see the memberOf attribute being retrieved.
The main reason could be that the username "svc-cisco@localdomain.com" with which you are performing the LDAP bind does not have sufficient privileges to retrieve all the attributes from all the users in the AD. This looks like a permission issue at the AD user level.
One thing you can try on the AD is to "Delegate Control" to this user (svc-cisco@localdomain.com) to "Read all properties" for all users and not just a subset of users. Please get in touch with your AD admin before making such a change on the AD.
Here is an external link just to give an idea about delegation of control to "Read all properties"
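A defender-side check for the symptom in this thread, added here as an example and not code from the thread or from Cisco: it groups `debug ldap 255` output by session id, replays the thread's attribute map (memberOf VPN_Users maps to btvpn, anything else falls to the NOACCESS default), and separates a user whose query returned no memberOf at all (the bind-account permission problem described above) from a user who simply is not in VPN_Users. The sample debug lines are constructed in the thread's format, and the policy lookup is a simplified model of the ASA's behaviour.

```python
import re

# Values from the thread's configuration (ldap attribute-map VPNGroup and
# default-group-policy NOACCESS). The lookup is a simplified model, not Cisco code.
VPN_GROUP_DN = "CN=VPN_Users,OU=Security Groups,OU=Company OU,DC=localdomain,DC=com"
MAP_VALUES = {VPN_GROUP_DN.lower(): "btvpn"}  # map-value memberOf "<DN>" btvpn
DEFAULT_GROUP_POLICY = "NOACCESS"             # vpn-simultaneous-logins 0

def parse_debug(text):
    """Group 'debug ldap 255' lines by session id; keep the auth result and memberOf values."""
    sessions = {}
    for sid, body in re.findall(r"^\s*\[(\d+)\]\s+(.*?)\s*$", text, re.M):
        s = sessions.setdefault(sid, {"user": "", "auth": False, "memberOf": []})
        if body.startswith("Authentication successful for "):
            s["user"], s["auth"] = body.split()[3], True
        elif body.startswith("memberOf: value = "):
            s["memberOf"].append(body[len("memberOf: value = "):])
    return sessions

def effective_policy(member_of):
    """First memberOf value with a map-value entry wins; otherwise the tunnel-group default."""
    for dn in member_of:
        if dn.lower() in MAP_VALUES:
            return MAP_VALUES[dn.lower()]
    return DEFAULT_GROUP_POLICY

def diagnose(session):
    """Tell 'bind account could not read memberOf' apart from 'user is not in VPN_Users'."""
    if not session["auth"]:
        return "auth-failed"
    if not session["memberOf"]:
        return "no-memberof-returned: check the ldap-login-dn account's read rights"
    return effective_policy(session["memberOf"])

# Constructed sample in the format of the thread's debug output, not the original lines.
SAMPLE = """\
[1575] Authentication successful for cmcbride to 10.0.0.x
[1575] sAMAccountName: value = cmcbride
[1585] Authentication successful for cmcbride_a to 10.0.0.x
[1585] memberOf: value = CN=Domain Admins,CN=Users,DC=localdomain,DC=com
[1585] memberOf: value = CN=VPN_Users,OU=Security Groups,OU=Company OU,DC=localdomain,DC=com
[1590] Authentication successful for jdoe to 10.0.0.x
[1590] memberOf: value = CN=Domain Users,CN=Users,DC=localdomain,DC=com
"""

def report(text=SAMPLE):
    return {s["user"]: diagnose(s) for s in parse_debug(text).values()}
```

Feed it the real debug capture instead of SAMPLE; any authenticated user who comes back as "no-memberof-returned" points at the bind account's read permissions rather than at group membership.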
01-29-2013 09:17 AM
I had an identical issue as OP. I was able to give the 'ldap-login-dn' user Account Operator privileges and then succeeded in solving the issue. I am rating your post 5 stars since it would have fixed me.
