08-12-2015 10:21 AM - edited 03-10-2019 10:58 PM
Hope this is the right category for this issue...
I am trying to set up SSL VPN for my users with an ASA. I am using a 5505 in my lab. The VPN users will need to authenticate against the Active Directory. I set up the AAA server using LDAP to a Microsoft server. Everything works fine without any encryption. If I try to use LDAP over SSL or use SASL MD5 authentication, it errors out on me. I've spoken with the Active Directory admins in our company and they stated that SSL over port 636 does not work, but that TLS over port 389 does. They have tested this with the Microsoft LDAP admin tool.
Is there an option for using LDAP over TLS? I tried setting it to use SSL on port 389, but it didn't work. Also, if I try to turn on the SASL MD5 authentication, the debug tells me that "another step is needed in authentication".
Debug output from trying to use MD5:
FWANLAB# test aaa-server authentication Buckeye-AD host 172.16.173.75 username...
INFO: Attempting Authentication test to IP address <172.16.173.75> (timeout: 10 seconds)
[-2147483630] Session Start
[-2147483630] New request Session, context 0xcce4a35c, reqType = Authentication
[-2147483630] Fiber started
[-2147483630] Creating LDAP context with uri=ldap://172.16.173.75:389
[-2147483630] Connect to LDAP server: ldap://172.16.173.75:389, status = Successful
[-2147483630] supportedLDAPVersion: value = 3
[-2147483630] supportedLDAPVersion: value = 2
[-2147483630] Binding as VPN LDAP
[-2147483630] Performing SASL authentication for VPN LDAP to 172.16.173.75
[-2147483630] Server supports the following SASL methods: GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5
[-2147483630] hostname = 172.16.173.75
[-2147483630] SASL authentication start with mechanism DIGEST-MD5 for VPN LDAP
[-2147483630] getsimple:4002 [VPN LDAP]
[-2147483630] getsimple:4001 [VPN LDAP]
[-2147483630] getsecret: [***************]
[-2147483630] SASL step for VPN LDAP returned code (1) another step is needed in authentication
[-2147483630] SASL authentication for VPN LDAP with mechanism DIGEST-MD5 rejected
[-2147483630] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[-2147483630] Fiber exit Tx=632 bytes Rx=912 bytes, status=-2
[-2147483630] Session End
ERROR: Authentication Server not responding: AAA Server has been removed
FWANLAB# test aaa-server authentication Buckeye-AD host 172.16.173.75 username$
INFO: Attempting Authentication test to IP address <172.16.173.75> (timeout: 10 seconds)
I haven't been able to find any information on this last issue. I've tried various combinations with the two settings (SSL and MD5), but can't get either one to work.
The ASA 5505 is running Version 9.1(6)8.
Current config that works without encryption:
aaa-server Buckeye-AD protocol ldap
aaa-server Buckeye-AD (inside) host 172.16.173.75
timeout 5
server-port 389
ldap-base-dn dc=buckeyehq, dc=com
ldap-group-base-dn dc=buckeyehq, dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=VPN LDAP,OU=Service Accounts,DC=buckeyehq,DC=com
server-type microsoft
If anyone can point me in the right direction, I'd appreciate it.
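The question turns on two different ways of putting TLS under LDAP. LDAPS starts the TLS handshake as the first bytes on the connection (conventionally port 636), which is what the ASA's ldap-over-ssl option speaks; STARTTLS opens a plaintext LDAP session on 389 and then sends an ExtendedRequest (OID 1.3.6.1.4.1.1466.20037) asking the server to upgrade the socket. A client that sends a TLS ClientHello to 389 is therefore talking the wrong protocol to that port, which matches the failed "SSL on port 389" attempt above. The script below is an added example, not something from the thread or from Cisco; it probes a domain controller both ways so a firewall administrator can confirm what the AD team reports instead of guessing at the ASA side. It uses only the Python standard library, builds the StartTLS request by hand, and parses the server's ExtendedResponse; the host name, the ca_file argument and the two sample response byte strings are constructed for illustration.

```python
"""Probe an LDAP server for LDAPS (TLS first, port 636) versus STARTTLS
(plaintext LDAP on 389, then an upgrade). Added example; hosts, ports and
the SAMPLE_* byte strings are constructed, not captured from the thread."""
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511


def ber_tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }.
    message_id is assumed to fit in one byte (1..127) for this probe."""
    ext = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))  # 0x77 = APPLICATION 23, constructed
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + ext)


def ber_read(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV that starts at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(msg: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse."""
    tag, body, _ = ber_read(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = ber_read(body)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = ber_read(body, pos)
    if tag != 0x78:  # 0x78 = APPLICATION 24, ExtendedResponse
        raise ValueError("server answered with tag 0x%02x, not an ExtendedResponse" % tag)
    _, code, pos = ber_read(op)       # resultCode ENUMERATED (0 = success)
    _, _, pos = ber_read(op, pos)     # matchedDN, unused here
    _, diag, _ = ber_read(op, pos)    # diagnosticMessage
    return (int.from_bytes(mid, "big"), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise if the peer closes early."""
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed before a full LDAP message arrived")
        data += chunk
    return data


def recv_ber_message(sock: socket.socket) -> bytes:
    """Read one BER-framed LDAPMessage, honouring short and long length forms."""
    head = recv_exact(sock, 2)
    if head[1] < 0x80:
        remaining = head[1]
    else:
        lenbytes = recv_exact(sock, head[1] & 0x7F)
        head += lenbytes
        remaining = int.from_bytes(lenbytes, "big")
    return head + recv_exact(sock, remaining)


def probe_ldaps(host: str, port: int = 636, ca_file=None, timeout: float = 5.0):
    """TLS from the first byte: the LDAPS model the ASA's ldap-over-ssl option uses."""
    ctx = ssl.create_default_context(cafile=ca_file)  # verify the DC's certificate chain
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert().get("subject")


def probe_starttls(host: str, port: int = 389, ca_file=None, timeout: float = 5.0):
    """Plaintext connect, StartTLS extended operation, then the TLS handshake."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(starttls_request(1))
        _, code, diag = parse_extended_response(recv_ber_message(raw))
        if code != 0:
            raise RuntimeError(f"StartTLS refused: resultCode={code} {diag!r}")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert().get("subject")


# Constructed responses, used only to exercise the parser offline.
SAMPLE_STARTTLS_OK = bytes.fromhex("300c02010178070a010004000400")          # resultCode 0
SAMPLE_STARTTLS_REFUSED = bytes.fromhex("3012020101780d0a013404000406" "6e6f20544c53")  # 52, "no TLS"

if __name__ == "__main__":
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc1.example.invalid"  # constructed default
    for name, probe in (("LDAPS/636", probe_ldaps), ("STARTTLS/389", probe_starttls)):
        try:
            print(name, "ok:", probe(dc))
        except (OSError, RuntimeError, ValueError) as exc:
            print(name, "failed:", exc)
```

Run it against the domain controller's name (not its IP, so certificate name checking works) from a host that trusts the issuing CA, or pass a ca_file; a certificate failure on 636 is a different problem from a refused connection on 636, and the error text tells the two apart. If only the STARTTLS probe succeeds, the server is configured the way the AD admins described, and the encryption question has to be resolved on the server side or with LDAPS enabled there, since the ASA's ldap-over-ssl option does not perform the StartTLS upgrade.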
09-15-2016 11:31 AM
Here is the solution....
#First, create the AAA server group and select protocol LDAP; the name can be what you like
aaa-server LDAP-XXX-AD protocol ldap
#Second associate ldap maps to server
ldap attribute-map LDAP_memberOf_ServiceType
#Third, associate values to the ldap map - this is what determines which members will have access by linking to an AD group. memberOf is case specific and translates to what type of LDAP query is being made.
map-name memberOf IETF-Radius-Service-Type
map-value memberOf memberOf CN=Group which should have access,OU=Network,OU=Security,OU=DOMAIN
#Fifth, create the AAA server (host entry goes in the group created in the first step)
aaa-server LDAP-XXX-AD (outside) host 'IP ADDRESS'
ldap-base-dn 'OU Where the users will reside' DC=XXX,DC=XXX,DC=NET
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password #Password for account which allows access to AD
ldap-login-dn #Username for account which allows access to AD
server-type microsoft
ldap-attribute-map LDAP_memberOf_ServiceType #LDAP Attribute name
#Seventh, enable AAA for SSH and for enable
aaa authentication ssh console LDAP-XXX-AD LOCAL
aaa authentication enable console LDAP-XXX-AD LOCAL
I hope this helps.
09-15-2016 11:38 AM
Thanks christophergday. Unfortunately a little late. I no longer have the lab ASA to validate the setup. The company wound up purchasing some Pulse Secure gear.
11-20-2016 02:17 PM
Hi ChristopherGDay,
I have the same problem as jlmickens but unfortunately I can't make your solution work. Could you take a look at my config and debug log to see if you find something?
ldap attribute-map VPNUSERSGROUP
map-name memberOf IETF-Radius-Service-Type
map-value memberOf memberOf CN=VPNUSERS,OU=Multi-site,OU=Permissions,OU=Groups,OU=VMG,DC=ad,DC=mydomain,DC=com
aaa-server VMG_LDAP protocol ldap
aaa-server VMG_LDAP (VRFPrivate) host 192.168.110.11
ldap-base-dn cn=Users,dc=ad,dc=mydomain,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cvl-asa-5505-f1@ad.mydomain.com
sasl-mechanism digest-md5
server-type microsoft
ldap-attribute-map VPNUSERSGROUP
group-policy ikev2-policy internal
group-policy ikev2-policy attributes
vpn-tunnel-protocol ikev2
group-policy VPNUSERSPOLICY internal
group-policy VPNUSERSPOLICY attributes
wins-server none
dns-server value 192.168.110.11 192.168.110.6
vpn-filter value VPNUSERS
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLITTUNNEL
default-domain value ad.mydomain.com
tunnel-group VPNUSERS type remote-access
tunnel-group VPNUSERS general-attributes
address-pool VPNPOOL
authentication-server-group VMG_LDAP
default-group-policy VPNUSERSPOLICY
tunnel-group VPNUSERS webvpn-attributes
group-alias VPNUSERS enable
If I remove the line "authentication-server-group VMG_LDAP" everything works perfectly (with a local user). But as soon as I add it, I can't authenticate. Here is the debug I get:
# test aaa-server authentication VMG_LDAP host 192.168.110.11 username CVL-ASA-5505-F1 password ********
Any idea?
Any help would be greatly appreciated.
Thanks