ASA 5520 SSL VPN LDAP authentication problems

Adam Hudson
Level 1

I have an SSL (client) VPN set up on my ASA 5520. It worked with a self-signed certificate and one locally generated username/password. Taking the next step, I'm trying to get the firewall to connect to my Domain Controller via LDAP and authenticate against Active Directory. Server is running 2008.

Following these instructions: http://theitjanitor.com/configuring-cisco-asa-vp-with-active-directory-authentication/

I've gotten to the point where I can test against active directory and get in, also I can get AD groups from my server on the ASA. My problem, I can't connect in via my AnyConnect client on my Android. I immediately get a "log in failed" and I know I'm using the right username/pass. Doing a little troubleshooting, I have attached my AnyConnect debug log and the results of the "debug ldap 255" command on the ASA. Also, I've used ldp.exe to determine I can connect in with the username/password combo I'm using.

Combing through the AnyConnect logs I see a few instances of "global error unexpected" but no Google searches have brought up anything useful.

Can anyone help or at least point me in the right direction?

7 Replies

Julio Carvajal
VIP Alumni

Hello Adam,

Is there a way you could post the VPN configuration and if you can run the LDAP debug for the Android user connection,

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

jcarvaja, there's no output when I run "debug ldap 255" and try to connect with the Android phone. Attached is a text file that I believe is all of the VPN parts of my ASA config; certainly let me know if you need more.

Hello Adam,

You are missing the LDAP attribute mapping configuration,

Please configure that and let us know the result,

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Adam,

From the debug LDAP output, user authentication seems okay.

Nevertheless, no group-policy was mapped. You mentioned something about an LDAP attribute map; could you please attach the configuration of the specific profile, the AAA server and the LDAP attribute map involved during this connection attempt.

Also a "debug aaa common" would be very helpful.

Hope to help.

Portu.

Please rate any helpful posts.

Javier,

Attached to this response is the debug output. Hopefully the other information you're asking for is in the sanitized config I attached to the previous response. Please let me know if you need more.

Dear Adam,

From your previous post:

    AAA FSM: In AAA_NextFunction
    AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
    AAA_NextFunction: authen svr = LOCAL, author svr = , user pol = , tunn pol = DfltGrpPolicy
    AAA_NextFunction: New i_fsm_state = IFSM_DONE,
    AAA FSM: In AAA_ProcessFinal
    AAA FSM: In AAA_Callback

Interesting, according to your output I can conclude that the authentication server is the "LOCAL" database and there is no authorization server.

    Local authentication of user useradmin
    authen svr = LOCAL, author svr =

So, I think you are trying to connect to:

    tunnel-group VPN5 type remote-access
    tunnel-group VPN5 general-attributes
     address-pool VPN5Pool
     authentication-server-group OWLDC1
     default-group-policy VPN5GrpPolicy
     dhcp-server 11.2.1.38

But it does not have any specific attributes defined either for IPsec or AnyConnect...

How are you trying to reach this group?

If with AnyConnect then make the following changes:

    tunnel-group VPN5 webvpn-attributes
     group-alias VPN5 enable
    !

So next time you connect you will see the group-alias in the drop down menu option.

On the other hand, I do not see any LDAP attribute map. Please check this out to configure it:

PIX/ASA 8.0: Use LDAP Authentication to Assign a Group Policy at Login

Let me know if you have any questions.

Portu.

Please rate any helpful posts.

Per your and jcarvaja's instruction I added an LDAP attribute map and the "group-alias VPN5 enable" line. This allowed me to get one user I have set up, but not others. I can post debugs for that, but as of right now that isn't my main problem.

My main problem is this: When I used the ldp.exe program to navigate Active Directory via LDAP I see the OUs my users are located under and I see the CN entries for the individual users. The way we have our AD set up, the CN entries look like ./ (example: Smith,/ John) because we have their display names in AD set up as last name comma first name. I can't give my VPN users names like Smith,/ John to log in to the VPN.

My question is: Is there another attribute I can use to set as their username on the VPN?

Thanks,
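The pieces Julio and Portu asked for above (an LDAP attribute map so AD group membership selects the group-policy, and a group-alias so AnyConnect lands in tunnel-group VPN5 instead of the default tunnel group), together with a naming attribute relevant to Adam's last question, as one added worked configuration. This is not config from the thread, from Adam's attachment, or from Cisco's documentation. OWLDC1, VPN5, VPN5Pool, VPN5GrpPolicy and 11.2.1.38 are taken from the thread; the domain controller address, the DNs, the "VPN Users" group, the service-account name and the NOACCESS policy are assumptions. It also assumes sAMAccountName (the AD logon name, which has no comma) as the LDAP naming attribute, so users log in with their account name rather than the "Last, First" CN.

```cisco
! Added example, not from the thread. Names, DNs and the DC address are assumed.
!
! 1. Attribute map: AD "memberOf" value -> ASA Group-Policy.
!    Only members of the named AD group receive VPN5GrpPolicy.
ldap attribute-map AD-VPN-MAP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN Users,OU=Groups,DC=example,DC=local" VPN5GrpPolicy

! 2. Deny-by-default policy: a user who authenticates to AD but matches no
!    map-value inherits this and cannot bring up a session (0 logins).
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! 3. Policy for mapped users (already exists on Adam's ASA per the thread).
group-policy VPN5GrpPolicy internal
group-policy VPN5GrpPolicy attributes
 vpn-tunnel-protocol ssl-client

! 4. AAA server group pointing at the domain controller (address assumed).
!    ldap-naming-attribute sAMAccountName makes the VPN username the AD
!    logon name, so the "Smith, John" CN format is never typed by the user.
!    The bind account only needs read access to the user/group objects.
aaa-server OWLDC1 protocol ldap
aaa-server OWLDC1 (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=local
 ldap-login-password <service-account-password>
 server-type microsoft
 ldap-attribute-map AD-VPN-MAP

! 5. Tunnel group: authenticate against OWLDC1, fall back to NOACCESS when
!    no policy is mapped, and expose a group-alias so AnyConnect selects
!    VPN5 (the debug in the thread showed "tunn pol = DfltGrpPolicy",
!    i.e. the client was hitting the default tunnel group and LOCAL auth).
tunnel-group VPN5 type remote-access
tunnel-group VPN5 general-attributes
 address-pool VPN5Pool
 authentication-server-group OWLDC1
 default-group-policy NOACCESS
 dhcp-server 11.2.1.38
tunnel-group VPN5 webvpn-attributes
 group-alias VPN5 enable
```

To check the mapping from the CLI, `test aaa-server authentication OWLDC1 username <user> password <pass>` confirms the bind and search, and `debug ldap 255` followed by a client connection should then show the memberOf value being matched and `Group-Policy` being returned; if the debug prints nothing at all, the client is still hitting a different tunnel group (the symptom Adam reported before the group-alias was added).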
