10-17-2012 02:32 PM - edited 03-11-2019 05:10 PM
I have an SSL (client) VPN set up on my ASA 5520. It worked with a self-signed certificate and one locally generated username/password. Taking the next step, I'm trying to get the firewall to connect to my Domain Controller via LDAP and authenticate against Active Directory. The server is running 2008.
Following these instructions: http://theitjanitor.com/configuring-cisco-asa-vp-with-active-directory-authentication/
I've gotten to the point where I can test against Active Directory and get in; I can also get AD groups from my server on the ASA. My problem: I can't connect via my AnyConnect client on my Android. I immediately get a "login failed" and I know I'm using the right username/password. Doing a little troubleshooting, I have attached my AnyConnect debug log and the results of the "debug ldap 255" command on the ASA. I've also used ldp.exe to determine that I can connect with the username/password combo I'm using.
Combing through the AnyConnect logs I see a few instances of "global error unexpected", but no Google searches have brought up anything useful.
Can anyone help or at least point me in the right direction?
10-17-2012 03:02 PM
Hello Adam,
Is there a way you could post the VPN configuration and, if you can, run the LDAP debug for the Android user connection?
Regards,
10-19-2012 02:05 PM
10-20-2012 10:52 AM
Hello Adam,
You are missing the LDAP attribute map configuration.
Please configure that and let us know the result.
Regards
10-17-2012 10:05 PM
Hi Adam,
From the debug LDAP output, user authentication seems okay.
Nevertheless, no group-policy was mapped. You mentioned something about an LDAP attribute map; could you please attach the configuration of the specific profile, the AAA server and the LDAP attribute map involved in this connection attempt?
Also a "debug aaa common" would be very helpful.
Hope to help.
Portu.
Please rate any helpful posts.
10-19-2012 02:09 PM
10-20-2012 09:12 AM
Dear Adam,
From your previous post:
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
AAA_NextFunction: authen svr = LOCAL, author svr =
AAA_NextFunction: New i_fsm_state = IFSM_DONE,
AAA FSM: In AAA_ProcessFinal
AAA FSM: In AAA_Callback
Interesting; according to your output I can conclude that the authentication server is the "LOCAL" database and that there is no authorization server:
Local authentication of user useradmin
authen svr = LOCAL, author svr =
So, I think you are trying to connect to:
tunnel-group VPN5 type remote-access
tunnel-group VPN5 general-attributes
address-pool VPN5Pool
authentication-server-group OWLDC1
default-group-policy VPN5GrpPolicy
dhcp-server 11.2.1.38
But it does not have any specific attributes defined, either for IPsec or AnyConnect...
How are you trying to reach this group?
If with AnyConnect, then make the following changes:
tunnel-group VPN5 webvpn-attributes
group-alias VPN5 enable
!
So next time you connect you will see the group-alias in the drop-down menu.
On the other hand, I do not see any LDAP attribute map. Please check this out to configure it:
PIX/ASA 8.0: Use LDAP Authentication to Assign a Group Policy at Login
Let me know if you have any questions.
Portu.
Please rate any helpful posts.
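For readers following the advice above, here is an added worked example (not from any poster in this thread) of what the three pieces Portu and jcarvaja describe look like together on an ASA: the LDAP AAA server group, an LDAP attribute map that turns AD group membership into a group-policy, and the tunnel-group with its group-alias so the profile shows up in AnyConnect. Everything except the names already in the thread (OWLDC1, VPN5, VPN5Pool, VPN5GrpPolicy, 11.2.1.38) is assumed: the base DN, the service account, the group DNs, the NOACCESS policy and the choice of LDAPS on port 636. It is written for ASA 8.2 or later; on 8.0 the attribute on the map-name line is IETF-Radius-Class instead of Group-Policy, as in the Cisco document linked above.

```text
! Added example: ASA LDAP/AD configuration for AnyConnect (not the poster's config).
! Assumed: domain example.local, a read-only service account, LDAPS on 636.
aaa-server OWLDC1 protocol ldap
aaa-server OWLDC1 (inside) host 11.2.1.38
 ! Bind credentials are otherwise sent in clear text on 389; use LDAPS.
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn dc=example,dc=local
 ldap-scope subtree
 ! Users log in with their sAMAccountName, regardless of how the CN is built.
 ldap-naming-attribute sAMAccountName
 ! Use a dedicated, unprivileged bind account, never a domain admin.
 ldap-login-dn cn=svc-asa-ldap,ou=Service Accounts,dc=example,dc=local
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map VPN5-AD-MAP
!
! memberOf -> Group-Policy. The first map-value that matches one of the
! user's memberOf values wins, so list the most specific group first.
ldap attribute-map VPN5-AD-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN5-Users,OU=Groups,DC=example,DC=local" VPN5GrpPolicy
 map-value memberOf "CN=Domain Users,CN=Users,DC=example,DC=local" NOACCESS
!
! Catch-all policy for authenticated AD users who are not in the VPN group:
! zero simultaneous logins means a valid password alone does not get a tunnel.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
tunnel-group VPN5 type remote-access
tunnel-group VPN5 general-attributes
 address-pool VPN5Pool
 authentication-server-group OWLDC1
 default-group-policy VPN5GrpPolicy
 dhcp-server 11.2.1.38
tunnel-group VPN5 webvpn-attributes
 group-alias VPN5 enable
```

Two checks worth running after applying this: "test aaa-server authentication OWLDC1 host 11.2.1.38 username <user> password <pw>" confirms the bind and the naming attribute, and "debug ldap 255" followed by "debug aaa common" should now show "authen svr = OWLDC1" and the mapped group-policy instead of LOCAL. Note that with NOACCESS as the fallback, a user who authenticates but is in none of the mapped groups is rejected at login rather than silently landing in the default policy.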
10-23-2012 07:35 AM
Per your and jcarvaja's instructions I added an LDAP attribute map and the "group-alias VPN5 enable" line. This allowed one user I have set up to get in, but not others. I can post debugs for that, but as of right now that isn't my main problem.
My main problem is this: when I used the ldp.exe program to navigate Active Directory via LDAP, I see the OUs my users are located under and I see the CN entries for the individual users. The way we have our AD set up, the CN entries look like
My question is: Is there another attribute I can use to set as their username on the VPN?
Thanks,