WEBVPN user authenticated through LDAP failure!

dugolotti
Level 1

Hello,

I'm trying to configure an ASA5510 with release 9.1(1) in order to authenticate VPN AnyConnect users through LDAP. In a first step the logs show me this kind of error:

[-2147483632] Session Start

[-2147483632] New request Session, context 0xadf415d4, reqType = Authentication

[-2147483632] Fiber started

[-2147483632] Creating LDAP context with uri=ldap://192.168.4.251:389

[-2147483632] Connect to LDAP server: ldap://192.168.4.251:389, status = Successful

[-2147483632] supportedLDAPVersion: value = 3

[-2147483632] supportedLDAPVersion: value = 2

[-2147483632] Binding as XUSERX

[-2147483632] Performing Simple authentication for XUSERX to 192.168.4.251

[-2147483632] Simple authentication for XUSERX returned code (8) Strong(er) authentication required

[-2147483632] Failed to bind as administrator returned code (-1) Can't contact LDAP server

[-2147483632] Fiber exit Tx=211 bytes Rx=682 bytes, status=-2

[-2147483632] Session End

ERROR: Authentication Server not responding: AAA Server has been removed

So I've changed the aaa-server configuration in order to use a different method for SASL (digest-MD5); the logs follow:

test aaa-server authentication LDAP_SRV_GRP host 192.168.4.251 usernam$

INFO: Attempting Authentication test to IP address <ipc01> (timeout: 12 seconds)

[-2147483608] Session Start

[-2147483608] New request Session, context 0xade91d2c, reqType = Authentication

[-2147483608] Fiber started

[-2147483608] Creating LDAP context with uri=ldap://192.168.4.251:389

[-2147483608] Connect to LDAP server: ldap://192.168.4.251:389, status = Successful

[-2147483608] supportedLDAPVersion: value = 3

[-2147483608] supportedLDAPVersion: value = 2

[-2147483608] Binding as XUSERX

[-2147483608] Performing SASL authentication for XUSERX to 192.168.4.251

[-2147483608] Server supports the following SASL methods: GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5

[-2147483608] hostname = 192.168.4.251

[-2147483608] SASL authentication start with mechanism DIGEST-MD5 for XUSERX

[-2147483608] getsimple:4002 [XUSERX]

[-2147483608] getsimple:4001 [XUSERX]

[-2147483608] getsecret: [*********]

[-2147483608] SASL step for XUSERX returned code (1) another step is needed in authentication

[-2147483608] SASL authentication for XUSERX with mechanism DIGEST-MD5 rejected

[-2147483608] Failed to bind as administrator returned code (-1) Can't contact LDAP server

[-2147483608] Fiber exit Tx=616 bytes Rx=859 bytes, status=-2

[-2147483608] Session End

ERROR: Authentication Server not responding: AAA Server has been removed

It seems that I have made one step forward but have not solved the problem.

Could someone give me some suggestions?

The aaa-server configuration part follows:

ipcasa# sh run aaa-server
aaa-server LDAP_SRV_GRP protocol ldap
 reactivation-mode depletion deadtime 1
aaa-server LDAP_SRV_GRP (corporate) host ipc01
 server-port 389
 ldap-base-dn dc=ipc, dc=local
 ldap-scope subtree
 ldap-login-password *****
 ldap-login-dn cn=XUSERX, cn=users, dc=ipc, dc=local
 sasl-mechanism digest-md5
 server-type microsoft
aaa-server LDAP_SRV_GRP (corporate) host 192.168.4.253
 server-port 389
 ldap-base-dn dc=ipc, dc=it
 ldap-scope subtree
 ldap-login-password *****
 ldap-login-dn cn=XUSERX, cn=users, dc=ipc, dc=local
 sasl-mechanism digest-md5
 server-type microsoft
aaa-server KRB01 protocol kerberos
aaa-server KRB01 (corporate) host 192.168.4.253
 kerberos-realm IPC.LOCAL

Thanks in advance for any suggestions!

Denni

2 Replies

Keith Wood
Level 1

Any resolution?

I'm pretty sure you need to use LDAP over SSL (port 686, I think) to have that work.
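For reference, the debug output in the original post already names the real failure on the first attempt: the domain controller answers the simple bind with LDAP result code 8, strongerAuthRequired. That is the response an Active Directory DC gives to a plaintext simple bind on TCP 389 when it is configured to require LDAP signing, so no amount of retrying on 389 will help, and the later DIGEST-MD5 attempt is rejected by the server as well. The "Can't contact LDAP server" and "AAA Server has been removed" lines that follow are only the consequences of the failed bind. The usual fix is to move the bind to LDAPS, which listens on TCP 636, so that the simple bind and every user lookup run inside TLS. The configuration below is an added example written for this thread; it is not the original poster's configuration and not taken from Cisco documentation. It keeps the group, host and bind-account names from the thread, uses `<bind-password>` as a placeholder, and assumes the directory is `dc=ipc,dc=local` on both hosts (the posted second host uses `dc=ipc,dc=it` as its base DN while its login DN is under `dc=ipc,dc=local`, which would likely also break the user search on that host). It also assumes the ASA has been given the CA that issued the DC's LDAPS certificate; whether a given ASA release enforces server certificate validation for LDAPS should be checked in that release's documentation rather than assumed.

```cisco
! --- BEFORE (the posted first attempt, reduced to the lines that matter):
! plaintext simple bind on TCP 389. A DC that requires LDAP signing
! answers the bind with result code 8 (strongerAuthRequired).
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (corporate) host ipc01
 server-port 389
 ldap-base-dn dc=ipc,dc=local
 ldap-scope subtree
 ldap-login-dn cn=XUSERX,cn=users,dc=ipc,dc=local
 ldap-login-password <bind-password>
 server-type microsoft
!
! --- AFTER (added example): the same bind account, but over LDAPS on 636.
! The bind and the user lookups are now inside TLS, which satisfies the
! DC's signing requirement and keeps the bind password and the VPN users'
! credentials out of clear text on the wire. sasl-mechanism digest-md5 is
! deliberately absent: the DC rejected it, and a simple bind inside TLS
! is what the DC policy is asking for.
aaa-server LDAP_SRV_GRP protocol ldap
 reactivation-mode depletion deadtime 1
aaa-server LDAP_SRV_GRP (corporate) host ipc01
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn dc=ipc,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=XUSERX,cn=users,dc=ipc,dc=local
 ldap-login-password <bind-password>
 server-type microsoft
!
! Second host: identical settings. The base DN must exist on this DC;
! the posted dc=ipc,dc=it does not match the login DN's dc=ipc,dc=local.
aaa-server LDAP_SRV_GRP (corporate) host 192.168.4.253
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn dc=ipc,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=XUSERX,cn=users,dc=ipc,dc=local
 ldap-login-password <bind-password>
 server-type microsoft
```

To check the change, enable `debug ldap 255` and rerun the same `test aaa-server authentication LDAP_SRV_GRP host ipc01 username ... password ...` command used in the original post: the bind for the login DN should now return success instead of code 8, and only then is it worth pointing the AnyConnect tunnel-group at the group with `authentication-server-group LDAP_SRV_GRP`. The bind account `XUSERX` only needs read access to the user objects it searches for, so it should not be a domain administrator; if the bind ever fails with result code 49 (invalidCredentials) after the move to 636, the password or DN is wrong, which is a different problem from the one in this thread.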