AnyConnect Weirdness

mikedeyoung
Level 1

All,

I have configured ASA5515 WebVPN as well as LDAP integration with Windows Server 2012.

When my end-users open up Internet Explorer, navigate to HTTPs://VPN.COMPANY.COM and try to log in, they receive the error "Login failed".

I am 99.99% certain the configuration is good because of the following reasons.

Reason#1: I have verified LDAP authentication works from the CLI... "test aaa-server authentication LDAP_SERVER host X.X.X.X username NAME password PASS"... I receive the message "Authentication Successful".

Reason#2: I have enabled "debug ldap 255" and "debug webvpn" and generated debug output by attempting to login and it looks good...

[219247] Session Start
[219247] New request Session, context 0x00007fff2b71fca8, reqType = Authentication
[219247] Fiber started
[219247] Creating LDAP context with uri=ldap://x.x.x.x:389
[219247] Connect to LDAP server: ldap://x.x.x.x:389, status = Successful
[219247] supportedLDAPVersion: value = 3
[219247] supportedLDAPVersion: value = 2
[219247] Binding as Cisco Firewall
[219247] Performing Simple authentication for Cisco Firewall to x.x.x.x
[219247] LDAP Search:
        Base DN = [dc=COMPANY,dc=LOCAL]
        Filter  = [sAMAccountName=username ]
        Scope   = [SUBTREE]
[219247] User DN = [CN=username  lastname,CN=Users,DC=COMPANY,DC=LOCAL]
[219247] Talking to Active Directory server x.x.x.x
[219247] Reading password policy for username , dn:CN=username  lastname,CN=Users,DC=COMPANY,DC=LOCAL
[219247] Read bad password count 0
[219247] Binding as username 
[219247] Performing Simple authentication for username  to x.x.x.x
[219247] Processing LDAP response for user username 
[219247] Message (username ): 
[219247] Authentication successful for username  to x.x.x.x
[219247] Retrieved User Attributes:
[219247]        objectClass: value = top
[219247]        objectClass: value = person
[219247]        objectClass: value = organizationalPerson
[219247]        objectClass: value = user
[219247]        cn: value = username  lastname
[219247]        sn: value = lastname
[219247]        givenName: value = username 
[219247]        distinguishedName: value = CN=username  lastname,CN=Users,DC=COMPANY,DC=LOCAL
[219247]        instanceType: value = 4
[219247]        whenCreated: value = 20150506160057.0Z
[219247]        whenChanged: value = 20150520151111.0Z
[219247]        displayName: value = username  lastname
[219247]        uSNCreated: value = 111226
[219247]        memberOf: value = CN=CiscoAnyconnect_COMPANY,CN=Users,DC=COMPANY,DC=LOCAL
[219247]                mapped to Group-Policy: value = CN=CiscoAnyconnect_COMPANY,CN=Users,DC=COMPANY,DC=LOCAL
[219247]                mapped to LDAP-Class: value = CN=CiscoAnyconnect_COMPANY,CN=Users,DC=COMPANY,DC=LOCAL
[219247]        uSNChanged: value = 120459
[219247]        name: value = username  lastname
[219247]        objectGUID: value = .......C.......n
[219247]        userAccountControl: value = 66048
[219247]        badPwdCount: value = 0
[219247]        codePage: value = 0
[219247]        countryCode: value = 0
[219247]        badPasswordTime: value = 0
[219247]        lastLogoff: value = 0
[219247]        lastLogon: value = 0
[219247]        pwdLastSet: value = 130754016574937153
[219247]        primaryGroupID: value = 513
[219247]        objectSid: value = ............"s.!...!.:;.a...
[219247]        accountExpires: value = 9223372036854775807
[219247]        logonCount: value = 0
[219247]        sAMAccountName: value = username 
[219247]        sAMAccountType: value = 805306368
[219247]        userPrincipalName: value = username @company.LOCAL
[219247]        objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=COMPANY,DC=LOCAL
[219247]        dSCorePropagationData: value = 16010101000000.0Z
[219247]        lastLogonTimestamp: value = 130766082715215992
[219247] Fiber exit Tx=546 bytes Rx=2625 bytes, status=1
[219247] Session End
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = TG_ANYCONNECT_BIIT
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 7

Any ideas?

-mdy
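As an added example that is not part of the original post or of any Cisco tool, the following Python script parses a "debug ldap 255" transcript of the shape quoted above and pulls out the points worth checking when the LDAP bind succeeds but the portal still reports "Login failed": the authentication status, the DN the ASA bound as, every group-policy name the ASA derived from memberOf, and the account state encoded in userAccountControl and the FILETIME attributes (pwdLastSet, accountExpires). The sample transcript inside the script is constructed, trimmed to the relevant lines and using the post's placeholder values; the flag names are the documented Active Directory userAccountControl bits, and the summary key names are this script's own.

```python
"""Parse ASA 'debug ldap 255' output and surface the fields an admin checks.

Added example, not from the original thread. The sample transcript is
constructed from the shape of the post's output; the summary keys are ours.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, trimmed to the lines that matter (placeholder values as in the post).
SAMPLE_DEBUG = """\
[219247] Session Start
[219247] Connect to LDAP server: ldap://x.x.x.x:389, status = Successful
[219247] supportedLDAPVersion: value = 3
[219247] Binding as Cisco Firewall
[219247] User DN = [CN=username  lastname,CN=Users,DC=COMPANY,DC=LOCAL]
[219247] Read bad password count 0
[219247] Binding as username
[219247] Authentication successful for username  to x.x.x.x
[219247] Retrieved User Attributes:
[219247]        objectClass: value = top
[219247]        objectClass: value = user
[219247]        memberOf: value = CN=CiscoAnyconnect_COMPANY,CN=Users,DC=COMPANY,DC=LOCAL
[219247]                mapped to Group-Policy: value = CN=CiscoAnyconnect_COMPANY,CN=Users,DC=COMPANY,DC=LOCAL
[219247]                mapped to LDAP-Class: value = CN=CiscoAnyconnect_COMPANY,CN=Users,DC=COMPANY,DC=LOCAL
[219247]        userAccountControl: value = 66048
[219247]        badPwdCount: value = 0
[219247]        pwdLastSet: value = 130754016574937153
[219247]        accountExpires: value = 9223372036854775807
[219247]        sAMAccountName: value = username 
[219247] Fiber exit Tx=546 bytes Rx=2625 bytes, status=1
[219247] Session End
"""

# Documented AD userAccountControl bits (subset that matters for a logon check).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x800000: "PASSWORD_EXPIRED",
}

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_NEVER = 2**63 - 1  # accountExpires uses INT64 max for "never"
LINE_RE = re.compile(r"^\[(\d+)\]\s*(.*)$")
ATTR_RE = re.compile(r"^(mapped to )?([\w-]+): value = (.*)$")


def decode_uac(value):
    """Return the names of the known userAccountControl bits set in value."""
    value = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def filetime_to_datetime(value):
    """Convert a Windows FILETIME (100 ns ticks since 1601) to UTC; None for 0 / never."""
    ticks = int(value)
    if ticks == 0 or ticks >= _NEVER:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_ldap_debug(text):
    """Walk the transcript; collect status, bound DN, attributes and ASA mappings."""
    parsed = {"status": None, "user_dn": None, "bad_password_count": None,
              "fiber_status": None, "attributes": {}, "mappings": {}}
    in_attrs = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group(2)
        if body.startswith("Authentication successful for"):
            parsed["status"] = "success"
        elif body.startswith("User DN = ["):
            parsed["user_dn"] = body[len("User DN = ["):-1]
        elif body.startswith("Read bad password count"):
            parsed["bad_password_count"] = int(body.split()[-1])
        elif body == "Retrieved User Attributes:":
            in_attrs = True  # attribute dump follows until "Fiber exit"
        elif body.startswith("Fiber exit"):
            in_attrs = False
            fs = re.search(r"status=(\d+)", body)
            parsed["fiber_status"] = int(fs.group(1)) if fs else None
        elif in_attrs:
            am = ATTR_RE.match(body)
            if am:
                prefix, key, val = am.groups()
                target = parsed["mappings"] if prefix else parsed["attributes"]
                target.setdefault(key, []).append(val.strip())
    return parsed


def summarize(parsed):
    """Reduce a parsed transcript to the handful of facts worth comparing to the ASA config."""
    attrs = parsed["attributes"]
    flags = decode_uac(attrs.get("userAccountControl", ["0"])[0])
    return {
        "ldap_auth": parsed["status"],
        "user_dn": parsed["user_dn"],
        "group_policies_to_apply": parsed["mappings"].get("Group-Policy", []),
        "uac_flags": flags,
        "pwd_last_set": filetime_to_datetime(attrs.get("pwdLastSet", ["0"])[0]),
        "account_expires": filetime_to_datetime(attrs.get("accountExpires", ["0"])[0]),
        "account_blocked_by_ad": any(
            f in flags for f in ("ACCOUNTDISABLE", "LOCKOUT", "PASSWORD_EXPIRED")),
    }


if __name__ == "__main__":
    for key, val in summarize(parse_ldap_debug(SAMPLE_DEBUG)).items():
        print(f"{key}: {val}")
```

Two things the summary makes visible for the transcript in the post: the only group-policy name the ASA derived is the full DN of the AD group, so it is worth comparing that string against the names in "show running-config group-policy" on the ASA, and the userAccountControl value 66048 decodes to NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD with nothing disabled or locked, which rules the AD account state out as the cause. The pwdLastSet FILETIME decodes to the same instant as the whenCreated attribute, a quick sanity check that the FILETIME conversion is right.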


1 Reply

Santhosha Shetty
Cisco Employee

Hi Mdy,

Collect the following along with the LDAP debug:

debug webvpn 127

debug webvpn any 127

debug dap trace 127

debug aaa common 127

... to turn off the debugs: "undebug all"

Regards,

Santhosh