Help with Easy VPN Server with LDAP

ryan_david
Level 1

Hi,

Previously, I was able to configure our Easy VPN Server with local authentication.

But now, I am trying to use LDAP authentication to match with our policies.

Can anybody help me please to check the config and tell me what is wrong with it?

My router is a Cisco1941/K9.

Thank you in advance.

Ryan


Current configuration : 5128 bytes
!
! Last configuration change at 13:25:16 UTC Tue Aug 28 2012 by admin
! NVRAM config last updated at 05:03:14 UTC Mon Aug 27 2012 by admin
! NVRAM config last updated at 05:03:14 UTC Mon Aug 27 2012 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa group server ldap ASIA-LDAP
server server1.domain.net
!
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ASIA-LDAP-AUTHE group ldap group ASIA-LDAP
aaa authorization network VPN_Cisco local
aaa authorization network ASIA-LDAP-AUTHO group ldap group ASIA-LDAP
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
!
!
!
!
!
ip domain name domain.net
ip cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-765105936
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-765105936
revocation-check none
rsakeypair TP-self-signed-765105936
!
!
crypto pki certificate chain TP-self-signed-765105936
certificate self-signed 01
        quit
license udi pid CISCO1941/K9 sn xxxxxxxxxxx

hw-module ism 0
!
!
!
username admin privilege 15 secret 5 $1$rVI4$WIP5x6at0b1Vot5LbdlGN/
username ryan privilege 0 password 0 pass1234
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN_Group1
key xxxxxxxxxxxx
dns 10.127.8.20
pool SDM_POOL_1
acl 100
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group VPN_Group1
   client authentication list ASIA-LDAP-AUTHE
   isakmp authorization list ASIA-LDAP-AUTHO
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
!
interface Loopback0
ip address 10.127.15.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address xxx.xxx.xxx.xxx 255.255.255.224
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 10.127.31.26 255.255.255.252
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 10.127.20.129 10.127.20.254
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 10.0.0.0 255.0.0.0 10.127.31.25
ip route 10.127.20.128 255.255.255.128 GigabitEthernet0/0
!
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
!
!
!
!
!
!
!
ldap attribute-map ASIA-username-map
map type sAMAccountName username
!
ldap server server1.domain.net
ipv4 10.127.8.20
attribute map ASIA-username-map
bind authenticate root-dn CN=xxx\, S1234567,OU=Service Accounts,OU=Admin,OU=Accounts,DC=domain,DC=net password password1
base-dn DC=domain,DC=net
authentication bind-first
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input telnet
!
scheduler allocate 20000 1000
end

Router#


Ryan,

It looks like you are running into the issue documented in the section:

Issues with using "authentication bind-first" with user-defined attribute-maps:

**Then you're likely to see a failure in your authentication attempt. The error message you will see is "Invalid credentials, Result code =49". The logs will look something like the logs below:**

Which is the same error you are seeing. Go ahead and put back in your attribute mapping and test again.

If you remove the command "authentication bind-first" from the above configuration everything will work properly.

https://supportforums.cisco.com/docs/DOC-17780

Tarik Admani
*Please rate helpful posts*
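The failing combination Tarik points at can be checked for mechanically before a config is pushed. The following Python is an added example, not code from the thread or from Cisco's tooling: it parses the `ldap server` blocks out of an IOS running-config and flags any block that pairs a user-defined `attribute map` with `authentication bind-first`. The config excerpt is constructed from the one Ryan posted, with the bind DN and password replaced by placeholders.

```python
# Added example: lint IOS 'ldap server' blocks for the combination the thread
# fixes, a user-defined 'attribute map' together with 'authentication
# bind-first'. SAMPLE_CONFIG is a constructed excerpt, not a real device.
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_CONFIG = """\
ldap attribute-map ASIA-username-map
 map type sAMAccountName username
!
ldap server server1.domain.net
 ipv4 10.127.8.20
 attribute map ASIA-username-map
 bind authenticate root-dn CN=svc,OU=Service Accounts,DC=domain,DC=net password PLACEHOLDER
 base-dn DC=domain,DC=net
 authentication bind-first
!
"""

@dataclass
class LdapServer:
    name: str
    attribute_map: Optional[str] = None
    bind_first: bool = False

def parse_ldap_servers(config: str) -> List[LdapServer]:
    """Collect every 'ldap server <name>' block; a block ends at IOS's '!' separator."""
    servers: List[LdapServer] = []
    current: Optional[LdapServer] = None
    for raw in config.splitlines():
        line = raw.strip()  # tolerate pastes that lost indentation, like the thread's
        if line.startswith("ldap server "):
            current = LdapServer(name=line.split(None, 2)[2])
            servers.append(current)
        elif line == "!" or not line:
            current = None
        elif current is not None:
            if line.startswith("attribute map "):
                current.attribute_map = line.split(None, 2)[2]
            elif line == "authentication bind-first":
                current.bind_first = True
    return servers

def find_bind_first_conflicts(config: str) -> List[str]:
    """Names of servers that pair an attribute map with bind-first (the failing setup)."""
    return [s.name for s in parse_ldap_servers(config)
            if s.bind_first and s.attribute_map is not None]
```

Running `find_bind_first_conflicts` over a saved `show running-config` returns the server names that need `authentication bind-first` removed.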

Hi Tarik,

That did it.

Thanks a lot!

Cheers,

Ryan