AnyConnect users authenticating via AD. How to assign different users to different group policies

Hello,

Currently we use the local user database on the Cisco ASA for our AnyConnect users. We have two group policies: one allows the users assigned to it to reach all internal networks apart from the DEV networks; the other allows the users assigned to it to reach all the normal networks and the DEV networks.

While this works fine for local user authentication, I am wondering how to achieve the same if we enforce users to authenticate their AnyConnect sessions using their Active Directory credentials. Can we tie certain Active Directory users to certain group policies?

Thanks

Nick

Accepted Solution

Rahul Govindan
VIP Alumni

You can use the Active Directory membership (memberOf) attribute to assign group-policies to users. This can be achieved by using the LDAP attribute map configuration as seen below:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc14
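The linked document describes the mechanism; the following is an added example of what the resulting ASA configuration looks like end to end. It is not from the original post or from the Cisco documents, and it reuses only the values visible in this thread (domain secure.local, server 10.10.2.10, the DEV group, the FC_ANYCONNECT_DEV policy, the administrator bind account). The second AD group (CN=VPN-Users), the second policy (FC_ANYCONNECT_STD), the bind-account DN, the vpn-filter ACL names and the map/server/tunnel-group names are assumptions for illustration.

```cisco
! Added example (not from the thread): AD group -> ASA group-policy via LDAP attribute map.
! Assumed names: AD-GROUP-MAP, AD-LDAP, ANYCONNECT-AD, NOACCESS, FC_ANYCONNECT_STD,
! CN=VPN-Users, the ACLs ALLOW-ALL-INC-DEV / ALLOW-ALL-NO-DEV (not shown), and the bind DN.

! 1. Map the AD memberOf attribute onto the ASA Group-Policy attribute.
!    Only DNs listed with map-value yield a policy; any other memberOf value is ignored.
ldap attribute-map AD-GROUP-MAP
 map-name  memberOf Group-Policy
 map-value memberOf CN=DEV,CN=Users,DC=secure,DC=local        FC_ANYCONNECT_DEV
 map-value memberOf CN=VPN-Users,CN=Users,DC=secure,DC=local  FC_ANYCONNECT_STD

! 2. LDAP server. A simple bind over ldap://:389 carries the bind account's and every
!    VPN user's password in cleartext on the wire; server-port 636 plus
!    ldap-over-ssl enable moves it onto LDAPS (the DC's certificate must be trusted).
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.10.2.10
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn DC=secure,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=administrator,CN=Users,DC=secure,DC=local
 ldap-login-password <bind-account-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! 3. Fail closed: a user whose memberOf matches no map-value gets the tunnel-group's
!    default policy, so make that policy refuse the session.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! 4. Every policy named in a map-value must exist and allow the AnyConnect protocol;
!    the per-policy vpn-filter ACL is what actually separates DEV from non-DEV reach.
group-policy FC_ANYCONNECT_DEV internal
group-policy FC_ANYCONNECT_DEV attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value ALLOW-ALL-INC-DEV
group-policy FC_ANYCONNECT_STD internal
group-policy FC_ANYCONNECT_STD attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value ALLOW-ALL-NO-DEV

! 5. The AnyConnect tunnel-group authenticates against AD and defaults to NOACCESS.
tunnel-group ANYCONNECT-AD type remote-access
tunnel-group ANYCONNECT-AD general-attributes
 authentication-server-group AD-LDAP
 default-group-policy NOACCESS
```

Two caveats worth checking in the lab before rolling this out. First, memberOf lists only direct, non-primary group membership: a user's primary group (primaryGroupID 513, Domain Users, in a default domain) never appears in memberOf, and nested groups are not expanded, so the groups named in map-value must be ones users are direct members of. Second, a `debug ldap 255` line reading `mapped to ... FC_ANYCONNECT_DEV` proves only that the attribute map fired; `show vpn-sessiondb anyconnect` is what reports the group policy actually applied to an admitted session, and a mapped policy that does not exist or does not permit ssl-client will still fail the connection after a successful bind.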

5 Replies

Thanks Rahul,

I will have a read through the document.

Hi,

I have created the mapping as per another document which seemed fairly straight forward.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html

I can see in the debugging that the group policy is being referenced when I authenticate with the AnyConnect client against AD, and authentication seems successful, but the AnyConnect client just keeps asking me for the password again, and this just keeps happening. So I guess I am missing a final piece of the puzzle.

Debug below:

debug ldap enabled at level 255
HQ-FW01#
[78] Session Start
[78] New request Session, context 0x00007fac6da0c498, reqType = Authentication
[78] Fiber started
[78] Creating LDAP context with uri=ldap://10.10.2.10:389
[78] Connect to LDAP server: ldap://10.10.2.10:389, status = Successful
[78] supportedLDAPVersion: value = 3
[78] supportedLDAPVersion: value = 2
[78] Binding as administrator
[78] Performing Simple authentication for administrator to 10.10.2.10
[78] LDAP Search:
        Base DN = [DC=secure,DC=local]
        Filter  = [sAMAccountName=dev2]
        Scope   = [SUBTREE]
[78] User DN = [CN=dev2,CN=Users,DC=secure,DC=local]
[78] Talking to Active Directory server 10.10.2.10
[78] Reading password policy for dev2, dn:CN=dev2,CN=Users,DC=secure,DC=local
[78] Read bad password count 0
[78] Binding as dev2
[78] Performing Simple authentication for dev2 to 10.10.2.10
[78] Processing LDAP response for user dev2
[78] Message (dev2):
[78] Authentication successful for dev2 to 10.10.2.10
[78] Retrieved User Attributes:
[78]    objectClass: value = top
[78]    objectClass: value = person
[78]    objectClass: value = organizationalPerson
[78]    objectClass: value = user
[78]    cn: value = dev2
[78]    givenName: value = dev2
[78]    distinguishedName: value = CN=dev2,CN=Users,DC=secure,DC=local
[78]    instanceType: value = 4
[78]    whenCreated: value = 20170404130613.0Z
[78]    whenChanged: value = 20170404130613.0Z
[78]    displayName: value = dev2
[78]    uSNCreated: value = 20524
[78]    memberOf: value = CN=DEV,CN=Users,DC=secure,DC=local
[78]            mapped to IETF-Radius-Class: value = FC_ANYCONNECT_DEV
[78]            mapped to LDAP-Class: value = FC_ANYCONNECT_DEV
[78]    uSNChanged: value = 20530
[78]    name: value = dev2
[78]    objectGUID: value = ..9...,L........
[78]    userAccountControl: value = 66048
[78]    badPwdCount: value = 0
[78]    codePage: value = 0
[78]    countryCode: value = 0
[78]    badPasswordTime: value = 0
[78]    lastLogoff: value = 0
[78]    lastLogon: value = 0
[78]    pwdLastSet: value = 131357847737535060
[78]    primaryGroupID: value = 513
[78]    objectSid: value = ............r..`...j.H..Y...
[78]    accountExpires: value = 9223372036854775807
[78]    logonCount: value = 0
[78]    sAMAccountName: value = dev2
[78]    sAMAccountType: value = 805306368
[78]    userPrincipalName: value = dev2@secure.local
[78]    objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=secure,DC=local
[78]    dSCorePropagationData: value = 20170404130613.0Z
[78]    dSCorePropagationData: value = 16010101000000.0Z
[78] Fiber exit Tx=530 bytes Rx=2407 bytes, status=1
[78] Session End

Any help would be great.

thanks

Maybe it is failing at some other point. Can you check the syslogs on the ASA to see if something else shows up? Also, run the following debugs when testing a connection:

debug aaa authentication

debug aggregate-auth xml 255

Thanks Rahul,

This is a lab scenario so that we can then roll it out to a client.

I will upload the debugging and the syslog and also a show run.

Any help would be fantastic.

Thanks

Nick