Cisco ASA5510 VPN authentication with LDAP: "Password change at VPN login doesn't work"

Hello community,

I have the following problem. I configured VPN authentication with LDAP on a Cisco ASA5510. It works fine, but one thing doesn't work.

If I configure the user in my Active Directory for "User must change password at next logon", the password change prompt appears (see screenshot AnyConnect1), but when the user wants to change his password, the password is not accepted by the system (see screenshot AnyConnect2).

In the Group Policies on my Active Directory I disabled all features (see screenshot Pic1).

I tried all combinations for the password, but nothing is accepted.

On the ASA I configured LDAP over SSL, and in the Tunnel Group I enabled password management with "Notify user 2 days prior to password expiration".

Can anyone help me?

Thanks

Matthias

3 Replies

Marcin Latosiewicz
Cisco Employee

Matthias,

I would also have a look at what's going on on the LDAP/AD side.

Attach:

debug aaa common 255

debug ldap 255

While you're performing this, let's see what's going on.

Or open up a TAC case if it's urgent.

M.

Hi,

Thanks for the answer. I started the debug modes.

Here is the output, but I don't understand the message.

AAA API: In aaa_open

AAA session opened: handle = 311

AAA API: In aaa_process_async

aaa_process_async: sending AAA_MSG_PROCESS

AAA task: aaa_process_msg(0xa93887b0) received message type 0

AAA FSM: In AAA_StartAAATransaction

AAA FSM: In AAA_InitTransaction

Initiating authentication to primary server (Svr Grp: LDAP_Srv)

------------------------------------------------

AAA FSM: In AAA_BindServer

AAA_BindServer: Using server: 172.16.1.230

AAA FSM: In AAA_SendMsg

User: test100

Resp:

[556] Session Start

[556] New request Session, context 0xad506fe4, reqType = Authentication

[556] Fiber started

[556] Creating LDAP context with uri=ldaps://172.16.1.230:636

[556] Connect to LDAP server: ldaps://172.16.1.230:636, status = Successful

[556] supportedLDAPVersion: value = 3

[556] supportedLDAPVersion: value = 2

[556] Binding as VPN User

[556] Performing Simple authentication for VPN User to 172.16.1.230

[556] LDAP Search:

        Base DN = [DC=solutioncenter, DC=computacenter, DC=de]

        Filter  = [sAMAccountName=test100]

        Scope   = [SUBTREE]

[556] User DN = [CN=test100,OU=SC Mitarbeiter,OU=Benutzer,DC=solutioncenter,DC=computacenter,DC=de]

[556] Talking to Active Directory server 172.16.1.230

[556] Reading password policy for test100, dn:CN=test100,OU=SC Mitarbeiter,OU=Benutzer,DC=solutioncenter,DC=computacenter,DC=de

[556] Read bad password count 2

[556] Binding as test100

[556] Performing Simple authentication for test100 to 172.16.1.230

[556] Simple authentication for test100 returned code (49) Invalid credentials

[556] Message (test100): 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1

[556] Checking password policy

[556] New password is required for test100

callback_aaa_task: status = -1, msg =

AAA FSM: In aaa_backend_callback

aaa_backend_callback: Handle = 311, pAcb = 0xad8e47c0

[556] Fiber exit Tx=828 bytes Rx=3078 bytes, status=-1

[556] Session End

AAA task: aaa_process_msg(0xa93887b0) received message type 1

AAA FSM: In AAA_ProcSvrResp

Back End response:

------------------

Authentication Status: -1 (REJECT)

AAA FSM: In AAA_NextFunction

AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT

AAA_NextFunction: authen svr = LDAP_Srv, author svr = , user pol = , tunn pol = 89.SolutionCenter-Admins

AAA_NextFunction: New i_fsm_state = IFSM_DONE,

AAA FSM: In AAA_ProcessFinal

AAA FSM: In AAA_Callback

user attributes:

  1     LDAP password change allowed(20483)      4    1

  2     LDAP password minimum length(20484)      4    7

  3     LDAP password expired(20486)      4    1

  4     Password change server type(20487)      4    7

  5     Password change username(20488)      7    "test100"

  6     Password change password(20489)     18    (hidden)

user policy attributes:

None

tunnel policy attributes:

None

Auth Status = REJECT

aaai_internal_cb: handle is 311, pAcb is 0xad8e47c0, pAcb->tq.tqh_first is 0x00000000

AAA API: In aaa_process_async

aaa_process_async: sending AAA_MSG_PROCESS

AAA task: aaa_process_msg(0xa93887b0) received message type 0

AAA FSM: In AAA_StartAAATransaction

AAA FSM: In AAA_InitTransaction

Initiating authentication to primary server (Svr Grp: LDAP_Srv)

------------------------------------------------

AAA FSM: In AAA_BindServer

AAA_BindServer: Using server: 172.16.1.230

AAA FSM: In AAA_SendMsg

User: test100

Resp:

[557] Session Start

[557] New request Session, context 0xad506fe4, reqType = Modify Password

[557] Fiber started

[557] Creating LDAP context with uri=ldaps://172.16.1.230:636

[557] Connect to LDAP server: ldaps://172.16.1.230:636, status = Successful

[557] supportedLDAPVersion: value = 3

[557] supportedLDAPVersion: value = 2

[557] Binding as VPN User

[557] Performing Simple authentication for VPN User to 172.16.1.230

[557] LDAP Search:

        Base DN = [DC=solutioncenter, DC=computacenter, DC=de]

        Filter  = [sAMAccountName=test100]

        Scope   = [SUBTREE]

[557] User DN = [CN=test100,OU=SC Mitarbeiter,OU=Benutzer,DC=solutioncenter,DC=computacenter,DC=de]

[557] Talking to Active Directory server 172.16.1.230

[557] Reading password policy for test100, dn:CN=test100,OU=SC Mitarbeiter,OU=Benutzer,DC=solutioncenter,DC=computacenter,DC=de

[557] Read bad password count 2

[557] Modify Password for test100 successfully converted password to unicode

callback_aaa_task: status = -1, msg =

AAA FSM: In aaa_backend_callback

aaa_backend_callback: Handle = 311, pAcb = 0xad8e47c0

[557] Fiber exit Tx=856 bytes Rx=3068 bytes, status=-1

[557] Session End

AAA task: aaa_process_msg(0xa93887b0) received message type 1

AAA FSM: In AAA_ProcSvrResp

Back End response:

------------------

Authentication Status: -1 (REJECT)

AAA FSM: In AAA_NextFunction

AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT

AAA_NextFunction: authen svr = LDAP_Srv, author svr = , user pol = , tunn pol = 89.SolutionCenter-Admins

AAA_NextFunction: New i_fsm_state = IFSM_DONE,

AAA FSM: In AAA_ProcessFinal

AAA FSM: In AAA_Callback

user attributes:

None

user policy attributes:

None

tunnel policy attributes:

None

Auth Status = REJECT

aaai_internal_cb: handle is 311, pAcb is 0xad8e47c0, pAcb->tq.tqh_first is 0x00000000

AAA API: In aaa_close

AAA task: aaa_process_msg(0xa93887b0) received message type 3

In aaai_close_session (311)

Matthias,

As far as I remember the flow looks correct, I don't have a reference on top to check it out ATM.

There is a reject from the backend LDAP server once you try to submit the password. Are you sure the user you use to bind in LDAP can write to AD (for users logging in)?

M.
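As an added example (not part of this thread and not Cisco tooling), a small Python parser for the "debug ldap 255" output posted above: it pulls the request type, LDAP result code, AD sub-code and exit status out of each [NNN] session, maps the well-known AD sub-code 773 to "must reset password", and flags the Modify Password session that was rejected without any LDAP error line, which is the point the last reply raises. The AD sub-code table and the hint text are my own; the sample lines are excerpted from the post.

```python
import re
AD_DATA_CODES = {  # well-known AD sub-codes carried as "data NNN" with LDAP result 49
    "52e": "invalid credentials (wrong password)",
    "532": "password expired",
    "773": "user must reset password at next logon",
    "775": "account locked out",
}
SESSION_RE = re.compile(r"^\[(\d+)\] (.*)$")
FIELDS = [  # (key, pattern on the line body, converter for the captured value)
    ("reqType", re.compile(r"reqType = (.+)$"), str.strip),
    ("ldap_code", re.compile(r"returned code \((\d+)\)"), int),
    ("ad_data", re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)"), str.lower),
    ("status", re.compile(r"Fiber exit .*status=(-?\d+)"), int),
]
# Constructed sample: lines excerpted from the debug output posted above.
SAMPLE_DEBUG = """\
[556] New request Session, context 0xad506fe4, reqType = Authentication
[556] Simple authentication for test100 returned code (49) Invalid credentials
[556] Message (test100): 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1
[556] Fiber exit Tx=828 bytes Rx=3078 bytes, status=-1
[557] New request Session, context 0xad506fe4, reqType = Modify Password
[557] Modify Password for test100 successfully converted password to unicode
[557] Fiber exit Tx=856 bytes Rx=3068 bytes, status=-1
"""

def parse_sessions(text):
    """Summarise each [NNN] LDAP session in 'debug ldap 255' output."""
    sessions = {}
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue  # AAA FSM chatter and indented search details carry no session id
        sid, body = m.groups()
        s = sessions.setdefault(sid, {k: None for k, _, _ in FIELDS})
        for key, rx, conv in FIELDS:
            hit = rx.search(body)
            if hit:
                s[key] = conv(hit.group(1))
        if s["ad_data"]:
            s["ad_reason"] = AD_DATA_CODES.get(s["ad_data"], "unknown AD sub-code")
    return sessions

def diagnose(sessions):
    # One-line hint per session; the Modify Password case is the point raised in the last reply.
    hints = {}
    for sid, s in sessions.items():
        if s["reqType"] == "Modify Password" and s["status"] == -1 and s["ldap_code"] is None:
            hints[sid] = "password write rejected, no LDAP result logged: verify the login DN can write the password and the ASA uses LDAPS"
        else:
            hints[sid] = s.get("ad_reason") or ("ok" if s["status"] == 0 else "rejected")
    return hints
```

Feed it the full debug capture rather than the excerpt; lines without a [NNN] prefix are ignored, so the AAA FSM noise does not need to be stripped first.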