07-25-2016 03:22 AM
Hi ;
We have a dedicated URL so that some of our users from branch offices can visit it, log in, and then connect to their specific groups of servers. All this communication is encrypted with an SSL certificate, e.g. https://abc.xyz.comm
Now the issue is that we have recently planned to configure LDAP so that users connecting through the browser (WebVPN, no client) are authenticated against an LDAP server (Microsoft). When configured on port 389 the test from ASDM succeeds, but when the user tries to connect with the same username on the web it fails.
After debugging, the following error message appears in the CLI:
SSL-VPN# webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
I would appreciate your kind information on whether it is possible to configure LDAP for web users without any client software or not, or how to get the issue solved.
Regards;
Ghafar
07-25-2016 03:45 AM
Hi Ghafar,
Yes, of course we can have LDAP authentication for our WebVPN users. Could you send me the following:
"show run tunnel-group <TG-name>"
"show run aaa-server <server_name>"
Please run "debug ldap 255", test the VPN, then send us the debugs.
07-25-2016 04:18 AM
Hi,
Thanks for the response and assistance! Following is the information required.
tunnel-group SSL-VPN-Users webvpn-attributes
 customization AWCC-Customization
SSL-VPN# show run tunnel-group ssl
tunnel-group ssl type remote-access
tunnel-group ssl general-attributes
 address-pool VPN-POOL
 authentication-server-group WebVPN-Users LOCAL
 authorization-server-group LOCAL
 default-group-policy ssl
tunnel-group ssl webvpn-attributes
 customization AWCC-Customization
=========================================
show run aaa-server
aaa-server WebVPN-Users protocol ldap
aaa-server WebVPN-Users (inside) host 172.30.10.27
 server-port 636
 ldap-base-dn dc=afghan-wireless, dc=com
 ldap-group-base-dn dc=afghan-wireless, dc=local
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn iss@afghan-wireless.com
 ldap-over-ssl enable
 server-type microsoft
aaa-server WebVPN-Users (inside) host 172.30.10.28
 ldap-base-dn dc=afghan-wireless, dc=com
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn iss@afghan-wireless.com
 server-type microsoft
=================================
Debug Information for LDAP Over SSL port 636:
[1189] Session Start
[1189] New request Session, context 0x714e10b8, reqType = Authentication
[1189] Fiber started
[1189] Creating LDAP context with uri=ldaps://172.30.10.27:636
[1189] Connect to LDAP server: ldaps://172.30.10.27:636, status = Failed
[1189] Unable to read rootDSE. Can't contact LDAP server.
[1189] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[1189] Session End
================================
Debug Information on port 389
[1199] Session Start
[1199] New request Session, context 0x714e10b8, reqType = Authentication
[1199] Fiber started
[1199] Creating LDAP context with uri=ldap://172.30.10.27:389
[1199] Connect to LDAP server: ldap://172.30.10.27:389, status = Successful
[1199] supportedLDAPVersion: value = 3
[1199] supportedLDAPVersion: value = 2
[1199] Binding as iss@afghan-wireless.com
[1199] Performing Simple authentication for iss@afghan-wireless.com to 172.30.10.27
[1199] LDAP Search:
Base DN = [dc=afghan-wireless, dc=com]
Filter = [sAMAccountName=iss]
Scope = [SUBTREE]
[1199] User DN = [CN=Information System Security,OU=Policy_NIS,OU=IT-NIS,DC=afghan-wireless,DC=com]
[1199] Talking to Active Directory server 172.30.10.27
[1199] Reading password policy for iss, dn:CN=Information System Security,OU=Policy_NIS,OU=IT-NIS,DC=afghan-wireless,DC=com
[1199] Read bad password count 0
[1199] Binding as iss
[1199] Performing Simple authentication for iss to 172.30.10.27
[1199] Processing LDAP response for user iss
[1199] Message (iss):
[1199] Authentication successful for iss to 172.30.10.27
[1199] Retrieved User Attributes:
[1199] objectClass: value = top
[1199] objectClass: value = person
[1199] objectClass: value = organizationalPerson
[1199] objectClass: value = user
[1199] cn: value = Information System Security
[1199] sn: value = System
[1199] title: value = Information System Security
[1199] description: value = Information System Security
[1199] physicalDeliveryOfficeName: value = Yakatoot
[1199] telephoneNumber: value = +93700801080
[1199] givenName: value = Information
[1199] distinguishedName: value = CN=Information System Security,OU=Policy_NIS,OU=IT-NIS,DC=afghan-wireless,DC=com
[1199] instanceType: value = 4
[1199] whenCreated: value = 20140625033226.0Z
[1199] whenChanged: value = 20160724032845.0Z
[1199] displayName: value = Information System Security
[1199] uSNCreated: value = 446433604
[1199] memberOf: value = CN=WebVPN-Users,OU=Cyberroam-Authentication,OU=Groups,OU=IT-NIS,DC=afghan-wirele
[1199] memberOf: value = CN=DNS-READ-ONLY,OU=Groups,OU=IT-SAT,DC=afghan-wireless,DC=com
[1199] memberOf: value = CN=All_AWCC,OU=Groups,OU=All-AWCC,DC=afghan-wireless,DC=com
[1199] uSNChanged: value = 598331353
[1199] altRecipient: value = CN=Information System Security,OU=Groups,OU=IT-NIS,DC=afghan-wireless,DC=com
[1199] department: value = IT NIS
[1199] company: value = Afghan Wireless Communication Company
[1199] homeMTA: value = CN=Microsoft MTA,CN=MAILBOX-1,CN=Servers,CN=Exchange Administrative Group (FYDIB
[1199] deliverAndRedirect: value = TRUE
[1199] proxyAddresses: value = SMTP:ISS@afghan-wireless.com
[1199] proxyAddresses: value = X400:C=us;A= ;P=First Organizati;O=Exchange;S=System;G=Information;
[1199] homeMDB: value = CN=AWCCITMailbox,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT)
[1199] mDBStorageQuota: value = 1843200
[1199] mDBOverQuotaLimit: value = 1945600
[1199] garbageCollPeriod: value = 1209600
[1199] mDBUseDefaults: value = FALSE
[1199] mailNickname: value = ISS
[1199] protocolSettings: value = OWA..1
[1199] protocolSettings: value = HTTP..1..1............
[1199] protocolSettings: value = POP3..0....................
[1199] protocolSettings: value = IMAP4..0....................
[1199] protocolSettings: value = RemotePowerShell..1
[1199] internetEncoding: value = 0
[1199] name: value = Information System Security
[1199] objectGUID: value = .V.O._.D....;..E
[1199] userAccountControl: value = 66048
[1199] badPwdCount: value = 0
[1199] codePage: value = 0
[1199] countryCode: value = 0
[1199] badPasswordTime: value = 131134830012580164
[1199] lastLogoff: value = 0
[1199] lastLogon: value = 131138130260706842
[1199] pwdLastSet: value = 131037934088721285
[1199] primaryGroupID: value = 513
[1199] objectSid: value = ............R!Fd..'..}(.A. .
[1199] accountExpires: value = 9223372036854775807
[1199] logonCount: value = 9873
[1199] sAMAccountName: value = ISS
[1199] sAMAccountType: value = 805306368
[1199] legacyExchangeDN: value = /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Reci
[1199] userPrincipalName: value = ISS@afghan-wireless.com
[1199] lockoutTime: value = 0
[1199] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=afghan-wireless,DC=com
[1199] dSCorePropagationData: value = 20160502113739.0Z
[1199] dSCorePropagationData: value = 20160225150421.0Z
[1199] dSCorePropagationData: value = 20160225144906.0Z
[1199] dSCorePropagationData: value = 20140625035321.0Z
[1199] dSCorePropagationData: value = 16010101181633.0Z
[1199] lastLogonTimestamp: value = 131138045256736849
[1199] msDS-SupportedEncryptionTypes: value = 0
[1199] textEncodedORAddress: value = X400:C=us;A= ;P=First Organizati;O=Exchange;S=System;G=Information;
[1199] mail: value = ISS@afghan-wireless.com
[1199] manager: value = CN=Fahim Asey,OU=LocalUsers,OU=Disabled ACCOUNTS,DC=afghan-wireless,DC=com
[1199] msExchHomeServerName: value = /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Conf
[1199] msExchHideFromAddressLists: value = TRUE
[1199] msExchMailboxSecurityDescriptor: value = ........ ...,...\.............................0.............................k...
[1199] msExchUserAccountControl: value = 0
[1199] mDBOverHardQuotaLimit: value = 2048000
[1199] msExchMailboxGuid: value = .o.`...A...Z..e.
[1199] msExchPoliciesIncluded: value = cd5e67a9-acb6-4801-abc6-4edefaa2a825
[1199] msExchPoliciesIncluded: value = {26491cfc-9e50-4857-861b-0cb8df22b5d7}
[1199] msExchTransportRecipientSettingsFlags: value = 3
[1199] msExchModerationFlags: value = 6
[1199] msExchRBACPolicyLink: value = CN=Default Role Assignment Policy,CN=Policies,CN=RBAC,CN=First Organization,CN=M
[1199] msExchUserCulture: value = en-US
[1199] msExchRecipientDisplayType: value = 1073741824
[1199] msExchUMEnabledFlags2: value = -1
[1199] msExchVersion: value = 44220983382016
[1199] msExchUMDtmfMap: value = emailAddress:477
[1199] msExchUMDtmfMap: value = lastNameFirstName:79783646367628466
[1199] msExchUMDtmfMap: value = firstNameLastName:46367628466797836
[1199] msExchProvisioningFlags: value = 0
[1199] msExchMDBRulesQuota: value = 64
[1199] msExchTextMessagingState: value = 302120705
[1199] msExchTextMessagingState: value = 16842751
[1199] msExchRecipientTypeDetails: value = 1
[1199] msExchWhenMailboxCreated: value = 20160512031809.0Z
[1199] Fiber exit Tx=603 bytes Rx=7327 bytes, status=1
[1199] Session End
regards,
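As an added example (not code from the thread or from Cisco), the script below lints the aaa-server block and the debug ldap 255 output posted above, using copies of those two transcripts as its sample input. It reports two things the posted configuration already shows on its own: the second host, 172.30.10.28, has no ldap-over-ssl line, so the ldap-login-dn bind and every user password go to it in clear text on 389; and ldap-group-base-dn is under dc=local while ldap-base-dn is under dc=com. From the debugs it picks out the pattern of the post: the same server authenticates the same bind account over ldap://, but over ldaps:// it returns "Can't contact LDAP server" before any bind is attempted, which points at the 636 side (listener, server certificate, TLS version) rather than at credentials or DNs.

```python
"""Triage helpers for the ASA LDAP-over-SSL failure in the post above (added example,
not code from the thread or from Cisco; sample inputs copied from the post)."""
import re

AAA_SERVER_CONFIG = """\
aaa-server WebVPN-Users protocol ldap
aaa-server WebVPN-Users (inside) host 172.30.10.27
 server-port 636
 ldap-base-dn dc=afghan-wireless, dc=com
 ldap-group-base-dn dc=afghan-wireless, dc=local
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn iss@afghan-wireless.com
 ldap-over-ssl enable
 server-type microsoft
aaa-server WebVPN-Users (inside) host 172.30.10.28
 ldap-base-dn dc=afghan-wireless, dc=com
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn iss@afghan-wireless.com
 server-type microsoft
"""
DEBUG_LDAP = """\
[1189] Creating LDAP context with uri=ldaps://172.30.10.27:636
[1189] Connect to LDAP server: ldaps://172.30.10.27:636, status = Failed
[1189] Unable to read rootDSE. Can't contact LDAP server.
[1189] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[1199] Creating LDAP context with uri=ldap://172.30.10.27:389
[1199] Connect to LDAP server: ldap://172.30.10.27:389, status = Successful
[1199] Authentication successful for iss to 172.30.10.27
[1199] Fiber exit Tx=603 bytes Rx=7327 bytes, status=1
"""


def parse_aaa_server(text):
    """Map each 'host <ip>' line of a show run aaa-server block to its sub-commands."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"aaa-server \S+ \(\S+\) host (\S+)", line)
        if m:
            current = hosts.setdefault(m.group(1), {})
        elif line and not line.startswith("aaa-server") and current is not None:
            key, _, value = line.partition(" ")  # e.g. "ldap-over-ssl" -> "enable"
            current[key] = value
    return hosts


def dc_suffix(dn):
    """Lower-cased dc= components of a DN, tolerant of spaces after commas."""
    parts = [p.strip().lower() for p in dn.split(",")]
    return ",".join(p for p in parts if p.startswith("dc="))


def lint_aaa_server(hosts):
    """Flag clear-text binds and base/group DNs that point at different domains."""
    findings = []
    for ip, a in hosts.items():
        if a.get("ldap-over-ssl") != "enable":
            findings.append(f"{ip}: ldap-over-ssl not enabled; the simple bind for "
                            f"{a.get('ldap-login-dn', '?')} and user passwords cross the wire in clear")
        base, group = a.get("ldap-base-dn"), a.get("ldap-group-base-dn")
        if base and group and dc_suffix(base) != dc_suffix(group):
            findings.append(f"{ip}: ldap-group-base-dn '{group}' is not in the domain of ldap-base-dn '{base}'")
    return findings


def parse_debug_ldap(text):
    """Collapse a debug ldap 255 transcript into one record per [session id]."""
    sessions = {}
    for line in text.splitlines():
        m = re.match(r"\[(\d+)\]\s*(.*)", line)
        if not m:
            continue  # un-prefixed continuation lines (search filter, scope) are not needed
        sid, msg = m.groups()
        s = sessions.setdefault(sid, {"uri": "", "connected": None, "auth_ok": False, "exit": None, "errors": []})
        if msg.startswith("Creating LDAP context with uri="):
            s["uri"] = msg.split("uri=", 1)[1]
        elif msg.startswith("Connect to LDAP server:"):
            s["connected"] = msg.endswith("status = Successful")
        elif msg.startswith("Authentication successful for"):
            s["auth_ok"] = True
        elif msg.startswith("Fiber exit"):
            s["exit"] = int(msg.rsplit("status=", 1)[1])
        elif "Can't contact" in msg or msg.startswith("Unable to"):
            s["errors"].append(msg)
    return sessions


def hosts_failing_only_over_tls(sessions):
    """Servers that authenticate over ldap:// but cannot even connect over ldaps://.

    That combination clears the bind DN, credentials and base DN; what is left is the
    636 side: the DC's LDAPS listener and certificate, or a TLS version the ASA build
    cannot negotiate (the thread notes TLS 1.2 support arrived in ASA 9.3)."""
    by_host = {}
    for s in sessions.values():
        m = re.match(r"(ldaps?)://([^:/]+)", s["uri"])
        if m:
            by_host.setdefault(m.group(2), {})[m.group(1)] = s
    return sorted(h for h, d in by_host.items()
                  if d.get("ldap", {}).get("auth_ok") and d.get("ldaps", {}).get("connected") is False)


if __name__ == "__main__":
    print(*lint_aaa_server(parse_aaa_server(AAA_SERVER_CONFIG)), sep="\n")
    print("transport-only failures:", hosts_failing_only_over_tls(parse_debug_ldap(DEBUG_LDAP)))
```

Run it as-is to print the findings for the posted transcripts; to use it on another box, replace the two string constants with your own show run aaa-server and debug ldap 255 output. The 389 transcript is cut down to the lines the checks read; the parser ignores the attribute dump and the un-prefixed search lines.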
07-25-2016 04:18 AM
You only sent one :)
Send me the rest please.
07-26-2016 01:11 AM
Any update please? We need to get this done!
Regards ;
Ghafar
07-26-2016 01:37 AM
I'm sorry, but for some reason I was unable to see the full outputs before.
So mainly, when LDAP over SSL is used, authentication fails, and when it is disabled, authentication succeeds.
What is your ASA version? We have some bugs filed for LDAP over SSL, like:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuv32615/?reffering_site=dumpcr
07-26-2016 03:20 AM
Our ASA is the 5520 series, and possibly the software is below version 9.
07-26-2016 09:46 PM
Hi,
Any update please!
Regards;
07-27-2016 07:36 AM
Hi Ghafar,
Are you sure that you configured the server correctly? A certificate should be used on the server for SSL negotiation.
Also, what is the TLS version used? Is it TLS 1.2?
From ASA you can collect some SSL logs during testing:
#logging class ssl mon deb
#terminal mon
07-27-2016 08:21 PM
Hi ;
The TLS version is 1.3, and I tried the command terminal mon but didn't receive anything after trying to connect from the browser. I tried reading some documents and watching videos online, but they are mostly using the client and not the browser.
Sometimes when I test the LDAP configuration it shows successful, but sometimes it responds with an error message.
Therefore, would you please give a reference to any website or document which clearly describes the steps for WebVPN users instead of the client?
Regards ;
07-28-2016 12:47 AM
Hi Ghafar,
ASA still does not support TLS 1.3. Are you sure that the server is using TLS 1.3?
07-28-2016 01:06 AM
Hi,
Thanks for the quick response. I did try reviewing the certificate information once more, and I noticed the TLS version is 1.0.
Waiting for your kind reply soon!
Regards;
07-28-2016 12:50 AM
Also, please keep in mind that TLS 1.2 is supported on ASAs starting from version 9.3.
See link:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/release/notes/asarn93.html
07-28-2016 12:36 AM
Hi ;
Any update please? It is very urgent!
Regards;