LDAP Configuration for SSL VPN (Web VPN Users) No client...

ghafar.rasoli
Level 1

Hi;

We have a dedicated URL so that some of our users from branch offices can visit it, log in, and then connect to their specific groups of servers. All of this communication is encrypted with an SSL certificate. Ex. https://abc.xyz.comm

Now the issue is that we have recently planned to configure LDAP, so users trying to connect through the browser (WebVPN, no client) should be authenticated through an LDAP server (Microsoft). When configuring with port 389 the test from ASDM is successful, but when the user tries to connect with the same username on the web it fails.

After debugging, the following error message appears in the CLI:

SSL-VPN# webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4

I would appreciate your kind information on whether it is possible to configure LDAP for web users without any client software or not, or how to get the issue solved...

Regards;

Ghafar

13 Replies

Dina Odeh
Level 1

Hi Ghafar, 

Yes, of course we can have LDAP authentication for our WebVPN users. Could you send me the following:

"show run tunnel-group <TG-name>" 

"show run aaa-server <server_name>" 

Please run "debug ldap 255", test the VPN, and then send us the debugs.

Hi,

Thanks for the response and assistance! Following is the information required.

tunnel-group SSL-VPN-Users webvpn-attributes
 customization AWCC-Customization
SSL-VPN# show run tunnel-group ssl
tunnel-group ssl type remote-access
tunnel-group ssl general-attributes
 address-pool VPN-POOL
 authentication-server-group WebVPN-Users LOCAL
 authorization-server-group LOCAL
 default-group-policy ssl
tunnel-group ssl webvpn-attributes
 customization AWCC-Customization

=========================================

show run aaa-server

aaa-server WebVPN-Users protocol ldap
aaa-server WebVPN-Users (inside) host 172.30.10.27
 server-port 636
 ldap-base-dn dc=afghan-wireless, dc=com
 ldap-group-base-dn dc=afghan-wireless, dc=local
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn iss@afghan-wireless.com
 ldap-over-ssl enable
 server-type microsoft
aaa-server WebVPN-Users (inside) host 172.30.10.28
 ldap-base-dn dc=afghan-wireless, dc=com
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn iss@afghan-wireless.com
 server-type microsoft

=================================

Debug Information for LDAP Over SSL port 636:

[1189] Session Start
[1189] New request Session, context 0x714e10b8, reqType = Authentication
[1189] Fiber started
[1189] Creating LDAP context with uri=ldaps://172.30.10.27:636
[1189] Connect to LDAP server: ldaps://172.30.10.27:636, status = Failed
[1189] Unable to read rootDSE. Can't contact LDAP server.
[1189] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[1189] Session End

================================

Debug Information on port 389

[1199] Session Start
[1199] New request Session, context 0x714e10b8, reqType = Authentication
[1199] Fiber started
[1199] Creating LDAP context with uri=ldap://172.30.10.27:389
[1199] Connect to LDAP server: ldap://172.30.10.27:389, status = Successful
[1199] supportedLDAPVersion: value = 3
[1199] supportedLDAPVersion: value = 2
[1199] Binding as iss@afghan-wireless.com
[1199] Performing Simple authentication for iss@afghan-wireless.com to 172.30.10.27
[1199] LDAP Search:
        Base DN = [dc=afghan-wireless, dc=com]
        Filter  = [sAMAccountName=iss]
        Scope   = [SUBTREE]
[1199] User DN = [CN=Information System Security,OU=Policy_NIS,OU=IT-NIS,DC=afghan-wireless,DC=com]
[1199] Talking to Active Directory server 172.30.10.27
[1199] Reading password policy for iss, dn:CN=Information System Security,OU=Policy_NIS,OU=IT-NIS,DC=afghan-wireless,DC=com
[1199] Read bad password count 0
[1199] Binding as iss
[1199] Performing Simple authentication for iss to 172.30.10.27
[1199] Processing LDAP response for user iss
[1199] Message (iss):
[1199] Authentication successful for iss to 172.30.10.27
[1199] Retrieved User Attributes:
[1199]  objectClass: value = top
[1199]  objectClass: value = person
[1199]  objectClass: value = organizationalPerson
[1199]  objectClass: value = user
[1199]  cn: value = Information System Security
[1199]  sn: value = System
[1199]  title: value = Information System Security
[1199]  description: value = Information System Security
[1199]  physicalDeliveryOfficeName: value = Yakatoot
[1199]  telephoneNumber: value = +93700801080
[1199]  givenName: value = Information
[1199]  distinguishedName: value = CN=Information System Security,OU=Policy_NIS,OU=IT-NIS,DC=afghan-wireless,DC=com
[1199]  instanceType: value = 4
[1199]  whenCreated: value = 20140625033226.0Z
[1199]  whenChanged: value = 20160724032845.0Z
[1199]  displayName: value = Information System Security
[1199]  uSNCreated: value = 446433604
[1199]  memberOf: value = CN=WebVPN-Users,OU=Cyberroam-Authentication,OU=Groups,OU=IT-NIS,DC=afghan-wirele
[1199]  memberOf: value = CN=DNS-READ-ONLY,OU=Groups,OU=IT-SAT,DC=afghan-wireless,DC=com
[1199]  memberOf: value = CN=All_AWCC,OU=Groups,OU=All-AWCC,DC=afghan-wireless,DC=com
[1199]  uSNChanged: value = 598331353
[1199]  altRecipient: value = CN=Information System Security,OU=Groups,OU=IT-NIS,DC=afghan-wireless,DC=com
[1199]  department: value = IT NIS
[1199]  company: value = Afghan Wireless Communication Company
[1199]  homeMTA: value = CN=Microsoft MTA,CN=MAILBOX-1,CN=Servers,CN=Exchange Administrative Group (FYDIB
[1199]  deliverAndRedirect: value = TRUE
[1199]  proxyAddresses: value = SMTP:ISS@afghan-wireless.com
[1199]  proxyAddresses: value = X400:C=us;A= ;P=First Organizati;O=Exchange;S=System;G=Information;
[1199]  homeMDB: value = CN=AWCCITMailbox,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT)
[1199]  mDBStorageQuota: value = 1843200
[1199]  mDBOverQuotaLimit: value = 1945600
[1199]  garbageCollPeriod: value = 1209600
[1199]  mDBUseDefaults: value = FALSE
[1199]  mailNickname: value = ISS
[1199]  protocolSettings: value = OWA..1
[1199]  protocolSettings: value = HTTP..1..1............
[1199]  protocolSettings: value = POP3..0....................
[1199]  protocolSettings: value = IMAP4..0....................
[1199]  protocolSettings: value = RemotePowerShell..1
[1199]  internetEncoding: value = 0
[1199]  name: value = Information System Security
[1199]  objectGUID: value = .V.O._.D....;..E
[1199]  userAccountControl: value = 66048
[1199]  badPwdCount: value = 0
[1199]  codePage: value = 0
[1199]  countryCode: value = 0
[1199]  badPasswordTime: value = 131134830012580164
[1199]  lastLogoff: value = 0
[1199]  lastLogon: value = 131138130260706842
[1199]  pwdLastSet: value = 131037934088721285
[1199]  primaryGroupID: value = 513
[1199]  objectSid: value = ............R!Fd..'..}(.A. .
[1199]  accountExpires: value = 9223372036854775807
[1199]  logonCount: value = 9873
[1199]  sAMAccountName: value = ISS
[1199]  sAMAccountType: value = 805306368
[1199]  legacyExchangeDN: value = /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Reci
[1199]  userPrincipalName: value = ISS@afghan-wireless.com
[1199]  lockoutTime: value = 0
[1199]  objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=afghan-wireless,DC=com
[1199]  dSCorePropagationData: value = 20160502113739.0Z
[1199]  dSCorePropagationData: value = 20160225150421.0Z
[1199]  dSCorePropagationData: value = 20160225144906.0Z
[1199]  dSCorePropagationData: value = 20140625035321.0Z
[1199]  dSCorePropagationData: value = 16010101181633.0Z
[1199]  lastLogonTimestamp: value = 131138045256736849
[1199]  msDS-SupportedEncryptionTypes: value = 0
[1199]  textEncodedORAddress: value = X400:C=us;A= ;P=First Organizati;O=Exchange;S=System;G=Information;
[1199]  mail: value = ISS@afghan-wireless.com
[1199]  manager: value = CN=Fahim Asey,OU=LocalUsers,OU=Disabled ACCOUNTS,DC=afghan-wireless,DC=com
[1199]  msExchHomeServerName: value = /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Conf
[1199]  msExchHideFromAddressLists: value = TRUE
[1199]  msExchMailboxSecurityDescriptor: value = ........ ...,...\.............................0.............................k...
[1199]  msExchUserAccountControl: value = 0
[1199]  mDBOverHardQuotaLimit: value = 2048000
[1199]  msExchMailboxGuid: value = .o.`...A...Z..e.
[1199]  msExchPoliciesIncluded: value = cd5e67a9-acb6-4801-abc6-4edefaa2a825
[1199]  msExchPoliciesIncluded: value = {26491cfc-9e50-4857-861b-0cb8df22b5d7}
[1199]  msExchTransportRecipientSettingsFlags: value = 3
[1199]  msExchModerationFlags: value = 6
[1199]  msExchRBACPolicyLink: value = CN=Default Role Assignment Policy,CN=Policies,CN=RBAC,CN=First Organization,CN=M
[1199]  msExchUserCulture: value = en-US
[1199]  msExchRecipientDisplayType: value = 1073741824
[1199]  msExchUMEnabledFlags2: value = -1
[1199]  msExchVersion: value = 44220983382016
[1199]  msExchUMDtmfMap: value = emailAddress:477
[1199]  msExchUMDtmfMap: value = lastNameFirstName:79783646367628466
[1199]  msExchUMDtmfMap: value = firstNameLastName:46367628466797836
[1199]  msExchProvisioningFlags: value = 0
[1199]  msExchMDBRulesQuota: value = 64
[1199]  msExchTextMessagingState: value = 302120705
[1199]  msExchTextMessagingState: value = 16842751
[1199]  msExchRecipientTypeDetails: value = 1
[1199]  msExchWhenMailboxCreated: value = 20160512031809.0Z
[1199] Fiber exit Tx=603 bytes Rx=7327 bytes, status=1
[1199] Session End

regards,
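The two debug transcripts above differ only in the transport: ldaps:// to port 636 fails before any byte is received, while ldap:// to port 389 binds and reads the user. As an added diagnostic (not from this thread or from Cisco), the following script parses the posted `aaa-server` block and `debug ldap 255` output to flag the points a reviewer would check first. It assumes the ASA defaults of port 389 and ldap-over-ssl disabled when a host omits those lines; the embedded config and debug lines are constructed from the post.

```python
import re

# Constructed from the aaa-server output posted above (second host lacks SSL lines).
AAA_CONFIG = """\
aaa-server WebVPN-Users protocol ldap
aaa-server WebVPN-Users (inside) host 172.30.10.27
 server-port 636
 ldap-over-ssl enable
 server-type microsoft
aaa-server WebVPN-Users (inside) host 172.30.10.28
 server-type microsoft
"""

# Constructed from the port-636 debug transcript posted above.
DEBUG_636 = """\
[1189] Creating LDAP context with uri=ldaps://172.30.10.27:636
[1189] Connect to LDAP server: ldaps://172.30.10.27:636, status = Failed
[1189] Unable to read rootDSE. Can't contact LDAP server.
[1189] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
"""

def parse_aaa_hosts(config):
    """Return {host_ip: {attr: value}}; unspecified attrs get assumed ASA defaults."""
    hosts, current = {}, None
    for line in config.splitlines():
        m = re.match(r"aaa-server \S+ \(\S+\) host (\S+)", line)
        if m:
            current = hosts.setdefault(m.group(1), {"server-port": "389", "ldap-over-ssl": "disable"})
        elif current is not None and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            current[key] = val
    return hosts

def check_ldaps_consistency(hosts):
    """Flag hosts whose port and ldap-over-ssl setting disagree, and any plaintext host."""
    findings = []
    for ip, attrs in hosts.items():
        ssl, port = attrs["ldap-over-ssl"] == "enable", attrs["server-port"]
        if ssl and port != "636":
            findings.append(f"{ip}: ldap-over-ssl enabled but server-port {port}")
        elif not ssl:
            findings.append(f"{ip}: plaintext LDAP on port {port}; bind credentials cross the wire unencrypted")
    return findings

def parse_debug(transcript):
    """Extract URI, connect status and Tx/Rx byte counts from `debug ldap 255` output."""
    result = {}
    for line in transcript.splitlines():
        m = re.search(r"Connect to LDAP server: (\S+), status = (\w+)", line)
        if m:
            result["uri"], result["status"] = m.group(1), m.group(2)
        m = re.search(r"Fiber exit Tx=(\d+) bytes Rx=(\d+) bytes", line)
        if m:
            result["tx"], result["rx"] = int(m.group(1)), int(m.group(2))
    if result.get("status") == "Failed" and result.get("rx") == 0:
        result["diagnosis"] = "no bytes received: check that the DC listens on 636 (needs a server certificate) and that TLS versions overlap"
    return result
```

Run it against a real `show run aaa-server` and debug capture to see at a glance which host is still plaintext and whether the LDAPS failure happened before the TLS session delivered anything.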

You only sent one :)

Send me the rest please. 

Any update please? We need to get this done!

Regards ;

Ghafar

I'm sorry but for some reason I was unable to see full outputs before. 

So mainly, when LDAP over SSL is used the authentication fails, and when it is disabled the authentication succeeds.

What is your ASA version? We have some bugs filed for LDAP over SSL, like:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuv32615/?reffering_site=dumpcr

Our ASA version is 5520 series and possibly the software is below version 9.

Hi,

Any update please!

Regards;

Hi Ghafar, 

Are you sure that you configured the server correctly? A certificate should be used on the server for SSL negotiation.

Also, what is the TLS version used? Is it TLS 1.2?

From ASA you can collect some SSL logs during testing: 

#logging class ssl mon deb

#terminal mon

Hi ;

The TLS version is 1.3, and I tried the command terminal mon but didn't receive anything after trying to connect from the browser. I tried reading some documents and videos online, but they are mostly using the client and not the browser.

Sometimes when I test the LDAP configuration it shows successful but sometimes it responds with an error message.


Therefore, would you please give a reference to any website or document which clearly mentions the steps for web VPN users instead of the client?

Regards ;

Hi Ghafar, 

ASA still does not support TLS 1.3. Are you sure that the server is using TLS 1.3?

Hi,

Thanks for the quick response. I did try reviewing the certificate information once more... I noticed the TLS version is 1.0.

Waiting for your kind reply soon !

Regards;

Also, please keep in mind that TLS 1.2 is supported on ASAs starting from version 9.3.

See link: 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/release/notes/asarn93.html

Hi ;

Any update please? It is very urgent!

Regards;