Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1224
Views
0
Helpful
2
Replies

Problem with using LDAP to authenticate SSL client vpn

yanqing.zhu
Level 1
Level 1

‎03-06-2012 01:54 AM

Dear all,

         I met a problem with the SSL client VPN. When I use Local as the authentication server, I can access the url://mycompanyweb.com/vpn and download "anyconnect vpn client" software. But once I changed to use LDAP to be the authentication server, I can only access portal which the same url,

here's the configuration of SSL VPN, could someone help? Thank you very much!

:
ASA Version 8.2(3)
!
hostname testfw01
domain-name cisco.com
names
dns-guard
!
interface Ethernet0/0
description WAN
nameif outside
security-level 0
ip address x.x.x.x x.x.x.x


interface Ethernet0/1
description LAN
nameif inside
security-level 100
ip address 10.10.0.254 255.255.0.0
!
boot system disk0:/asa823-k8.bin
ftp mode passive
clock timezone CST 8
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup Production
dns domain-lookup management
dns server-group DefaultDNS
domain-name cisco.com
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
ip local pool VPN_pool 10.10.20.1-10.10.20.2 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Production) 0 access-list Production_nat0_outbound
nat (Production) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group Production_access_in in interface Production
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

route inside 10.10.0.0 255.255.0.0 10.10.0.254

ldap attribute-map sic-vpn
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=vpntest,OU=Security Groups VPN Access,DC=test,DC=local" RemoteAccess_GRP
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP_ZJ_GRP protocol ldap
aaa-server LDAP_ZJ_GRP (inside) host 10.10.1.1

server-port 389
ldap-base-dn DC=test,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=testuser,cn=Users,DC=test,DC=local
server-type microsoft
ldap-attribute-map test-vpn
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside

crypto ca trustpoint localtrust
enrollment self
fqdn sslvpn.cisco.com
subject-name CN=sslvpn.cisco.com
keypair sicsslvpn
crl configure
crypto ca certificate chain localtrust
certificate 7978e24e
    308201ef 30820158 a0030201 02020479 78e24e30 0d06092a 864886f7 0d010105
    0500303c 31193017 06035504 03131073 736c7670 6e2e6369 73636f2e 636f6d31
    1f301d06 092a8648 86f70d01 09021610 73736c76 706e2e63 6973636f 2e636f6d
    301e170d 31323033 30313032 32323034 5a170d32 32303232 37303232 3230345a
    303c3119 30170603 55040313 1073736c 76706e2e 63697363 6f2e636f 6d311f30
    1d06092a 864886f7 0d010902 16107373 6c76706e 2e636973 636f2e63 6f6d3081
    9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100e8 b7d6c6a3
    427d52f4 0fa26b21 d62ce6e9 f26adf9f 7fb482cb 5f039920 97ee5399 d7ac32a5
    13a47b3d 59ed3ee4 08edb6cd b9bdf28f dfcc0d1a 3ad75560 e8c29911 68a4cdb5
    40ade6e1 ff838229 316086b9 f07d2d82 dbd6ec20 a75617ed 85ca6fe7 5bea6fc9
    e822df10 bf6410a2 0429414f 7bd576b0 d0d57f4c fa98509a a0361502 03010001
    300d0609 2a864886 f70d0101 05050003 8181008c d0ae8301 6db0a978 d7b149c7
    a3bbbd19 929bea56 ab6a08da 9d4afb17 2e17b704 e279a037 9787bcf6 99331761
    ff971579 dd9ea547 146b4a1f a7522cdf 55cedc15 38bbcd59 092690d5 0ca9bbcd
    a82b1463 f436c7b4 241cde72 97121105 ccb89119 dac0df2f 17e89d7d 1d8a03bd
    537d7e42 60288d89 a17f953b eea58171 94fff0
  quit

ssl encryption aes128-sha1 3des-sha1 rc4-sha1 rc4-md5 des-sha1 null-sha1 aes256-sha1
ssl trust-point localtrust outside
webvpn
enable outside
enable inside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy sslvpn internal
group-policy sslvpn attributes
dns-server value 10.10.1.1

vpn-tunnel-protocol svc
address-pools value VPN_pool
webvpn
  port-forward disable
  svc keep-installer installed
  activex-relay enable
group-policy NoAccess internal
group-policy NoAccess attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol IPSec l2tp-ipsec
address-pools none
ipv6-address-pools none
group-policy RemoteAccess_GRP internal
group-policy RemoteAccess_GRP attributes
vpn-simultaneous-logins 10
vpn-tunnel-protocol IPSec webvpn
split-tunnel-policy tunnelspecified
address-pools value VPN_pool
username test password xxxxxx encrypted privilege 15
username test attributes
webvpn
  svc ask enable default svc timeout 120

tunnel-group testsslvpn type remote-access
tunnel-group testsslvpn general-attributes
address-pool (inside) VPN_pool
address-pool VPN_pool
authentication-server-group LDAP_ZJ_GRP LOCAL
authentication-server-group (inside) LDAP_ZJ_GRP LOCAL
authorization-server-group LDAP_ZJ_GRP
authorization-server-group (inside) LDAP_ZJ_GRP
default-group-policy sslvpn
authorization-required
tunnel-group sicsslvpn webvpn-attributes
group-alias VPN enable
group-url https://x.x.x.x/VPN enable

Labels:
0 Helpful
2 Replies 2

yanqing.zhu
Level 1
Level 1

‎03-07-2012 06:59 PM

The problem is solved, thank you

0 Helpful

eroche
Level 1
Level 1
In response to yanqing.zhu

‎03-12-2012 11:54 AM

What was the fix.

. Had same sort of issue over weekend.

Ed

Sent from Cisco Technical Support iPad App

0 Helpful
Customers Also Viewed These Support Documents