Simple authentication for GLSXXXX returned code (49) Invalid credentials driving me crazy :(

jacenkoj33
Level 1

So I have a pair of ASA 5525s I'm trying to get LDAP authentication working on, mainly so the IT staff can log in to the VPN without having to supply local account credentials, and then eventually get the RSA soft token working with it. First off, though, I just cannot get the ASA to successfully test my configuration. I've watched a dozen videos and read a half dozen Cisco documents and blogs on this subject, but it seems I'm missing something. Included are my config and debug; if anyone would care to help me troubleshoot this I'd be eternally grateful. I guess the IP is internal so it doesn't really matter if I block it out, but to keep the security audit team happy I'll not include it. Be assured it's the same IP everywhere there's a 10.x.x.x.

The GLSXXXX account is in the following AD path: gls.com/Service Accounts/IT/

The other thing I'm wondering about is that the glsxxx account is only a member of the Domain Users group, so if this account needs some level of admin, could that be causing the failure?

aaa-server LDAPSERVERS protocol ldap
aaa-server LDAPSERVERS (inside) host 10.x.x.x
ldap-base-dn dc=gls,dc=com
ldap-scope subtree
ldap-naming-attribute glsxxxx
ldap-login-password *****
ldap-login-dn cn=GLSXXXX,cn=IT,cn=Service Accounts,dc=gls,dc=local
server-type microsoft

debug ldap 255
test aaa-server authentication LDAPSERVERS host 10.x.x.x


[-2147483601] Session Start
[-2147483601] New request Session, context 0x00007fffd1e50550, reqType = Authentication
[-2147483601] Fiber started
[-2147483601] Creating LDAP context with uri=ldap://10.x.x.x:389
[-2147483601] Connect to LDAP server: ldap://10.x.x.x:389, status = Successful
[-2147483601] supportedLDAPVersion: value = 3
[-2147483601] supportedLDAPVersion: value = 2
[-2147483601] Binding as GLSLDAP
[-2147483601] Performing Simple authentication for GLSXXXX to 10.x.x.x
[-2147483601] Simple authentication for GLSXXXX returned code (49) Invalid credentials
[-2147483601] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[-2147483601] Fiber exit Tx=217 bytes Rx=645 bytes, status=-2
[-2147483601] Session End
ERROR: Authentication Server not responding: AAA Server has been removed

Thanks,

Jim

10 Replies

JP Miranda Z
Cisco Employee

Have you tried to use the default ldap-naming-attribute:

sAMAccountName

-JP-

Still a no go. Different debug this time though...

[-2147483599] Session Start
[-2147483599] New request Session, context 0x00007fffd1e50550, reqType = Authentication
[-2147483599] Fiber started
[-2147483599] Creating LDAP context with uri=ldap://10.x.x.x:389
[-2147483599] Connect to LDAP server: ldap://10.x.x.x:389, status = Successful
[-2147483599] defaultNamingContext: value = DC=gls,DC=com
[-2147483599] supportedLDAPVersion: value = 3
[-2147483599] supportedLDAPVersion: value = 2
[-2147483599] supportedSASLMechanisms: value = GSSAPI
[-2147483599] supportedSASLMechanisms: value = GSS-SPNEGO
[-2147483599] supportedSASLMechanisms: value = EXTERNAL
[-2147483599] supportedSASLMechanisms: value = DIGEST-MD5
[-2147483599] Binding as GLSxxxx
[-2147483599] Performing Simple authentication for GLSxxxx to 10.x.x.x
[-2147483599] Simple authentication for GLSxxxx returned code (49) Invalid credentials
[-2147483599] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[-2147483599] Fiber exit Tx=217 bytes Rx=645 bytes, status=-2
[-2147483599] Session End

Is the GLSxxxx an admin user on your AD?

If you are completely sure the dsquery is correct, I recommend getting captures on the ASA and the server, because this is simple: either the LDAP configuration is incorrect or the user and password are incorrect.

-JP-

It doesn't have admin rights. It's only in the Domain Users group, but this account is working on our RSA Secure login for LDAP auth... What level does it need, domain admin?

The user should have enough rights to perform the authentication check. If your server guy told you that this user is currently working on other devices, this one should work. Now you can try this:

1- get a new dsquery from the server and make sure the configuration is fine.

2- if everything is matching the dsquery from the server you can try adding "" to the login dn: ldap-login-dn "cn=GLSxxxx,cn=IT,cn=Service Accounts,dc=gls,dc=com"

3- get the logs from the server perspective to find out what exactly it is not liking about the authentication.

4- you can also try to get the dsquery with an admin user and test.

Hope this helps!!

-JP-
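Added example (not from the thread or from Cisco) for the check JP's step 1 asks for: it derives the DN form of the AD canonical path posted in the first post (gls.com/Service Accounts/IT/) and compares it RDN by RDN with the configured ldap-login-dn, reporting attribute-type (OU vs CN) and value (dc=local vs dc=com) differences. It assumes that custom containers such as "Service Accounts" and "IT" are OUs; an AD canonical name does not show whether a container is an OU or a CN, and only the default containers (Users, Builtin, Computers, ...) are CNs.

```python
import re

# Containers AD creates as CN rather than OU by default; anything else in a
# canonical path is assumed to be an OU (assumption made for this example).
CN_CONTAINERS = {"users", "computers", "builtin", "system",
                 "foreignsecurityprincipals", "managed service accounts"}

def escape_rdn(value):
    """Escape the characters RFC 4514 requires escaping in an RDN value."""
    value = re.sub(r'([,+"\\<>;=])', r'\\\1', value)
    if value.startswith(("#", " ")):
        value = "\\" + value
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    return value

def canonical_to_dn(canonical, leaf_name):
    """Turn an AD canonical path such as 'gls.com/Service Accounts/IT/' plus
    an object name into the DN form the ASA expects in ldap-login-dn."""
    parts = [p for p in canonical.strip("/").split("/") if p]
    domain, containers = parts[0], parts[1:]
    rdns = [f"CN={escape_rdn(leaf_name)}"]
    for container in reversed(containers):  # DN lists leaf first, root last
        kind = "CN" if container.lower() in CN_CONTAINERS else "OU"
        rdns.append(f"{kind}={escape_rdn(container)}")
    rdns += [f"DC={escape_rdn(label)}" for label in domain.split(".")]
    return ",".join(rdns)

def split_dn(dn):
    """Split a DN into (attribute, value) pairs, honouring escaped commas."""
    comps = re.split(r"(?<!\\),", dn)
    return [tuple(s.strip() for s in c.split("=", 1)) for c in comps]

def dn_mismatches(configured, expected):
    """List the differences between two DNs, RDN by RDN, case-insensitively."""
    a, b = split_dn(configured), split_dn(expected)
    issues = []
    if len(a) != len(b):
        issues.append(f"{len(a)} RDNs configured, {len(b)} expected")
    for (ta, va), (tb, vb) in zip(a, b):
        if ta.lower() != tb.lower():
            issues.append(f"{ta}={va}: expected attribute {tb} (OU vs CN?)")
        elif va.lower() != vb.lower():
            issues.append(f"{ta}={va}: expected value {vb}")
    return issues

# Constructed from the thread: the posted canonical path and first login DN.
EXPECTED_DN = canonical_to_dn("gls.com/Service Accounts/IT/", "GLSXXXX")
POSTED_DN = "cn=GLSXXXX,cn=IT,cn=Service Accounts,dc=gls,dc=local"

if __name__ == "__main__":
    print("expected:", EXPECTED_DN)
    for issue in dn_mismatches(POSTED_DN, EXPECTED_DN):
        print("mismatch:", issue)
```

Run it against the DN that ADSI Edit or dsquery reports for the service account; if the derived OU assumption is wrong, the tool's output tells you exactly which RDN to change.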


So I have had some success experimenting, but not the success I was hoping for. I was able to bind using the domain admin account administrator, using ldap-login-dn CN=administrator,CN=Builtin,DC=gls,DC=com. So now it has opened new questions.

Does the DC think this is a local administrator account or the domain administrator account?

Why didn't it accept my personal credentials, which are a member of Domain Admins? Our RSA server is authenticating using the glsldap service account, which is only a member of Domain Users, nothing more.

Does the ASA require a domain administrator account to bind to the LDAP?

Something is still odd. It would seem using a domain admin account for LDAP authentication might in itself be a security risk?

Also, I was using Softerra LDAP Administrator to validate the DN for all of the accounts I've tried. I have the correct DN values for all accounts I've tried.

aaa-server LDAPSERVERS protocol ldap
aaa-server LDAPSERVERS (inside) host 10.x.x.x
ldap-base-dn dc=gls,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=administrator,CN=Builtin,DC=gls,DC=com
server-type microsoft

CO-MDF-FW01/pri/act(config-aaa-server-host)# test aaa-server authentication LD$
Username: jimxxxxxxxxxx
Password: ********
INFO: Attempting Authentication test to IP address <10.x.x.x> (timeout: 12 seconds)

[-2147483587] Session Start
[-2147483587] New request Session, context 0x00007fffd1e50550, reqType = Authentication
[-2147483587] Fiber started
[-2147483587] Creating LDAP context with uri=ldap://10.x.x.x:389
[-2147483587] Connect to LDAP server: ldap://10.x.X.x:389, status = Successful
[-2147483587] supportedLDAPVersion: value = 3
[-2147483587] supportedLDAPVersion: value = 2
[-2147483587] Binding as administrator
[-2147483587] Performing Simple authentication for administrator to 10.x.x.x
[-2147483587] LDAP Search:
Base DN = [dc=gls,dc=com]
Filter = [sAMAccountName=jimxxxxxxxxxx]
Scope = [SUBTREE]
[-2147483587] User DN = [CN=Jim,OU=IT Network Services,DC=gls,DC=com]
[-2147483587] Talking to Active Directory server 10.x.x.x
[-2147483587] Reading password policy for jimxxxxxxxxxx, dn:CN=Jim,OU=IT Network Services,DC=gls,DC=com
[-2147483587] Read bad password count 0
[-2147483587] Binding as jimxxxxxxxxxxxx
[-2147483587] Performing Simple authentication for jimj to 10.x.x.x
[-2147483587] Processing LDAP response for user jimxxxxxxxxxxxxx
[-2147483587] Message (jimxxxxxxxxxxx):
[-2147483587] Authentication successful for jimxxxxxxxxxxxxx to 10.x.x.x
[-2147483587] Retrieved User Attributes:

clipped....

Does the DC think this is a local administrator account or the domain administrator account?

The DN does not need to use an admin user; just make sure it is a member of Domain Users.

Why didn't it accept my personal credentials, which are a member of Domain Admins?

The only way to know that will be getting the logs from the AD perspective, since it should work without any problem.

Something is still odd. It would seem using a domain admin account for LDAP authentication might in itself be a security risk?

It could be a security risk, but again, it is not required in order to have this working.

With the admin user we can definitely see this works. Now the rest of the work here will be finding out what the server is showing when you try to authenticate with your user, or you can also create a normal user for testing and use this one to get the dsquery and test.

This Cisco document includes all the information about LDAP as an aaa-server:

Configuring LDAP Servers for AAA - Cisco

Hope this information helps!

-JP-

Not sure completely which admin user account?

So I log in to the ASA using a local account with admin rights to the ASA; this account is not on the AD.

The GLSxxxxxx account is a domain user account with no admin rights. I discussed this with a senior admin and he stated we're using this account in other places for LDAP authentication, and that LDAP doesn't need an account with domain admin as it is only a read-only account for LDAP queries. Not sure if the ASA needs something different?

The account I'm using for test aaa-server authentication LDAPSERVERS host 10.x.x.x is my own domain user account, which is a member of Domain Admins. The passwords I've double checked...

Any more advice how to troubleshoot next?

Config looks like this now...

aaa-server LDAPSERVERS protocol ldap
aaa-server LDAPSERVERS (inside) host 10.x.x.x
ldap-base-dn dc=gls,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=GLSxxxx,cn=IT,cn=Service Accounts,dc=gls,dc=com
server-type microsoft

Have you fixed this issue, if so would you please share the solution?

Thanks