VPN authentication by LDAP

Hello, I set up a VPN with the VPN Client on a PIX 515, release 8.0.4. I want to authenticate users against a Microsoft LDAP server. I have done this configuration:

ldap attribute-map LDAP-MAP
   map-name memberOf IETF-Radius-Class
   map-value memberOf CN = Users, dc = labxen, dc = Sun xenesys_vpn_clients

aaa-server LDAP (inside) host 10.69.1.42
  server-port 389
  ldap-base-dn dc = Users, DC = labxen, DC = Sun
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-password *
  ldap-login-dn cn = administrator, cn = users, dn = labxen, dc = Sun
  server-type microsoft
  ldap-attribute-map LDAP-MAP

group-policy xenesys_vpn_clients internal
group-policy xenesys_vpn_clients attributes
  vpn-tunnel-protocol IPSec

tunnel-group Xenesys type remote-access
tunnel-group Xenesys general-attributes
  address-pool VpnClient_Pool
  authentication-server-group LDAP LOCAL
tunnel-group Xenesys ipsec-attributes
  pre-shared-key *

When testing the LDAP server I get this error:
test aaa-server authentication LDAP host 10.69.1.42 username xxxx password yyyy
INFO: Attempting Authentication test to IP address <10.69.1.42> (timeout: 12 seconds)
ERROR: Authentication Server not responding: AAA Server Has Been removed

Has anyone had these problems with this configuration?

Regards

Alessio

3 Replies

Jennifer Halim
Cisco Employee

Please kindly run "debug ldap 255" and try to test the authentication; the debug will tell you where it is failing.

Is this the correct base-dn configuration: ldap-base-dn dc = Users, DC = labxen, DC = Sun

I would suggest that you not have any spaces anywhere in the LDAP base-dn path.

Same goes for the following:

ldap-login-dn cn = administrator, cn = users, dn = labxen, dc = Sun

Please remove all spaces.

I would also check the upper/lower case as it can be a problem.

You can log in to a server using the administrator username and, once logged in, open a CMD prompt and get the output of the "gpresult" command. From the output, it will give you the full path for the administrator username. You should copy and paste the full path into the ASA configuration.

Here is a sample configuration on the LDAP authentication to Microsoft AD (it also has the debug output at the bottom of the document):

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml

Hope that helps.
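An added check for the two DN problems this reply points at (whitespace inside the DN and a mistyped component). This is example code written for this page, not code from the thread or from Cisco; it assumes only the ASA keywords `ldap-base-dn` and `ldap-login-dn`, and the sample configuration is reconstructed from the one posted at the top of the thread.

```python
"""Lint the DNs in an ASA LDAP aaa-server block before committing them.

Added example, not code from the thread or from Cisco. It catches the two
things the reply above points at: whitespace around '=' and ',' in a DN, and
an RDN attribute type that is not a normal DN component (the posted login DN
has 'dn = labxen' where the base DN uses 'DC = labxen'). The sample config
is reconstructed from the thread.
"""
import re

# RDN attribute types normally seen in an Active Directory DN.
KNOWN_RDN_TYPES = {"cn", "ou", "dc", "o", "c", "l", "st", "uid"}
DN_KEYWORDS = ("ldap-base-dn", "ldap-login-dn")

# Constructed from the configuration posted at the top of the thread.
SAMPLE_CONFIG = """\
aaa-server LDAP (inside) host 10.69.1.42
  server-port 389
  ldap-base-dn dc = Users, DC = labxen, DC = Sun
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-dn cn = administrator, cn = users, dn = labxen, dc = Sun
  server-type microsoft
"""


def normalize_dn(dn: str) -> str:
    """Strip whitespace around '=' and ',' so 'dc = a, DC = b' becomes 'dc=a,DC=b'."""
    rdns = []
    for part in dn.split(","):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {part.strip()!r}")
        rdns.append(f"{key.strip()}={value.strip()}")
    return ",".join(rdns)


def lint_dn(dn: str) -> list[str]:
    """Return human-readable findings for one DN; an empty list means it looks clean."""
    findings = []
    # Whitespace directly next to '=' or ',' is the mistake the reply asks to remove.
    if re.search(r"\s=|=\s|\s,|,\s", dn):
        findings.append("whitespace around '=' or ',' (remove it, as the reply advises)")
    for rdn in normalize_dn(dn).split(","):
        key, _, value = rdn.partition("=")
        if key.lower() not in KNOWN_RDN_TYPES:
            findings.append(f"unexpected RDN attribute type {key!r} in {rdn!r}")
        if not value:
            findings.append(f"empty value in {rdn!r}")
    return findings


def lint_asa_config(config_text: str) -> dict[str, list[str]]:
    """Lint every ldap-base-dn / ldap-login-dn line in an ASA config fragment."""
    report = {}
    for line in config_text.splitlines():
        stripped = line.strip()
        for keyword in DN_KEYWORDS:
            if stripped.startswith(keyword + " "):
                report[keyword] = lint_dn(stripped[len(keyword):].strip())
    return report


if __name__ == "__main__":
    for keyword, findings in lint_asa_config(SAMPLE_CONFIG).items():
        print(keyword, "->", findings or "ok")
```

Run against the posted configuration, the base DN is flagged once (whitespace) and the login DN twice (whitespace plus the `dn` component). The splitter is deliberately simple and does not handle RFC 4514 escaped commas (`\,`) inside a value; for DNs pasted from `gpresult` as the reply suggests, that is rarely an issue.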

Hi, I ran "debug ldap 255" and tried to test:

[33486] Session Start
[33486] New request Session, context 0x30cd958, reqType = 1
[33486] Fiber started
[33486] Creating LDAP context with uri=ldap://10.69.1.42:389
[33486] Connect to LDAP server: ldap://10.69.1.42:389, status = Failed
[33486] While getting rootDSE, LDAP server 10.69.1.42 returned code (-1) Can't contact LDAP server
[33486] This LDAP server does not support V3 protocol.
[33486] Binding as administrator
[33486] Performing Simple authentication for administrator to 10.69.1.42
[33486] Connect to LDAP server: ldap://10.69.1.42:389, status = Failed
[33486] Simple authentication for administrator returned code (-1) Can't contact LDAP server
[33486] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[33486] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[33486] Session End
ERROR: Authentication Server not responding: AAA Server has been removed

Now I receive this error: This LDAP server does not support V3 protocol.

My LDAP server is Windows 2008; what is the V3 protocol?

Can you please check if your Windows 2008 AD is configured to use LDAP (plain/clear text) or LDAPS (SSL encrypted LDAP).

If it's using LDAPS, then you would need to "enable LDAP over SSL".
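An added triage script for the "debug ldap 255" output posted above and for the LDAP-versus-LDAPS question in this last reply. It is example code written for this page, not from the thread or from Cisco. The first sample session is the one posted in the thread; the second (a bind rejected with LDAP result code 49) is constructed to show what a reachable server looks like in the same debug, and its line format is an assumption.

```python
"""Triage ASA 'debug ldap 255' output: transport failure, bind failure, or ok.

Added example, not code from the thread or from Cisco. The point it makes:
in the posted session no bytes were exchanged (Tx=0 Rx=0) and every result
code is -1 "Can't contact LDAP server", so the "does not support V3 protocol"
line is a consequence of the failed rootDSE read, not a protocol mismatch.
"""
import re
from dataclasses import dataclass, field

# Sample 1: the session posted in the thread.
TRANSPORT_FAILURE = """\
[33486] Session Start
[33486] New request Session, context 0x30cd958, reqType = 1
[33486] Fiber started
[33486] Creating LDAP context with uri=ldap://10.69.1.42:389
[33486] Connect to LDAP server: ldap://10.69.1.42:389, status = Failed
[33486] While getting rootDSE, LDAP server 10.69.1.42 returned code (-1) Can't contact LDAP server
[33486] This LDAP server does not support V3 protocol.
[33486] Binding as administrator
[33486] Performing Simple authentication for administrator to 10.69.1.42
[33486] Connect to LDAP server: ldap://10.69.1.42:389, status = Failed
[33486] Simple authentication for administrator returned code (-1) Can't contact LDAP server
[33486] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[33486] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[33486] Session End
"""

# Sample 2: constructed (hypothetical line format) - server reachable, login DN rejected.
BIND_FAILURE = """\
[33487] Session Start
[33487] Creating LDAP context with uri=ldap://10.69.1.42:389
[33487] Connect to LDAP server: ldap://10.69.1.42:389, status = Successful
[33487] supportedLDAPVersion: value = 3
[33487] Binding as administrator
[33487] Performing Simple authentication for administrator to 10.69.1.42
[33487] Simple authentication for administrator returned code (49) Invalid credentials
[33487] Failed to bind as administrator returned code (49) Invalid credentials
[33487] Fiber exit Tx=97 bytes Rx=65 bytes, status=-2
[33487] Session End
"""


@dataclass
class Triage:
    verdict: str                  # "transport", "bind" or "ok"
    server: str                   # URI the ASA tried, e.g. ldap://10.69.1.42:389
    tx_bytes: int
    rx_bytes: int
    result_codes: list[int]       # every "returned code (N)" seen, in order
    v3_message_is_derived: bool   # V3 line present only because rootDSE could not be read
    notes: list[str] = field(default_factory=list)


def triage_ldap_debug(text: str) -> Triage:
    """Classify one debug session from its lines alone (no network access needed)."""
    lines = text.splitlines()
    uri = re.search(r"uri=(ldaps?://\S+)", text)
    server = uri.group(1) if uri else "unknown"
    fiber = re.search(r"Fiber exit Tx=(\d+) bytes Rx=(\d+) bytes", text)
    tx, rx = (int(fiber.group(1)), int(fiber.group(2))) if fiber else (0, 0)
    codes = [int(c) for c in re.findall(r"returned code \((-?\d+)\)", text)]

    connect_failed = any("Connect to LDAP server" in ln and "status = Failed" in ln for ln in lines)
    cant_contact = any("Can't contact LDAP server" in ln for ln in lines)
    rootdse_failed = any("While getting rootDSE" in ln and "returned code (-1)" in ln for ln in lines)
    v3_line = any("does not support V3 protocol" in ln for ln in lines)
    bind_failed = any("Failed to bind as" in ln for ln in lines)

    notes = []
    if connect_failed or cant_contact or (tx == 0 and rx == 0):
        verdict = "transport"
        notes.append(f"nothing reached {server}: check routing/ACLs to the host and port, "
                     "and whether the directory only accepts LDAPS (636) rather than LDAP (389)")
        if v3_line and rootdse_failed:
            notes.append("ignore the V3 line; it follows from the failed rootDSE read")
    elif bind_failed:
        verdict = "bind"
        notes.append("server reachable; check ldap-login-dn and ldap-login-password "
                     "(LDAP result code 49 = invalid credentials)")
    else:
        verdict = "ok"
    return Triage(verdict, server, tx, rx, codes, v3_line and rootdse_failed, notes)


if __name__ == "__main__":
    for sample in (TRANSPORT_FAILURE, BIND_FAILURE):
        t = triage_ldap_debug(sample)
        print(t.verdict, t.server, f"tx={t.tx_bytes} rx={t.rx_bytes}", t.result_codes, *t.notes, sep="\n  ")
```

The verdict is driven by the byte counters and the `Connect ... status` lines rather than by the wording of the last error, which is what separates "the ASA never got an answer on 389" (the thread's case, where the LDAP/LDAPS question in this reply is the right next step) from "the server answered and rejected the bind" (a DN or password problem in the aaa-server block).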