WebVPN on LDAP

I have successfully configured a Server Group for LDAP authentication, tested and working.

When I change the WebVPN to authenticate to LDAP, it still tries to search in the Local Database.

Error: AAA user authentication rejected : reason = Invalid password : local database : user = testAD

Here's the config

aaa-server LDAP_SVR protocol ldap
aaa-server LDAP_SVR (Inside) host 192.168.1.1
 server-port 389
 ldap-base-dn dc=domainname, dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password password
 ldap-login-dn CN=admin,CN=Users,DC=domainname,DC=local
 server-type microsoft
 ldap-attribute-map CISCOMAP
webvpn
 enable outside
 anyconnect-essentials
 svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1 regex "Windows NT"
 svc image disk0:/anyconnect-macosx-i386-3.0.5080-k9.pkg 2 regex "Intel Mac OS X"
 svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 3 regex "Intel Mac OS X"
 svc enable
 tunnel-group-preference group-url
group-policy RemotePolicy attributes
 dns-server value 192.168.1.1 192.168.1.2
 vpn-filter value NAT0
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Tunnel_Networks
 default-domain value domainname.local
 address-pools value SSLVPNIPPool
 webvpn
  url-list none
  svc ask enable default webvpn
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool SSLVPNIPPool
 authentication-server-group LDAP_SVR
 default-group-policy RemotePolicy

Thanks for your help!

8 Replies

Julio Carvajal
VIP Alumni

Hello Jean,

The configuration looks good. Can you provide us with a debug webvpn 255 when you try to AnyConnect to the ASA?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

WARNING: CSD is disabled by AnyConnect Essentials license.
webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
webvpn_portal.c:webvpn_login_validate_net_handle[2234]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
webvpn_portal.c:webvpn_login_assign_app_next[2272]
webvpn_portal.c:webvpn_login_cookie_check[2289]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
webvpn_login_resolve_tunnel_group: tgCookie = NULL
webvpn_login_resolve_tunnel_group: tunnel group name from default
webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup
webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
webvpn_portal.c:webvpn_login_check_cert_status[2733]
webvpn_portal.c:webvpn_login_cert_only[2774]
webvpn_portal.c:webvpn_login_primary_username[2796]
webvpn_portal.c:webvpn_login_primary_password[2878]
webvpn_portal.c:webvpn_login_secondary_username[2910]
webvpn_portal.c:webvpn_login_secondary_password[2988]
webvpn_portal.c:webvpn_login_extra_password[3021]
webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
webvpn_portal.c:http_webvpn_kill_cookie[790]
webvpn_auth.c:http_webvpn_pre_authentication[2447]
WebVPN: calling AAA with ewsContext (-1351860128) and nh (-1351860616)!
webvpn_add_auth_handle: auth_handle = 1189
WebVPN: started user authentication...
webvpn_auth.c:webvpn_aaa_callback[5320]
WebVPN: AAA status = (REJECT)
webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
webvpn_portal.c:webvpn_login_validate_net_handle[2234]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
webvpn_portal.c:webvpn_login_assign_app_next[2272]
webvpn_portal.c:webvpn_login_cookie_check[2289]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
webvpn_portal.c:webvpn_login_check_cert_status[2733]
webvpn_portal.c:webvpn_login_cert_only[2774]
webvpn_portal.c:webvpn_login_primary_username[2796]
webvpn_portal.c:webvpn_login_primary_password[2878]
webvpn_portal.c:webvpn_login_secondary_username[2910]
webvpn_portal.c:webvpn_login_secondary_password[2988]
webvpn_portal.c:webvpn_login_extra_password[3021]
webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_portal.c:webvpn_login_aaa_resuming[3093]
webvpn_auth.c:http_webvpn_post_authentication[1611]
WebVPN: user: (testJFG) rejected.
webvpn_remove_auth_handle: auth_handle = 1189
webvpn_free_auth_struct: net_handle = AF6C3E78
webvpn_allocate_auth_struct: net_handle = AF6C3E78
webvpn_free_auth_struct: net_handle = AF6C3E78
WARNING: CSD is disabled by AnyConnect Essentials license.

Hello Jean,

As I can see in the debug, you are getting mapped to the default WebVPN group instead of the RemotePolicy group.

webvpn_login_resolve_tunnel_group: tgCookie = NULL
webvpn_login_resolve_tunnel_group: tunnel group name from default
webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup

Let's do the following to make sure we are hitting the right tunnel group:

group-policy RemotePolicy attributes
 webvpn
  no svc ask enable default webvpn
  exit
 exit
webvpn
 tunnel-group-list enable
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool SSLVPNIPPool
 authentication-server-group LDAP_SVR
 default-group-policy RemotePolicy
tunnel-group SSLVPN webvpn-attributes
 group-alias SSLVPN

Then try to connect one more time; you should be prompted to select the tunnel group.

With this we will make sure we select the right tunnel group.

If this does not work, please send us the debug with this new configuration in place.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
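Julio's diagnosis rests on three debug lines: the tunnel-group resolution (`tunnel group name from default`, `TG_BUFFER = DefaultWEBVPNGroup`) and the AAA result. The script below is an added example, not code from the thread or from Cisco. It splits a `debug webvpn 255` capture into login attempts (one per auth_handle), extracts those fields for each, and flags any attempt that landed on a tunnel group other than the one the user expected to hit (here SSLVPN). The sample capture is constructed from the lines posted above, and the regular expressions match only the message formats that appear there.

```python
"""Triage helper for ASA `debug webvpn 255` output.

Added example, not code from the thread or from Cisco. It splits a debug
capture into login attempts (one per auth_handle), records which tunnel
group the ASA resolved for each and where that name came from, plus the
AAA result, and flags attempts that landed on a tunnel group other than
the one expected. The sample capture is constructed from the lines quoted
in the thread.
"""
import re

# Constructed sample: the decisive lines from the thread's debug output.
SAMPLE_DEBUG = """\
webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
webvpn_login_resolve_tunnel_group: tgCookie = NULL
webvpn_login_resolve_tunnel_group: tunnel group name from default
webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup
WebVPN: calling AAA with ewsContext (-1351860128) and nh (-1351860616)!
webvpn_add_auth_handle: auth_handle = 1189
WebVPN: started user authentication...
webvpn_auth.c:webvpn_aaa_callback[5320]
WebVPN: AAA status = (REJECT)
webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
webvpn_portal.c:webvpn_login_aaa_resuming[3093]
WebVPN: user: (testJFG) rejected.
webvpn_remove_auth_handle: auth_handle = 1189
"""

# Message formats taken from the capture above; other ASA versions may differ.
TG_SOURCE_RE = re.compile(r"webvpn_login_resolve_tunnel_group: tunnel group name from (\S+)")
TG_NAME_RE = re.compile(r"webvpn_login_resolve_tunnel_group: TG_BUFFER = (\S+)")
ADD_RE = re.compile(r"webvpn_add_auth_handle: auth_handle = (\d+)")
REMOVE_RE = re.compile(r"webvpn_remove_auth_handle: auth_handle = (\d+)")
AAA_RE = re.compile(r"WebVPN: AAA status = \((\w+)\)")
USER_RE = re.compile(r"WebVPN: user: \((\S+)\) (\w+)\.")


def parse_attempts(debug_text):
    """Split a capture into login attempts, one dict per auth_handle."""
    attempts = []
    pending = {}   # tunnel-group facts seen before the auth handle exists
    current = None
    for raw in debug_text.splitlines():
        line = raw.strip()
        m = TG_SOURCE_RE.search(line)
        if m:
            pending["tg_source"] = m.group(1)
            continue
        m = TG_NAME_RE.search(line)
        if m:
            pending["tunnel_group"] = m.group(1)
            continue
        m = ADD_RE.search(line)
        if m:
            current = {"auth_handle": m.group(1),
                       "tunnel_group": pending.get("tunnel_group"),
                       "tg_source": pending.get("tg_source"),
                       "aaa_status": None, "user": None, "outcome": None}
            pending = {}
            continue
        if current is None:
            continue
        m = AAA_RE.search(line)
        if m:
            current["aaa_status"] = m.group(1)
            continue
        m = USER_RE.search(line)
        if m:
            current["user"], current["outcome"] = m.group(1), m.group(2)
            continue
        m = REMOVE_RE.search(line)
        if m and m.group(1) == current["auth_handle"]:
            attempts.append(current)
            current = None
    if current is not None:       # capture ended mid-attempt; keep what we have
        attempts.append(current)
    return attempts


def findings(attempts, expected_tg):
    """Human-readable findings: wrong tunnel group and/or AAA rejection."""
    out = []
    for a in attempts:
        if a["tunnel_group"] != expected_tg:
            out.append("handle %s: landed on tunnel group %s (name from %s), not %s, "
                       "so %s's authentication-server-group was never consulted"
                       % (a["auth_handle"], a["tunnel_group"], a["tg_source"],
                          expected_tg, expected_tg))
        if a["aaa_status"] == "REJECT":
            out.append("handle %s: AAA rejected user %s" % (a["auth_handle"], a["user"]))
    return out


if __name__ == "__main__":
    for line in findings(parse_attempts(SAMPLE_DEBUG), "SSLVPN"):
        print(line)
```

Run against the posted capture it reports that handle 1189 resolved to DefaultWEBVPNGroup from the default, not SSLVPN, which is why the LDAP server group bound to SSLVPN was never used and the local database rejected the user. A capture taken after `tunnel-group-list enable` or a group-url should show a different `tunnel group name from` source and the expected TG_BUFFER.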

I did kind of that: I changed all my group policies to LDAP, and I got a new error.

So I got another question now:

- Now that LDAP seems to work, I get the error "Clientless (browser) SSL VPN access is not allowed".

I have created an AD group "AccessVPN" and added my test user to it, but it doesn't seem to work.

What am I missing?

aaa-server LDAP_SVR protocol ldap
aaa-server LDAP_SVR (Inside) host 192.168.1.1
 server-port 389
 ldap-base-dn dc=domainname, dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password password
 ldap-login-dn CN=admin,CN=Users,DC=domainname,DC=local
 server-type microsoft
 ldap-attribute-map CISCOMAP
ldap attribute-map CISCOMAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=AccessVPN,OU=Groupes,OU=MyOU,DC=DomainName,DC=Local PolicyGroup1

Any ideas?

Late answer, but it's because AnyConnect Essentials is enabled. I guess the debug message "WARNING: CSD is disabled by AnyConnect Essentials license." is trying to tell you this.

ASA cli:

- conf t

- webvpn

- no anyconnect-essentials

or ASDM:

- Configuration

- Remote Access VPN

- Network (client) Access

- Advanced

- Anyconnect Essentials

- Uncheck "Enable AnyConnect Essentials".

Note that this will affect your licenses, and probably only a handful of users can connect after this because the Essentials license is not valid after that.

So you map your AD group VPNaccess to a group-policy PolicyGroup1.

Do you have a group-policy by that name? Does it have webvpn in the allowed protocols?

If all looks correct, get

debug ldap 255
debug aaa authentication
debug aaa common

Hth

Herbert

Sent from Cisco Technical Support iPad App
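Herbert's two questions (is there a group-policy named PolicyGroup1, and does it allow the protocol being used?) can be checked mechanically against the config. The script below is an added example, not code from the thread or from Cisco. It parses the `ldap attribute-map` and `group-policy ... attributes` fragments with a small hand-written parser and simulates the memberOf to IETF-Radius-Class mapping for one user. The PolicyGroup1 definition in the sample config is an assumption chosen to reproduce the "Clientless (browser) SSL VPN access is not allowed" outcome: it lists only `svc` in `vpn-tunnel-protocol`. The DN matching rule (exact, with case-only differences reported for manual checking) is a choice of the example, not a statement of how the ASA compares DNs.

```python
"""Checks an ASA LDAP attribute map against the group-policies it names.

Added example, not code from the thread or from Cisco. A small hand-written
parser reads `ldap attribute-map` and `group-policy ... attributes` blocks,
then check_access() simulates which group-policy a user's memberOf values
select through the map and whether that policy exists and lists the user's
protocol in vpn-tunnel-protocol. The PolicyGroup1 definition is constructed.
"""
import shlex

# Constructed sample config: the attribute map and RemotePolicy from the
# thread, plus an assumed PolicyGroup1 that allows only the AnyConnect
# client (svc) and not clientless browser access (webvpn).
SAMPLE_CONFIG = """\
ldap attribute-map CISCOMAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=AccessVPN,OU=Groupes,OU=MyOU,DC=DomainName,DC=Local PolicyGroup1
group-policy RemotePolicy attributes
 vpn-tunnel-protocol svc webvpn
group-policy PolicyGroup1 attributes
 vpn-tunnel-protocol svc
"""

# Cisco-side attribute names whose mapped value selects a group-policy
# (IETF-Radius-Class as in the thread, or the later Group-Policy name).
GROUP_POLICY_ATTRS = {"IETF-Radius-Class", "Group-Policy"}


def parse_config(text):
    """Return (attribute_maps, group_policies).

    attribute_maps[name] = {"names": {ldap_attr: cisco_attr},
                            "values": {ldap_attr: {ldap_value: mapped}}}
    group_policies[name] = set of vpn-tunnel-protocol keywords
    """
    maps, policies = {}, {}
    section = None  # ("map", name) or ("gp", name) for the block being read
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[:2] == ["ldap", "attribute-map"]:
            section = ("map", tokens[2])
            maps.setdefault(tokens[2], {"names": {}, "values": {}})
        elif tokens[0] == "group-policy" and tokens[-1] == "attributes":
            section = ("gp", tokens[1])
            policies.setdefault(tokens[1], set())
        elif section and section[0] == "map" and tokens[0] == "map-name":
            maps[section[1]]["names"][tokens[1]] = tokens[2]
        elif section and section[0] == "map" and tokens[0] == "map-value":
            # map-value <ldap-attr> <ldap-value> <mapped-value>; the LDAP value
            # is a DN, so rejoin any unquoted spaces it may contain.
            ldap_attr, mapped = tokens[1], tokens[-1]
            ldap_value = " ".join(tokens[2:-1])
            maps[section[1]]["values"].setdefault(ldap_attr, {})[ldap_value] = mapped
        elif section and section[0] == "gp" and tokens[0] == "vpn-tunnel-protocol":
            policies[section[1]].update(tokens[1:])
        elif not raw[:1].isspace():
            section = None  # any other top-level command ends the block
    return maps, policies


def select_group_policy(memberof_values, attr_map):
    """Apply the map's memberOf rules to one user's memberOf values.

    Returns (policy_or_None, notes). Matching is exact; a value differing
    from a map-value only in case is noted so it can be compared with the
    DNs that `debug ldap 255` shows the DC returning (example's choice).
    """
    notes = []
    target = attr_map.get("names", {}).get("memberOf")
    if target not in GROUP_POLICY_ATTRS:
        notes.append("map-name memberOf -> %s does not select a group-policy" % target)
        return None, notes
    rules = attr_map.get("values", {}).get("memberOf", {})
    folded = {k.lower(): k for k in rules}
    for dn in memberof_values:  # first matching group wins in this example
        if dn in rules:
            return rules[dn], notes
        if dn.lower() in folded:
            notes.append("memberOf %s differs only in case from map-value %s"
                         % (dn, folded[dn.lower()]))
    return None, notes


def check_access(memberof_values, protocol, config_text, default_policy,
                 map_name="CISCOMAP"):
    """Simulate policy selection for a user connecting with `protocol`
    ('webvpn' = clientless browser, 'svc' = AnyConnect client)."""
    maps, policies = parse_config(config_text)
    policy, notes = select_group_policy(memberof_values, maps.get(map_name, {}))
    if policy is None:
        policy = default_policy
        notes.append("no map-value matched; tunnel-group default-group-policy %s applies" % policy)
    exists = policy in policies
    allowed = exists and protocol in policies[policy]
    if not exists:
        notes.append("group-policy %s is not configured on the ASA" % policy)
    elif not allowed:
        kind = "clientless (browser) SSL VPN" if protocol == "webvpn" else protocol
        notes.append("group-policy %s lacks %s in vpn-tunnel-protocol, so %s access is not allowed"
                     % (policy, protocol, kind))
    return {"policy": policy, "exists": exists, "allowed": allowed, "notes": notes}


if __name__ == "__main__":
    user_groups = ["CN=AccessVPN,OU=Groupes,OU=MyOU,DC=DomainName,DC=Local"]
    for note in check_access(user_groups, "webvpn", SAMPLE_CONFIG, "RemotePolicy")["notes"]:
        print(note)
```

With the constructed PolicyGroup1, a member of AccessVPN logging in through the browser is mapped to PolicyGroup1 and refused because that policy lacks `webvpn`, while the same user with the AnyConnect client (`svc`) is allowed; a user in no mapped group falls through to the tunnel group's default-group-policy. The notes also point at the two things to verify with `debug ldap 255` on the real box: the exact memberOf DN the DC returns, and whether the map actually names a group-policy that exists.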

Hi Julio,

By following this post I fixed the problem, by using the drop-down list:

webvpn
 tunnel-group-list enable

I'm able to log in... but is there a way to change this default setting without showing a group list to the user?

Without "tunnel-group-list enable" my debugs show the same:

webvpn_login_resolve_tunnel_group: tunnel group name from default
webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup