networking-forum.com
PostPosted: Thu Feb 16, 2012 10:46 am 
New Member

Joined: Wed Feb 08, 2012 11:07 am
Posts: 10
Certs: CCNA, CCNAV,
I am not sure why but when I try to connect with my IPSEC VPN client, authentications are failing. The ldap test passes on the ASA but when I try to login, the VPN client gives me authentication failure even though debugs show authentication was successful.

Anyone have any ideas?

User 'test1' should be able to authenticate based on group membership.
User 'test2' shouldn't be able to.

I already removed the attribute-map to see if that was the problem but I am still failing authentication.

Code:
ldap attribute-map CTVPNUSERS
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=VPNUSERS,CN=Users,DC=DOMAIN,DC=local CTVPN
aaa-server CTDC protocol ldap
aaa-server CTDC (inside) host 10.10.130.5
 ldap-base-dn DC=DOMAIN,DC=local
 ldap-group-base-dn DC=DOMAIN,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=VPNADMIN,OU=Remote Users,DC=DOMAIN,DC=local
 server-type microsoft
 ldap-attribute-map CTVPNUSERS

group-policy CTVPN internal
group-policy CTVPN attributes
 dns-server value 10.10.130.5 10.10.132.5
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-CROSSTIMBERS-splitTunnel
 default-domain value DOMAIN.local
tunnel-group CTVPN type remote-access
tunnel-group CTVPN general-attributes
 address-pool CTVPN
 authentication-server-group CTDC
 default-group-policy NoVPN
tunnel-group CTVPN ipsec-attributes
 pre-shared-key *****

[19214] Session Start
[19214] New request Session, context 0xac639228, reqType = Authentication
[19214] Fiber started
[19214] Creating LDAP context with uri=ldap://10.10.130.5:389
[19214] Connect to LDAP server: ldap://10.10.130.5:389, status = Successful
[19214] supportedLDAPVersion: value = 3
[19214] supportedLDAPVersion: value = 2
[19214] Binding as VPNADMIN
[19214] Performing Simple authentication for VPNADMIN to 10.10.130.5
[19214] LDAP Search:
        Base DN = [DC=DOMAIN,DC=local]
        Filter  = [sAMAccountName=test2]
        Scope   = [SUBTREE]
[19214] User DN = [CN=test2,OU=Remote users,DC=DOMAIN,DC=local]
[19214] Talking to Active Directory server 10.10.130.5
[19214] Reading password policy for test2, dn:CN=test2,OU=Remote users,DC=DOMAIN,DC=local
[19214] Read bad password count 0
[19214] Binding as test2
[19214] Performing Simple authentication for test2 to 10.10.130.5
[19214] Processing LDAP response for user test2
[19214] Message (test2):
[19214] Authentication successful for test2 to 10.10.130.5
[19214] Retrieved User Attributes:
[19214]         objectClass: value = top
[19214]         objectClass: value = person
[19214]         objectClass: value = organizationalPerson
[19214]         objectClass: value = user
[19214]         cn: value = test2
[19214]         givenName: value = test2
[19214]         distinguishedName: value = CN=test2,OU=Remote users,DC=DOMAIN,DC=local
[19214]         instanceType: value = 4
[19214]         whenCreated: value = 20120215212221.0Z
[19214]         whenChanged: value = 20120215212221.0Z
[19214]         displayName: value = test2
[19214]         uSNCreated: value = 2039637
[19214]         uSNChanged: value = 2039642
[19214]         name: value = test2
[19214]         objectGUID: value = c{.@...E.h......
[19214]         userAccountControl: value = 66048
[19214]         badPwdCount: value = 0
[19214]         codePage: value = 0
[19214]         countryCode: value = 0
[19214]         badPasswordTime: value = 0
[19214]         lastLogoff: value = 0
[19214]         lastLogon: value = 0
[19214]         pwdLastSet: value = 129738145415596273
[19214]         primaryGroupID: value = 513
[19214]         objectSid: value = ............'!.|6..e.*......
[19214]         accountExpires: value = 9223372036854775807
[19214]         logonCount: value = 0
[19214]         sAMAccountName: value = test2
[19214]         sAMAccountType: value = 805306368
[19214]         userPrincipalName: value = test2@DOMAIN.local
[19214]         objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=DOMAIN,DC=local
[19214] Fiber exit Tx=544 bytes Rx=2261 bytes, status=1
[19214] Session End

[19216] Session Start
[19216] New request Session, context 0xac639228, reqType = Authentication
[19216] Fiber started
[19216] Creating LDAP context with uri=ldap://10.10.130.5:389
[19216] Connect to LDAP server: ldap://10.10.130.5:389, status = Successful
[19216] supportedLDAPVersion: value = 3
[19216] supportedLDAPVersion: value = 2
[19216] Binding as VPNADMIN
[19216] Performing Simple authentication for VPNADMIN to 10.10.130.5
[19216] LDAP Search:
        Base DN = [DC=DOMAIN,DC=local]
        Filter  = [sAMAccountName=test1]
        Scope   = [SUBTREE]
[19216] User DN = [CN=test1,OU=Remote users,DC=DOMAIN,DC=local]
[19216] Talking to Active Directory server 10.10.130.5
[19216] Reading password policy for test1, dn:CN=test1,OU=Remote users,DC=DOMAIN,DC=local
[19216] Read bad password count 0
[19216] Binding as test1
[19216] Performing Simple authentication for test1 to 10.10.130.5
[19216] Processing LDAP response for user test1
[19216] Message (test1):
[19216] Authentication successful for test1 to 10.10.130.5
[19216] Retrieved User Attributes:
[19216]         objectClass: value = top
[19216]         objectClass: value = person
[19216]         objectClass: value = organizationalPerson
[19216]         objectClass: value = user
[19216]         cn: value = test1
[19216]         givenName: value = test1
[19216]         distinguishedName: value = CN=test1,OU=Remote users,DC=DOMAIN,DC=local
[19216]         instanceType: value = 4
[19216]         whenCreated: value = 20120215212144.0Z
[19216]         whenChanged: value = 20120215212233.0Z
[19216]         displayName: value = test1
[19216]         uSNCreated: value = 2039625
[19216]         memberOf: value = CN=VPNUSERS,CN=Users,DC=DOMAIN,DC=local
[19216]                 mapped to IETF-Radius-Class: value = CTVPN
[19216]                 mapped to LDAP-Class: value = CTVPN
[19216]         uSNChanged: value = 2039647
[19216]         name: value = test1
[19216]         objectGUID: value = <......I.yv.&...
[19216]         userAccountControl: value = 66048
[19216]         badPwdCount: value = 0
[19216]         codePage: value = 0
[19216]         countryCode: value = 0
[19216]         badPasswordTime: value = 129738266759183593
[19216]         lastLogoff: value = 0
[19216]         lastLogon: value = 129738266902931753
[19216]         pwdLastSet: value = 129738145534344753
[19216]         primaryGroupID: value = 513
[19216]         objectSid: value = ............'!.|6..e.*..~...
[19216]         accountExpires: value = 9223372036854775807
[19216]         logonCount: value = 0
[19216]         sAMAccountName: value = test1
[19216]         sAMAccountType: value = 805306368
[19216]         userPrincipalName: value = test1@DOMAIN.local
[19216]         objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=DOMAIN,DC=local
[19216] Fiber exit Tx=544 bytes Rx=2357 bytes, status=1
[19216] Session End

PostPosted: Thu Feb 16, 2012 11:07 am 
Senior Member

Joined: Tue Apr 08, 2008 10:09 am
Posts: 346
Do they have the dial-in/dialup permission?
http://www.windowsecurity.com/img/upl/S ... 305573.gif

PostPosted: Thu Feb 16, 2012 1:54 pm 
New Member

Joined: Wed Feb 08, 2012 11:07 am
Posts: 10
Certs: CCNA, CCNAV,
Is that important? I am not using IAS or RADIUS. I am trying to use group membership as the control.

PostPosted: Thu Feb 16, 2012 3:16 pm 
New Member

Joined: Wed Feb 08, 2012 11:07 am
Posts: 10
Certs: CCNA, CCNAV,
I tried to go to allow but it didn't work.

I also pulled this log from the DC:


Successful Network Logon:
User Name: test1
Domain: DOMAIN.LOCAL
Logon ID: (0x0,0x8E4CE44)
Logon Type: 3
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: DOMCTRL
Logon GUID: -
Caller User Name: DOMCTRL$
Caller Domain: DOMAIN.LOCAL
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 476
Transited Services: -
Source Network Address: 10.10.130.10
Source Port: 33350

Everything shows that it's supposed to be successful...

PostPosted: Thu Feb 16, 2012 7:01 pm 
Senior Member

Joined: Thu Nov 17, 2011 6:09 pm
Posts: 487
Location: Portland, OR
Here is a known working config I have used. There are a few differences in syntax:

Code:
ldap attribute-map LDAP_memberOf
  map-name  memberOf Group-Policy
  map-value memberOf "CN=VPNUsers,OU=Users,DC=domain,DC=local" Admin
!
dynamic-access-policy-record DfltAccessPolicy
aaa-server A4590 protocol ldap
aaa-server A4590 (inside) host 10.0.0.14
 ldap-base-dn DC=domain,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn DOMAIN\ciscoasa
 server-type auto-detect
 ldap-attribute-map LDAP_memberOf

group-policy Admin internal
group-policy Admin attributes
 dns-server value 10.0.0.7 10.0.0.6
 default-domain value domain.local

tunnel-group Admin type remote-access
tunnel-group Admin general-attributes
 address-pool VPN-POOL
 authentication-server-group A4590 LOCAL
 default-group-policy Admin
tunnel-group Admin ipsec-attributes
 pre-shared-key *****



ps: ASA 8.3, Server 2008 R2 AD/FFL

PostPosted: Fri Feb 17, 2012 1:39 pm 
New Member

Joined: Wed Feb 08, 2012 11:07 am
Posts: 10
Certs: CCNA, CCNAV,
Thanks mlan.

That worked...sorta.

I can authenticate with both users. If I use a member in the group, I get the right policy. If I don't, I get the default group policy. I guess I am just going to really restrict the default group policy. When I tried to do 'vpn-simultaneous-logins 0' on the default policy, it wouldn't allow my valid users to login. I had to remove it.

Right now, members of the group are assigned the right policy, others are given the default. Any ideas?

PostPosted: Fri Feb 17, 2012 2:06 pm 
Senior Member

Joined: Thu Nov 17, 2011 6:09 pm
Posts: 487
Location: Portland, OR
Hm, it sounds like the DAP config needs to be modified for this to work properly.

Check this out: http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml#t6

PostPosted: Fri Feb 17, 2012 8:34 pm 
Post Whore

Joined: Sat Oct 20, 2007 11:05 am
Posts: 1952
Location: Plano, TX
Certs: CCNA
ciscotree wrote:
Thanks mlan.

That worked...sorta.

I can authenticate with both users. If I use a member in the group, I get the right policy. If I don't, I get the default group policy. I guess I am just going to really restrict the default group policy. When I tried to do 'vpn-simultaneous-logins 0' on the default policy, it wouldn't allow my valid users to login. I had to remove it.

Right now, members of the group are assigned the right policy, others are given the default. Any ideas?

That is how it is supposed to work. Are you wanting your user "test2" to not be able to log in?

PostPosted: Mon Feb 20, 2012 9:59 am 
New Member

Joined: Wed Feb 08, 2012 11:07 am
Posts: 10
Certs: CCNA, CCNAV,
Thanks for your help mlan!

I was able to get it working with DAP.

I created the aaa-server:

Code:
aaa-server CTDC protocol ldap
aaa-server CTDC (inside) host 10.10.130.5
 ldap-base-dn DC=DOMAIN,DC=local
 ldap-group-base-dn DC=DOMAIN,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=VPNADMIN,OU=Remote Users,DC=DOMAIN,DC=local
 server-type microsoft


Then created an additional DAP and set the selection criteria as "ldap.memberOf=VPNUSERS" and an action of "Continue". I also changed the action for the default DAP to terminate connections:

Code:
dynamic-access-policy-record DfltAccessPolicy
 action terminate
dynamic-access-policy-record dap_CTAuthenticator
I then created an appropriate group policy:
Code:
group-policy CTVPN internal
group-policy CTVPN attributes
 dns-server value 10.10.130.5 10.10.132.5
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-CT-splitTunnel
 default-domain value domain.local


And an appropriate tunnel-group:
Code:
tunnel-group CTVPN type remote-access
tunnel-group CTVPN general-attributes
 address-pool CTVPN
 authentication-server-group CTDC
 default-group-policy CTVPN
tunnel-group CTVPN ipsec-attributes
 pre-shared-key *****

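The behaviour the thread works through (LDAP bind succeeds for any valid account, the attribute map only picks the group-policy, so a non-member silently gets the default policy unless a DAP terminates the session) can be emulated offline. The script below is an added example, not anything from the original posts or from Cisco: it parses constructed excerpts modelled on the "debug ldap" output above, applies the thread's memberOf -> IETF-Radius-Class map, and shows the policy and DAP outcome for a member (test1) and a non-member (test2). The DAP criterion is simplified to "memberOf contains a group whose CN is VPNUSERS"; that simplification and the sample log text are assumptions.

```python
import re

# Constructed excerpts modelled on the ASA "debug ldap 255" output in the thread
# (not the page's literal log): one user in VPNUSERS, one not.
DEBUG_TEST1 = """[19216] Authentication successful for test1 to 10.10.130.5
[19216] Retrieved User Attributes:
[19216]         cn: value = test1
[19216]         memberOf: value = CN=VPNUSERS,CN=Users,DC=DOMAIN,DC=local
[19216]         sAMAccountName: value = test1"""

DEBUG_TEST2 = """[19214] Authentication successful for test2 to 10.10.130.5
[19214] Retrieved User Attributes:
[19214]         cn: value = test2
[19214]         sAMAccountName: value = test2"""

# The thread's attribute map: memberOf -> IETF-Radius-Class, VPNUSERS DN -> CTVPN
ATTRIBUTE_MAP = {"memberOf": ("IETF-Radius-Class",
                              {"CN=VPNUSERS,CN=Users,DC=DOMAIN,DC=local": "CTVPN"})}

ATTR_RE = re.compile(r"^\[\d+\]\s+(\w+): value = (.*)$")

def parse_user_attributes(debug_text):
    """Collect the 'name: value = ...' lines of one LDAP session into a dict of lists."""
    attrs = {}
    for line in debug_text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2).strip())
    return attrs

def apply_attribute_map(attrs, amap=ATTRIBUTE_MAP):
    """Emulate the ASA attribute map: rename the attribute and translate matching values."""
    mapped = {}
    for ldap_name, (cisco_name, value_map) in amap.items():
        for value in attrs.get(ldap_name, []):
            if value in value_map:
                mapped.setdefault(cisco_name, []).append(value_map[value])
    return mapped

def select_group_policy(attrs, default_policy):
    """A mapped IETF-Radius-Class wins; otherwise the tunnel-group default applies."""
    classes = apply_attribute_map(attrs).get("IETF-Radius-Class", [])
    return classes[0] if classes else default_policy

def dap_action(attrs, required_group_cn="VPNUSERS", default_action="terminate"):
    """Simplified DAP: ldap.memberOf matches on the group's CN (assumption);
    the DfltAccessPolicy action applies when no record matches."""
    for dn in attrs.get("memberOf", []):
        if dn.split(",")[0].upper() == f"CN={required_group_cn}".upper():
            return "continue"
    return default_action
```

With the default DAP left at "continue", test2 would still get the default group-policy and connect; switching DfltAccessPolicy to "terminate" is what turns group membership into an actual access decision.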
PostPosted: Tue Feb 21, 2012 1:33 pm 
Senior Member

Joined: Thu Nov 17, 2011 6:09 pm
Posts: 487
Location: Portland, OR
Nice! Thanks for the follow-up on the DAP code.
