Problems with Cisco ASA and Microsoft LDAP Authorization and Authentication on required password changes

Hello, I am having problems with Cisco AnyConnect clients. The ASA is set up to do AAA against an MS LDAP server. All is working until a required password change or expired-password change needs to take place. The Cisco client only indicates "Unwilling to perform password change" and fails to log in. I ran the LDAP debug on the ASA and get "[1276] modify failed, no SSL enabled on connection". I spoke to Cisco; they stated the LDAP server requires MS CA Services installed. I installed it, but still the same issue. Cisco says the authorization and authentication require SSL, and confirms the SSL, server-port and password-management statements on the ASA are correct. I am not sure if the ASA requires a certificate to be installed from the MS CA authority for this to work properly, or if there are other Cisco or MS configurations I need. Any help would be appreciated, thanks.
dmking43 asked:
 
dmking43 (Author) commented:
How are you doing? We installed the CA Service on the LDAP server, allowing LDAPS. I put SSL back in place on the ASA and the password change now works; see debug below.

I cannot get it to work without SSL enabled; I am not sure how you did. But having SSL enabled is not a problem and it works. How did you make out in the lab test?

Thanks for the help

[153] Session Start
[153] New request Session, context 0xccb48bf8, reqType = Authentication
[153] Fiber started
[153] Creating LDAP context with uri=ldaps://172.16.5.27:636
[153] Connect to LDAP server: ldaps://172.16.5.27:636, status = Successful
[153] supportedLDAPVersion: value = 3
[153] supportedLDAPVersion: value = 2
[153] Binding as efi1a
[153] Performing Simple authentication for efi1a to 172.16.5.27
[153] LDAP Search:
        Base DN = [DC=efiglobal,DC=com]
        Filter  = [sAMAccountName=testuser]
        Scope   = [SUBTREE]
[153] User DN = [CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com]
[153] Talking to Active Directory server 172.16.5.27
[153] Reading password policy for testuser, dn:CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com
[153] Read bad password count 0
[153] Binding as testuser
[153] Performing Simple authentication for testuser to 172.16.5.27
[153] Simple authentication for testuser returned code (49) Invalid credentials
[153] Message (testuser): 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 773, vece
[153] Checking password policy
[153] New password is required for testuser
[153] Fiber exit Tx=751 bytes Rx=4560 bytes, status=-1
[153] Session End

[154] Session Start
[154] New request Session, context 0xccb48bf8, reqType = Modify Password
[154] Fiber started
[154] Creating LDAP context with uri=ldaps://172.16.5.27:636
[154] Connect to LDAP server: ldaps://172.16.5.27:636, status = Successful
[154] supportedLDAPVersion: value = 3
[154] supportedLDAPVersion: value = 2
[154] Binding as efi1a
[154] Performing Simple authentication for efi1a to 172.16.5.27
[154] LDAP Search:
        Base DN = [DC=efiglobal,DC=com]
        Filter  = [sAMAccountName=testuser]
        Scope   = [SUBTREE]
[154] User DN = [CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com]
[154] Talking to Active Directory server 172.16.5.27
[154] Reading password policy for testuser, dn:CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com
[154] Read bad password count 0
[154] Password for testuser successfully changed
[154] Retrieved User Attributes:
[154]   objectClass: value = top
[154]   objectClass: value = person
[154]   objectClass: value = organizationalPerson
[154]   objectClass: value = user
[154]   cn: value = user, test
[154]   sn: value = user
[154]   givenName: value = test
[154]   distinguishedName: value = CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com
[154]   instanceType: value = 4
[154]   whenCreated: value = 20091202183516.0Z
[154]   whenChanged: value = 20100104155320.0Z
[154]   displayName: value = user, test
[154]   uSNCreated: value = 25057977
[154]   uSNChanged: value = 26446280
[154]   homeMTA: value = CN=Microsoft MTA,CN=USKW95MAIL,CN=Servers,CN=Exchange Administrative Group (FYDI
[154]   proxyAddresses: value = SMTP:testuser@EFIGLOBAL.COM
[154]   homeMDB: value = CN=MBXDB2,CN=Third Storage Group,CN=InformationStore,CN=USKW95MAIL,CN=Servers,CN
[154]   mDBUseDefaults: value = TRUE
[154]   mailNickname: value = testuser
[154]   name: value = user, test
[154]   objectGUID: value = ..l.N./J.5.n..!E
[154]   userAccountControl: value = 512
[154]   badPwdCount: value = 0
[154]   codePage: value = 0
[154]   countryCode: value = 0
[154]   badPasswordTime: value = 0
[154]   lastLogoff: value = 0
[154]   lastLogon: value = 129042552057356693
[154]   pwdLastSet: value = 0
[154]   primaryGroupID: value = 513
[154]   objectSid: value = ............MdI.#_ck...(..a.
[154]   accountExpires: value = 9223372036854775807
[154]   logonCount: value = 1
[154]   sAMAccountName: value = testuser
[154]   sAMAccountType: value = 805306368
[154]   showInAddressBook: value = CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Cont
[154]   showInAddressBook: value = CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=Engineering and
[154]   legacyExchangeDN: value = /o=Engineering and Fire Investigations/ou=Exchange Administrative Group (FYDIBOH
[154]   userPrincipalName: value = testuser@EFIGLOBAL.COM
[154]   objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=EFIGLOBAL,DC=com
[154]   mail: value = testuser@EFIGLOBAL.COM
[154]   msExchHomeServerName: value = /o=Engineering and Fire Investigations/ou=Exchange Administrative Group (FYDIBOH
[154]   msExchMailboxSecurityDescriptor: value = ........ .......,...............................................................
[154]   msExchUserAccountControl: value = 0
[154]   msExchMailboxGuid: value = ..\.l..A.j.<....
[154]   msExchPoliciesIncluded: value = {1D42D0AE-3474-4890-8156-35DBFA3226C0},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
[154]   msExchRecipientDisplayType: value = 1073741824
[154]   msExchVersion: value = 4535486012416
[154]   msExchRecipientTypeDetails: value = 1
[154] Fiber exit Tx=788 bytes Rx=4473 bytes, status=1
[154] Session End

[155] Session Start
[155] New request Session, context 0xccb48bf8, reqType = Other
[155] Fiber started
[155] Creating LDAP context with uri=ldaps://172.16.5.27:636
[155] Connect to LDAP server: ldaps://172.16.5.27:636, status = Successful
[155] supportedLDAPVersion: value = 3
[155] supportedLDAPVersion: value = 2
[155] Binding as efi1a
[155] Performing Simple authentication for efi1a to 172.16.5.27
[155] LDAP Search:
        Base DN = [DC=efiglobal,DC=com]
        Filter  = [sAMAccountName=testuser]
        Scope   = [SUBTREE]
[155] User DN = [CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com]
[155] LDAP Search:
        Base DN = [DC=efiglobal,DC=com]
        Filter  = [sAMAccountName=testuser]
        Scope   = [SUBTREE]
[155] Retrieved User Attributes:
[155]   objectClass: value = top
[155]   objectClass: value = person
[155]   objectClass: value = organizationalPerson
[155]   objectClass: value = user
[155]   cn: value = user, test
[155]   sn: value = user
[155]   givenName: value = test
[155]   distinguishedName: value = CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com
[155]   instanceType: value = 4
[155]   whenCreated: value = 20091202183516.0Z
[155]   whenChanged: value = 20100104155342.0Z
[155]   displayName: value = user, test
[155]   uSNCreated: value = 25057977
[155]   uSNChanged: value = 26446290
[155]   homeMTA: value = CN=Microsoft MTA,CN=USKW95MAIL,CN=Servers,CN=Exchange Administrative Group (FYDI
[155]   proxyAddresses: value = SMTP:testuser@EFIGLOBAL.COM
[155]   homeMDB: value = CN=MBXDB2,CN=Third Storage Group,CN=InformationStore,CN=USKW95MAIL,CN=Servers,CN
[155]   mDBUseDefaults: value = TRUE
[155]   mailNickname: value = testuser
[155]   name: value = user, test
[155]   objectGUID: value = ..l.N./J.5.n..!E
[155]   userAccountControl: value = 512
[155]   badPwdCount: value = 0
[155]   codePage: value = 0
[155]   countryCode: value = 0
[155]   badPasswordTime: value = 0
[155]   lastLogoff: value = 0
[155]   lastLogon: value = 129042552057356693
[155]   pwdLastSet: value = 129070940225969091
[155]   primaryGroupID: value = 513
[155]   objectSid: value = ............MdI.#_ck...(..a.
[155]   accountExpires: value = 9223372036854775807
[155]   logonCount: value = 1
[155]   sAMAccountName: value = testuser
[155]   sAMAccountType: value = 805306368
[155]   showInAddressBook: value = CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Cont
[155]   showInAddressBook: value = CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=Engineering and
[155]   legacyExchangeDN: value = /o=Engineering and Fire Investigations/ou=Exchange Administrative Group (FYDIBOH
[155]   userPrincipalName: value = testuser@EFIGLOBAL.COM
[155]   objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=EFIGLOBAL,DC=com
[155]   mail: value = testuser@EFIGLOBAL.COM
[155]   msExchHomeServerName: value = /o=Engineering and Fire Investigations/ou=Exchange Administrative Group (FYDIBOH
[155]   msExchMailboxSecurityDescriptor: value = ........ .......,...............................................................
[155]   msExchUserAccountControl: value = 0
[155]   msExchMailboxGuid: value = ..\.l..A.j.<....
[155]   msExchPoliciesIncluded: value = {1D42D0AE-3474-4890-8156-35DBFA3226C0},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
[155]   msExchRecipientDisplayType: value = 1073741824
[155]   msExchVersion: value = 4535486012416
[155]   msExchRecipientTypeDetails: value = 1
[155] Fiber exit Tx=382 bytes Rx=7425 bytes, status=1
[155] Session End
 
geergon commented:
I think that we are talking about the Password Expiry feature, right?

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml#passexpiry

I have a doubt...
The user configured in the LDAP code needs to have write rights in order to set the new password.
Does the user configured have read/write access to the domain?

Please post the full debugs.

 
dmking43 (Author) commented:
Yes, it is the Password Expiry feature. The account on the ASA performing the LDAP is a Domain Admin; there is no problem there. I turned on LDAP debug on the ASA and did a test; I get "[1276] modify failed, no SSL enabled on connection". I believe it is due to the fact that the LDAP server is not accepting SSL connections to port 636 at this point. I found an article explaining how to turn LDAP SSL on for Windows 2003 Server: http://www.linuxmail.info/enable-ldap-ssl-active-directory/

I think I will try this on a test server to see if it resolves the problem; from what I am reading, I believe it should.

I will let you know, thanks for your help

 
geergon commented:
The client (the ASA this time) has the possibility to use SSL as a transport for the LDAP communication.
Does it work without using SSL?
 
dmking43 (Author) commented:
Normal logins work without issue, but if SSL is not used (and this is directly from Cisco TAC), Password Expiry and "User must change password on next login" will not work. The additional articles I have found all say the same thing: it requires SSL to the LDAP server designated in the config, and the LDAP server requires Microsoft CA Service. The ASA user account used to connect to the LDAP server needs the necessary rights; in my case I am using an account with Domain Admin rights. We are setting up a domain Global Catalog server with LDAPS and will test; I will let you know the results. Thanks
 
geergon commented:
Hello!

We are talking about MS Active Directory, right? Because if the answer is yes, you do not need to enable SSL... Anyway, you could give it a try...

1. Which ASA version are you using?
2. Again, can you paste the full debugs of

Debug aaa authentication
Debug ldap 255


Check this
*************

For LDAP, the method to change a password is proprietary for the different LDAP servers on the market. Currently, the security appliance implements the proprietary password management logic only for Microsoft Active Directory and Sun LDAP servers.

Native LDAP requires an SSL connection. You must enable LDAP over SSL before attempting to do password management for LDAP. By default, LDAP uses port 636.

Note that this command does not change the number of days before the password expires, but rather, the number of days ahead of expiration that the security appliance starts warning the user that the password is about to expire.

If you do specify the password-expire-in-days keyword, you must also specify the number of days.

Specifying this command with the number of days set to 0 disables this command. The security appliance does not notify the user of the pending expiration, but the user can change the password after it expires.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1879916
 
dmking43 (Author) commented:
Hello, see debugs below.

Yes, this is a Microsoft Active Directory domain
Windows 2003 Server
The Cisco ASA points to a domain controller/Global Catalog server
The Cisco ASA is set up for password-management
The Cisco ASA has a Domain Admin user account performing the LDAP lookup

You said the password change does not require SSL, but all articles I have read, as well as the Cisco TAC case I have, all say you need SSL for this to work. If you can tell me how to get it to work without SSL, I would greatly appreciate it. I may be doing things wrong or not have the correct setting in the ASA, but it will not work; it does not let me change a domain account's password.

When a domain user's account password is not about to expire, the login works without issue.
When the domain user's account password has expired or is set to change at next logon:

The Cisco AnyConnect client initially logs in successfully and is prompted to change the password.
You type in the new password, then confirm the new password, and you get the error "Unwilling to perform password change" on the client and it will not let you log in.

The debugs from the ASA
ASA# Debug ldap 255
debug ldap  enabled at level 255
ASA# Debug aaa authentication
debug aaa authentication enabled at level 1
ASA#
[1414] Session Start
[1414] New request Session, context 0xccaed2e0, reqType = Authentication
[1414] Fiber started
[1414] Creating LDAP context with uri=ldap://172.16.5.27:389
[1414] Connect to LDAP server: ldap://172.16.5.27:389, status = Successful
[1414] supportedLDAPVersion: value = 3
[1414] supportedLDAPVersion: value = 2
[1414] Binding as efiglobal\Efi1a
[1414] Performing Simple authentication for efiglobal\Efi1a to 172.16.5.27
[1414] LDAP Search:
        Base DN = [DC=efiglobal,DC=com]
        Filter  = [sAMAccountName=testuser]
        Scope   = [SUBTREE]
[1414] User DN = [CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com]
[1414] Talking to Active Directory server 172.16.5.27
[1414] Reading password policy for testuser, dn:CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com
[1414] Read bad password count 0
[1414] Binding as testuser
[1414] Performing Simple authentication for testuser to 172.16.5.27
[1414] Simple authentication for testuser returned code (49) Invalid credentials
[1414] Message (testuser): 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 773, vece
[1414] Checking password policy
[1414] New password is required for testuser
[1414] Fiber exit Tx=700 bytes Rx=4557 bytes, status=-1
[1414] Session End

[1415] Session Start
[1415] New request Session, context 0xccaed2e0, reqType = Modify Password
[1415] Fiber started
[1415] Creating LDAP context with uri=ldap://172.16.5.27:389
[1415] Connect to LDAP server: ldap://172.16.5.27:389, status = Successful
[1415] supportedLDAPVersion: value = 3
[1415] supportedLDAPVersion: value = 2
[1415] Binding as efiglobal\Efi1a
[1415] Performing Simple authentication for efiglobal\Efi1a to 172.16.5.27
[1415] LDAP Search:
        Base DN = [DC=efiglobal,DC=com]
        Filter  = [sAMAccountName=testuser]
        Scope   = [SUBTREE]
[1415] User DN = [CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com]
[1415] Talking to Active Directory server 172.16.5.27
[1415] Reading password policy for testuser, dn:CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com
[1415] Read bad password count 0
[1415] modify failed, no SSL enabled on connection
[1415] Fiber exit Tx=741 bytes Rx=4544 bytes, status=-1
[1415] Session End
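The debug output above carries the two facts this thread turns on: the AD bind diagnostic `data 773` in the Authentication session (the account is flagged "must change password at next logon"), and `modify failed, no SSL enabled on connection` in the Modify Password session, which was opened over `ldap://...:389`. The Python script below is an added example for this page, not Cisco's code and not the poster's: it triages a pasted `debug ldap 255` capture by grouping lines per session, decoding the `AcceptSecurityContext` sub-error, and flagging a password modify attempted over cleartext LDAP. The capture embedded in it is a constructed abbreviation of the sessions posted in this thread, and the sub-error table lists the well-known AD codes (773 = must reset password, 532 = password expired, 52e = bad password, and so on).

```python
"""Triage helper for Cisco ASA 'debug ldap 255' output captured during
AnyConnect password-management tests against Active Directory.
Added example for this thread; not Cisco's or the original poster's code."""
import re

# Well-known Active Directory sub-error codes from the bind diagnostic
# "AcceptSecurityContext error, data NNN" (hex, as the DC prints them).
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password at next logon",
    "775": "account locked out",
}

SESSION_RE = re.compile(r"^\[(\d+)\]\s*(.*)$")
REQTYPE_RE = re.compile(r"reqType = (.+)$")
URI_RE = re.compile(r"uri=(ldaps?)://([\d.]+):(\d+)")
DATA_RE = re.compile(r"AcceptSecurityContext\s*error,\s*data\s+([0-9a-fA-F]+)")


def parse_sessions(debug_text):
    """Group debug lines by their [N] session id, in order of first appearance.
    Indented continuation lines (Base DN / Filter / Scope) carry no prefix and
    are attached to the most recently seen session."""
    sessions, current = {}, None
    for raw in debug_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SESSION_RE.match(line)
        if m:
            current = m.group(1)
            sessions.setdefault(current, []).append(m.group(2))
        elif current is not None:
            sessions[current].append(line)
    return sessions


def analyse_session(lines):
    """Summarise one ASA LDAP session and list anything that needs fixing."""
    info = {"reqType": None, "scheme": None, "port": None, "bind_data": None,
            "bind_reason": None, "modify_result": None, "issues": []}
    for line in lines:
        m = REQTYPE_RE.search(line)
        if m:
            info["reqType"] = m.group(1).strip()
        m = URI_RE.search(line)
        if m:
            info["scheme"], info["port"] = m.group(1), int(m.group(3))
        m = DATA_RE.search(line)
        if m:
            code = m.group(1).lower()
            info["bind_data"] = code
            info["bind_reason"] = AD_BIND_DATA_CODES.get(code, "unknown AD sub-error")
        if "successfully changed" in line:
            info["modify_result"] = "success"
        elif "modify failed" in line:
            info["modify_result"] = "failed: " + line.split("modify failed,", 1)[-1].strip()
    # AD only accepts password writes on an encrypted connection; the ASA
    # refuses to even send the modify over cleartext LDAP.
    if info["reqType"] == "Modify Password" and info["scheme"] == "ldap":
        info["issues"].append("password modify attempted over cleartext ldap://; "
                              "AD requires ldaps:// (port 636) for password writes")
    return info


def triage(debug_text):
    """Analyse every session in a capture -> [(session_id, info), ...]."""
    return [(sid, analyse_session(lines))
            for sid, lines in parse_sessions(debug_text).items()]


# Constructed sample: abbreviated from the failing (1414/1415) and working
# (154) sessions posted in this thread; not a verbatim capture.
SAMPLE_DEBUG = """\
[1414] New request Session, context 0xccaed2e0, reqType = Authentication
[1414] Creating LDAP context with uri=ldap://172.16.5.27:389
[1414] Binding as testuser
[1414] Simple authentication for testuser returned code (49) Invalid credentials
[1414] Message (testuser): 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 773, vece
[1414] New password is required for testuser
[1415] New request Session, context 0xccaed2e0, reqType = Modify Password
[1415] Creating LDAP context with uri=ldap://172.16.5.27:389
[1415] modify failed, no SSL enabled on connection
[154] New request Session, context 0xccb48bf8, reqType = Modify Password
[154] Creating LDAP context with uri=ldaps://172.16.5.27:636
[154] Password for testuser successfully changed
"""

if __name__ == "__main__":
    for sid, info in triage(SAMPLE_DEBUG):
        print(f"[{sid}] {info['reqType']}: {info['scheme']}:{info['port']} "
              f"bind={info['bind_data']} ({info['bind_reason']}) modify={info['modify_result']}")
        for issue in info["issues"]:
            print("    ISSUE:", issue)
```

Run as-is it flags session 1415 and passes session 154; for a real capture call `triage()` on the pasted text. On the ASA side, `ldap-over-ssl enable` and `server-port 636` are per-server commands entered under each `aaa-server EFI_LDAP (Inside) host ...` entry, not under the tunnel-group where they appear in the configuration posted later in this thread; the working debug in the accepted answer (`uri=ldaps://172.16.5.27:636`) is what that change looks like.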
 
geergon commented:
Mmmh, cool, thanks for the debugs!

Just one question: why are you using this form of the administrator user?
efiglobal\Efi1a
Are you specifying the domain on the user CN?
Please paste the LDAP configuration.

If unsure of the current DN string to use, you can issue the dsquery command on a Windows Active Directory server from a command prompt in order to verify the appropriate DN string of a user object.
    C:\Documents and Settings\Administrator>dsquery user -samid Efi1a
    !--- Queries Active Directory for samid id "kate"
    "CN=Efi1a,CN=xxx,DC=xx,DC=xxx,DC=cxxx"

2. Get the full distinguished name (DN) of the user account testuser using the dsquery command
and try to do this from the 2003 server.
Example:
dsmod user  "CN=testuser,CN=Users,DC=xxxx,DC=xxxx,DC=xxx"  -pwd new_password

3. Also which code version do you have in your ASA?
 
dmking43 (Author) commented:
Happy New Year,

I am using the Efi1a account at this moment only for the fact that I wanted to rule out a rights issue. I have a dedicated account for this, so as soon as I get it working I will put the dedicated service account back in place.

See the info you requested below. Thanks again for your help

C:\>dsquery user -samid Efi1a
"CN=efi1a,OU=Users and Groups,OU=Service Admins,DC=EFIGLOBAL,DC=com"

C:\>dsquery user -samid testuser
"CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com"

Running the dsmod command as you indicated was successful; I ran it directly on the server as you requested
C:\>dsmod user "CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com" -pwd new_password

dsmod succeeded:CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com

We have 2 LDAP Servers, see LDAP Config below

aaa-server EFI_LDAP (Inside) host 172.16.5.27
 server-port 389
 ldap-base-dn DC=efiglobal,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn efiglobal\Efi1a
 server-type microsoft
 ldap-attribute-map CISCOMAP
aaa-server EFI_LDAP (Inside) host 172.16.5.100
 timeout 5
 server-port 389
 ldap-base-dn DC=efiglobal,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *

I also included the AnyConnect tunnel group being used, see below

tunnel-group AnyConnect general-attributes
 address-pool SSL_VPN_Users
 authentication-server-group EFI_LDAP
 authentication-server-group (Outside) EFI_LDAP
 authorization-server-group EFI_LDAP
 authorization-server-group (Inside) EFI_LDAP
 default-group-policy EFI_ALL_Users
 password-management
 authorization-required
 ldap-login-dn efiglobal\efi1a
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map CISCOMAP

Cisco ASA Version
ASA# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)




 
geergon commented:
Sure but I do not know if you understand what I am pointing out.
Let me touch base with you.

If this is the correct String
CN=efi1a,OU=Users and Groups,OU=Service Admins,DC=EFIGLOBAL,DC=com

Why do you have this on the configuration?
 ldap-login-dn efiglobal\Efi1a

I think that it should be the full correct DN, what I am trying to say is that you have some things not matching on the configuration.

First of all check this:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml

1. Are you using authorization? if not disable that line from the tunnel-group configuration.

2. Why do you have this line pointing to the outside?
( authentication-server-group (Outside) EFI_LDAP)

I do not know how TAC said that the configuration is OK; for me there is a lot that is mismatched and unsupported.

Check this first:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml

For attributes maps check this other link:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

Warning
(for attribute maps, the attribute CVPN3000-Radius-IETF-Class or IETF-Radius-Class
 does not exist anymore; instead it looks for GROUP-Class or something similar)
 
dmking43 (Author) commented:
How are you doing? Let me start off with: I am fairly knowledgeable with the ASA, but I am not an expert, so I may not understand everything you are getting at, and I cannot tell you why Cisco TAC said all is good; as a matter of fact TAC added the LDAP (Outside) statement. I sometimes do not get the best TAC technician, it happens. After reading your comments and suggestions, I made the following changes: I added the full DN, removed "efiglobal\efi1a" and removed the LDAP (Outside) statement as well; see updated config below. As for the class map, I did most of that configuration and then got Cisco TAC involved as it was not working at the time. I am not sure what you mean on the attribute map, CVPN3000-Radius-IETF-Class; maybe it is not used in the latest version, but it was used in 8.1 and even the article you point to references it.

"In this example, the AD/LDAP attribute memberOf is mapped to the ASA attribute CVPN3000-Radius-IETF-Class. The class attribute is used in order to assign group policies on the ASA. This is the general process that the ASA completes when it authenticates users with LDAP:"

I will have to do some more reading on this topic. I would think if it is no longer used in the latest IOS it wouldn't accept that map?

To answer your question, yes, I am using authentication.
Also, do you have a sample config I can reference? Maybe that would make it easier, as I can still not find any sample configs or documentation that says this will work without SSL being enabled.

Updated Config
aaa-server EFI_LDAP (Inside) host 172.16.5.27
 server-port 389
 ldap-base-dn DC=efiglobal,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=efi1a,OU=Users and Groups,OU=Service Admins,DC=EFIGLOBAL,DC=com
 server-type microsoft
 ldap-attribute-map CISCOMAP
aaa-server EFI_LDAP (Inside) host 172.16.5.100
 timeout 5
 server-port 389
 ldap-base-dn DC=efiglobal,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=efi1a,OU=Users and Groups,OU=Service Admins,DC=EFIGLOBAL,DC=com
 server-type microsoft

I tested the login and it still failed, indicating no SSL enabled on connection; see debug below
ASA(config)# Debug ldap 255
debug ldap  enabled at level 255
ASA(config)#
[1491] Session Start
[1491] New request Session, context 0xccaed2e0, reqType = Authentication
[1491] Fiber started
[1491] Creating LDAP context with uri=ldap://172.16.5.27:389
[1491] Connect to LDAP server: ldap://172.16.5.27:389, status = Successful
[1491] supportedLDAPVersion: value = 3
[1491] supportedLDAPVersion: value = 2
[1491] Binding as efi1a
[1491] Performing Simple authentication for efi1a to 172.16.5.27
[1491] LDAP Search:
        Base DN = [DC=efiglobal,DC=com]
        Filter  = [sAMAccountName=testuser]
        Scope   = [SUBTREE]
[1491] User DN = [CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com]
[1491] Talking to Active Directory server 172.16.5.27
[1491] Reading password policy for testuser, dn:CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com
[1491] Read bad password count 0
[1491] Binding as testuser
[1491] Performing Simple authentication for testuser to 172.16.5.27
[1491] Simple authentication for testuser returned code (49) Invalid credentials
[1491] Message (testuser): 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 773, vece
[1491] Checking password policy
[1491] New password is required for testuser
[1491] Fiber exit Tx=751 bytes Rx=4557 bytes, status=-1
[1491] Session End

[1492] Session Start
[1492] New request Session, context 0xccaed2e0, reqType = Modify Password
[1492] Fiber started
[1492] Creating LDAP context with uri=ldap://172.16.5.27:389
[1492] Connect to LDAP server: ldap://172.16.5.27:389, status = Successful
[1492] supportedLDAPVersion: value = 3
[1492] supportedLDAPVersion: value = 2
[1492] Binding as efi1a
[1492] Performing Simple authentication for efi1a to 172.16.5.27
[1492] LDAP Search:
        Base DN = [DC=efiglobal,DC=com]
        Filter  = [sAMAccountName=testuser]
        Scope   = [SUBTREE]
[1492] User DN = [CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com]
[1492] Talking to Active Directory server 172.16.5.27
[1492] Reading password policy for testuser, dn:CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com
[1492] Read bad password count 0
[1492] modify failed, no SSL enabled on connection
[1492] Fiber exit Tx=790 bytes Rx=4544 bytes, status=-1
[1492] Session End
 
geergon commented:
Please disable the *authorization* lines from the tunnel-group configuration as well.

It should look like:
tunnel-group AnyConnect general-attributes
 address-pool SSL_VPN_Users
 authentication-server-group EFI_LDAP
 default-group-policy EFI_ALL_Users
 password-management

On the other hand, I have seen a lot of problematic situations with version 8.2.1; this version is very "buggy". Please upgrade to 8.2.1.11 or downgrade to 8.0.4.39 or 8.0.4.44; ask TAC to post those engineering releases to you. Regarding TAC, I think that they have the best technicians in the world and the best support; the only part that I doubt is the human part, and everybody can make mistakes... right?

Regarding the example that you requested, well, I can do a lab this Monday and test this configuration, but I mean it should work; I did this in the past without any issue and I do not remember the restriction of SSL in order for it to work....

Forget about the attribute map, it was an unrelated comment on my part, disregard....

 
geergon commented:
Also try to upgrade the Anyconnect package and check how it goes.
 
dmking43 (Author) commented:
How are you doing? I already sent you the tunnel-group config in an earlier post, but here it is again. I will see if I have the older versions of the IOS; otherwise I will upgrade the ASA and AnyConnect client. I will let you know, thanks

tunnel-group AnyConnect general-attributes
 address-pool SSL_VPN_Users
 authentication-server-group EFI_LDAP
 authentication-server-group (Outside) EFI_LDAP
 authorization-server-group EFI_LDAP
 authorization-server-group (Inside) EFI_LDAP
 default-group-policy EFI_ALL_Users
 password-management
 authorization-required
 ldap-login-dn efiglobal\efi1a
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map CISCOMAP


 
dmking43 (Author) commented:
Hello, I upgraded the ASA and the Anyconnect client

ASA
Cisco Adaptive Security Appliance Software Version 8.2(1)11
Device Manager Version 6.2(1)

Compiled on Mon 21-Sep-09 17:47 by builders
System image file is "disk0:/asa821-11-k8.bin"
Config file at boot was "startup-config"

AnyConnect Client
anyconnect-win-2.4.0202-k9


I tried it again, see debug below, same results: "[10] modify failed, no SSL enabled on connection"

I look forward to the results of your test in the lab Monday if you have the time. I also plan to add SSL to the server if I can Monday and see if that does it; I will let you know. Also, thanks again for all your help

Debug Results
[9] Session Start
[9] New request Session, context 0xccb48bf8, reqType = Authentication
[9] Fiber started
[9] Creating LDAP context with uri=ldap://172.16.5.27:389
[9] Connect to LDAP server: ldap://172.16.5.27:389, status = Successful
[9] supportedLDAPVersion: value = 3
[9] supportedLDAPVersion: value = 2
[9] Binding as efi1a
[9] Performing Simple authentication for efi1a to 172.16.5.27
[9] LDAP Search:
        Base DN = [DC=efiglobal,DC=com]
        Filter  = [sAMAccountName=testuser]
        Scope   = [SUBTREE]
[9] User DN = [CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com]
[9] Talking to Active Directory server 172.16.5.27
[9] Reading password policy for testuser, dn:CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com
[9] Read bad password count 0
[9] Binding as testuser
[9] Performing Simple authentication for testuser to 172.16.5.27
[9] Simple authentication for testuser returned code (49) Invalid credentials
[9] Message (testuser): 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 773, vece
[9] Checking password policy
[9] New password is required for testuser
[9] Fiber exit Tx=751 bytes Rx=4557 bytes, status=-1
[9] Session End

[10] Session Start
[10] New request Session, context 0xccb48bf8, reqType = Modify Password
[10] Fiber started
[10] Creating LDAP context with uri=ldap://172.16.5.27:389
[10] Connect to LDAP server: ldap://172.16.5.27:389, status = Successful
[10] supportedLDAPVersion: value = 3
[10] supportedLDAPVersion: value = 2
[10] Binding as efi1a
[10] Performing Simple authentication for efi1a to 172.16.5.27
[10] LDAP Search:
        Base DN = [DC=efiglobal,DC=com]
        Filter  = [sAMAccountName=testuser]
        Scope   = [SUBTREE]
[10] User DN = [CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com]
[10] Talking to Active Directory server 172.16.5.27
[10] Reading password policy for testuser, dn:CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com
[10] Read bad password count 0
[10] modify failed, no SSL enabled on connection
[10] Fiber exit Tx=788 bytes Rx=4544 bytes, status=-1
[10] Session End
 
geergon commented:
This is odd...

Is this the tunnel group configuration?

tunnel-group AnyConnect general-attributes
 address-pool SSL_VPN_Users
 authentication-server-group EFI_LDAP
 authentication-server-group (Outside) EFI_LDAP
 authorization-server-group EFI_LDAP
 authorization-server-group (Inside) EFI_LDAP
 default-group-policy EFI_ALL_Users
 password-management
 authorization-required
 ldap-login-dn efiglobal\efi1a
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map CISCOMAP

I do not understand why I am still seeing things like " ldap-login-dn efiglobal\efi1a" and " ldap-over-ssl enable" in the configuration that you posted. What I am trying to say is that we should see a tunnel-group like this:

tunnel-group AnyConnect general-attributes
 address-pool SSL_VPN_Users
 authentication-server-group EFI_LDAP
 default-group-policy EFI_ALL_Users
 password-management

Delete everything that is not here under the general attributes.
 
dmking43 (Author) commented:
My apologies, I copied and pasted from the earlier post rather than from the ASA. Here is the current config, and it does reflect the changes you requested.

tunnel-group AnyConnect general-attributes
 address-pool SSL_VPN_Users
 authentication-server-group EFI_LDAP
 default-group-policy EFI_ALL_Users
 password-management

Still no luck, it will not let me change the password, still looking for an SSL connection

[83] Session Start
[83] New request Session, context 0xccb48bf8, reqType = Authentication
[83] Fiber started
[83] Creating LDAP context with uri=ldap://172.16.5.27:389
[83] Connect to LDAP server: ldap://172.16.5.27:389, status = Successful
[83] supportedLDAPVersion: value = 3
[83] supportedLDAPVersion: value = 2
[83] Binding as efi1a
[83] Performing Simple authentication for efi1a to 172.16.5.27
[83] LDAP Search:
        Base DN = [DC=efiglobal,DC=com]
        Filter  = [sAMAccountName=testuser]
        Scope   = [SUBTREE]
[83] User DN = [CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com]
[83] Talking to Active Directory server 172.16.5.27
[83] Reading password policy for testuser, dn:CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com
[83] Read bad password count 0
[83] Binding as testuser
[83] Performing Simple authentication for testuser to 172.16.5.27
[83] Simple authentication for testuser returned code (49) Invalid credentials
[83] Message (testuser): 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 773, vece
[83] Checking password policy
[83] New password is required for testuser
[83] Fiber exit Tx=751 bytes Rx=4557 bytes, status=-1
[83] Session End

[84] Session Start
[84] New request Session, context 0xccb48bf8, reqType = Modify Password
[84] Fiber started
[84] Creating LDAP context with uri=ldap://172.16.5.27:389
[84] Connect to LDAP server: ldap://172.16.5.27:389, status = Successful
[84] supportedLDAPVersion: value = 3
[84] supportedLDAPVersion: value = 2
[84] Binding as efi1a
[84] Performing Simple authentication for efi1a to 172.16.5.27
[84] LDAP Search:
        Base DN = [DC=efiglobal,DC=com]
        Filter  = [sAMAccountName=testuser]
        Scope   = [SUBTREE]
[84] User DN = [CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com]
[84] Talking to Active Directory server 172.16.5.27
[84] Reading password policy for testuser, dn:CN=user\, test,OU=Users and Groups,OU=Kingwood,OU=Offices,DC=EFIGLOBAL,DC=com
[84] Read bad password count 0
[84] modify failed, no SSL enabled on connection
[84] Fiber exit Tx=788 bytes Rx=4544 bytes, status=-1
[84] Session End

 
geergon commented:
What can I say....

My bad.

I did not do the lab today, but I agree.... I confirmed this with other Cisco pals and everybody states that it is necessary to have LDAP over SSL to accomplish this; the problem here is that Cisco did not document this issue very well this time.

Thank you.
 
dmking43 (Author) commented:
Once LDAPS was installed it resolved the problem; geergon was mistaken that it was not required. Once LDAPS was installed on the server it worked, thanks
 
jroth-haj commented:
Thanks a lot for this simple solution!