Solved

Microsoft AD Ldap question

Posted on 2013-06-18
8
474 Views
Last Modified: 2013-07-22
Hi we have a vpn that is using ldap to authenticate users but it wont work. We put our VPN users in a security group "g-web-vpn" but wont authenticate. We notice When I do a ldap query for the group attributes it has no "memberof" attribute. Is this what could be breaking it? Is this something to add in AD schema or somewhere? We are using Cisco webex vpn and mixed Windows 2003\2008 servers. Thanks.
0
Comment
Question by:Thomas N
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 32

Expert Comment

by:Rodney Barnhardt
ID: 39256898
I am guessing you just mean WebVPN, not WebEx? There is a process in integrating with LDAP. Have you configured all of these settings?

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39256902
Member/Memberof (backlink) are related

Member is for groups and user object use memberof.  Florian has a good blog entry on it here

http://www.frickelsoft.net/blog/?p=130

Thanks

Mike
0
 
LVL 5

Expert Comment

by:MisterTwelve
ID: 39257067
0
Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

 

Author Comment

by:Thomas N
ID: 39257070
Sorry if I missed something is there somewhere in AD I can make sure that the memberof can be queried? I read the article but I dont see where this helps me. I just need to make sure that the Cisco Webvpn can query the memberof groups on my Active directory. The ASA debug logs show that this attribute is not showing up.
0
 

Author Comment

by:Thomas N
ID: 39257084
----test account-----
[75840] Session Start
[75840] New request Session, context 0x00007ffe54aae250, reqType = Authentication
[75840] Fiber started
[75840] Creating LDAP context with uri=ldap://x.x.40.198:389
[75840] Connect to LDAP server: ldap://x.x.40.198:389, status = Successful
[75840] supportedLDAPVersion: value = 3
[75840] supportedLDAPVersion: value = 2
[75840] Binding as ASA Teleworker
[75840] Performing Simple authentication for ASA Teleworker to x.x.40.198
[75840] LDAP Search:
        Base DN = [ou=Users, ou=Resources, dc=txaccess, dc=net]
        Filter  = [sAMAccountName=vpn.test]
        Scope   = [SUBTREE]
[75840] User DN = [CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=x
,DC=net]
[75840] Talking to Active Directory server x.x.40.198
[75840] Reading password policy for vpn.test, dn:CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=t,DC=net
[75840] Binding as vpn.test
[75840] Performing Simple authentication for vpn.test to 165.184.40.198
[75840] Processing LDAP response for user vpn.test
[75840] Message (vpn.test):
[75840] Checking password policy
[75840] Authentication successful for vpn.test to x.x.40.198
[75840] now: Fri, 14 Jun 2013 14:17:43 GMT, lastset: Sun, 29 Nov 2076 08:54:34 GMT, delta=-2002646211, maxage=1244316288 secs
[75840] expire in: -126903176 secs, 48241 days
[75840] Retrieved User Attributes:
[75840]         objectClass: value = top
[75840]         objectClass: value = person
[75840]         objectClass: value = organizationalPerson
[75840]         objectClass: value = user
[75840]         cn: value = VPN Test
[75840]         sn: value = Test
[75840]         description: value = Account used to test T VPN
[75840]         givenName: value = VPN
[75840]         distinguishedName: value = CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=t,DC=net
[75840]         displayName: value = VPN Test
[75840]         name: value = VPN Test
[75840]         objectGUID: value = .. ..FqC..}5WQ..
[75840]         codePage: value = 0
[75840]         countryCode: value = 0
[75840]         primaryGroupID: value = 513
[75840]         objectSid: value = ..............vt..s?..q5....
[75840]         sAMAccountName: value = vpn.test
[75840]         sAMAccountType: value = 805306368
[75840]         userPrincipalName: value = vpn.test@.net
[75840]         objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=t,DC=net
[75840] Fiber exit Tx=736 bytes Rx=1790 bytes, status=1
[75840] Session End

[75841] Session Start
[75841] New request Session, context 0x00007ffe54aae250, reqType = Other
[75841] Fiber started
[75841] Creating LDAP context with uri=ldap://..40.198:389
[75841] Connect to LDAP server: ldap://.1.40.198:389, status = Successful
[75841] supportedLDAPVersion: value = 3
[75841] supportedLDAPVersion: value = 2
[75841] Binding as ASA Teleworker
[75841] Performing Simple authentication for ASA Teleworker to 165.184.40.198
[75841] LDAP Search:
        Base DN = [ou=Users, ou=Resources, dc=t, dc=net]
        Filter  = [sAMAccountName=vpn.test]
        Scope   = [SUBTREE]
[75841] User DN = [CN=VPN Test,OU=Test Accounts,
OU=Users,OU=Resources,DC=t,DC=net]
[75841] Talking to Active Directory server ..40.198
[75841] Reading password policy for vpn.test, dn:CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=t,DC=net
[75841] LDAP Search:
        Base DN = [ou=Users, ou=Resources, dc=t, dc=net]
        Filter  = [sAMAccountName=vpn.test]
        Scope   = [SUBTREE]
[75841] Retrieved User Attributes:
[75841]         objectClass: value = top
[75841]         objectClass: value = person
[75841]         objectClass: value = organizationalPerson
[75841]         objectClass: value = user
[75841]         cn: value = VPN Test
[75841]         sn: value = Test
[75841]         description: value = Account used to test T VPN
[75841]         givenName: value = VPN
[75841]         distinguishedName: value = CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=tx,DC=net
[75841]         displayName: value = VPN Test
[75841]         name: value = VPN Test
[75841]         objectGUID: value = .. ..FqC..}5WQ..
[75841]         codePage: value = 0
[75841]         countryCode: value = 0
[75841]         primaryGroupID: value = 513
[75841]         objectSid: value = ..............vt..s?..q5....
[75841]         sAMAccountName: value = vpn.test
[75841]         sAMAccountType: value = 805306368
[75841]         userPrincipalName: value = vpn.test@ts.net
[75841]         objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=t,DC=net
[75841] Fiber exit Tx=741 bytes Rx=2646 bytes, status=1
0
 

Author Comment

by:Thomas N
ID: 39257085
Here is the ASA logs and there is not attribute for memberof pulling up
0
 

Author Comment

by:Thomas N
ID: 39257235
Basically the Cisco VPN is not pulling the "memberof" information from our AD Ldap. So its not reading the security groups. Is there something in AD I need to check or turn on to do this?
0
 
LVL 32

Accepted Solution

by:
Rodney Barnhardt earned 500 total points
ID: 39259991
"Note: The memberOf attribute corresponds to the group that the user is a a part of in the Active Directory. It is possible for a user to be a member of more than one group in the Active Directory. This causes multiple memberOf attributes to be sent by the server, but the ASA can only match one attribute to one group policy."

You probably need to create the mapping since your users are more than likely members of various groups. Since from looking at the log you attached, I did not see any "member of" reference.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question