Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 487
  • Last Modified:

Microsoft AD Ldap question

Hi we have a vpn that is using ldap to authenticate users but it wont work. We put our VPN users in a security group "g-web-vpn" but wont authenticate. We notice When I do a ldap query for the group attributes it has no "memberof" attribute. Is this what could be breaking it? Is this something to add in AD schema or somewhere? We are using Cisco webex vpn and mixed Windows 2003\2008 servers. Thanks.
0
Thomas N
Asked:
Thomas N
1 Solution
 
Rodney BarnhardtServer AdministratorCommented:
I am guessing you just mean WebVPN, not WebEx? There is a process in integrating with LDAP. Have you configured all of these settings?

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml
0
 
Mike KlineCommented:
Member/Memberof (backlink) are related

Member is for groups and user object use memberof.  Florian has a good blog entry on it here

http://www.frickelsoft.net/blog/?p=130

Thanks

Mike
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Thomas NSystems Analyst - Windows System AdministratorAuthor Commented:
Sorry if I missed something is there somewhere in AD I can make sure that the memberof can be queried? I read the article but I dont see where this helps me. I just need to make sure that the Cisco Webvpn can query the memberof groups on my Active directory. The ASA debug logs show that this attribute is not showing up.
0
 
Thomas NSystems Analyst - Windows System AdministratorAuthor Commented:
----test account-----
[75840] Session Start
[75840] New request Session, context 0x00007ffe54aae250, reqType = Authentication
[75840] Fiber started
[75840] Creating LDAP context with uri=ldap://x.x.40.198:389
[75840] Connect to LDAP server: ldap://x.x.40.198:389, status = Successful
[75840] supportedLDAPVersion: value = 3
[75840] supportedLDAPVersion: value = 2
[75840] Binding as ASA Teleworker
[75840] Performing Simple authentication for ASA Teleworker to x.x.40.198
[75840] LDAP Search:
        Base DN = [ou=Users, ou=Resources, dc=txaccess, dc=net]
        Filter  = [sAMAccountName=vpn.test]
        Scope   = [SUBTREE]
[75840] User DN = [CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=x
,DC=net]
[75840] Talking to Active Directory server x.x.40.198
[75840] Reading password policy for vpn.test, dn:CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=t,DC=net
[75840] Binding as vpn.test
[75840] Performing Simple authentication for vpn.test to 165.184.40.198
[75840] Processing LDAP response for user vpn.test
[75840] Message (vpn.test):
[75840] Checking password policy
[75840] Authentication successful for vpn.test to x.x.40.198
[75840] now: Fri, 14 Jun 2013 14:17:43 GMT, lastset: Sun, 29 Nov 2076 08:54:34 GMT, delta=-2002646211, maxage=1244316288 secs
[75840] expire in: -126903176 secs, 48241 days
[75840] Retrieved User Attributes:
[75840]         objectClass: value = top
[75840]         objectClass: value = person
[75840]         objectClass: value = organizationalPerson
[75840]         objectClass: value = user
[75840]         cn: value = VPN Test
[75840]         sn: value = Test
[75840]         description: value = Account used to test T VPN
[75840]         givenName: value = VPN
[75840]         distinguishedName: value = CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=t,DC=net
[75840]         displayName: value = VPN Test
[75840]         name: value = VPN Test
[75840]         objectGUID: value = .. ..FqC..}5WQ..
[75840]         codePage: value = 0
[75840]         countryCode: value = 0
[75840]         primaryGroupID: value = 513
[75840]         objectSid: value = ..............vt..s?..q5....
[75840]         sAMAccountName: value = vpn.test
[75840]         sAMAccountType: value = 805306368
[75840]         userPrincipalName: value = vpn.test@.net
[75840]         objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=t,DC=net
[75840] Fiber exit Tx=736 bytes Rx=1790 bytes, status=1
[75840] Session End

[75841] Session Start
[75841] New request Session, context 0x00007ffe54aae250, reqType = Other
[75841] Fiber started
[75841] Creating LDAP context with uri=ldap://..40.198:389
[75841] Connect to LDAP server: ldap://.1.40.198:389, status = Successful
[75841] supportedLDAPVersion: value = 3
[75841] supportedLDAPVersion: value = 2
[75841] Binding as ASA Teleworker
[75841] Performing Simple authentication for ASA Teleworker to 165.184.40.198
[75841] LDAP Search:
        Base DN = [ou=Users, ou=Resources, dc=t, dc=net]
        Filter  = [sAMAccountName=vpn.test]
        Scope   = [SUBTREE]
[75841] User DN = [CN=VPN Test,OU=Test Accounts,
OU=Users,OU=Resources,DC=t,DC=net]
[75841] Talking to Active Directory server ..40.198
[75841] Reading password policy for vpn.test, dn:CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=t,DC=net
[75841] LDAP Search:
        Base DN = [ou=Users, ou=Resources, dc=t, dc=net]
        Filter  = [sAMAccountName=vpn.test]
        Scope   = [SUBTREE]
[75841] Retrieved User Attributes:
[75841]         objectClass: value = top
[75841]         objectClass: value = person
[75841]         objectClass: value = organizationalPerson
[75841]         objectClass: value = user
[75841]         cn: value = VPN Test
[75841]         sn: value = Test
[75841]         description: value = Account used to test T VPN
[75841]         givenName: value = VPN
[75841]         distinguishedName: value = CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=tx,DC=net
[75841]         displayName: value = VPN Test
[75841]         name: value = VPN Test
[75841]         objectGUID: value = .. ..FqC..}5WQ..
[75841]         codePage: value = 0
[75841]         countryCode: value = 0
[75841]         primaryGroupID: value = 513
[75841]         objectSid: value = ..............vt..s?..q5....
[75841]         sAMAccountName: value = vpn.test
[75841]         sAMAccountType: value = 805306368
[75841]         userPrincipalName: value = vpn.test@ts.net
[75841]         objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=t,DC=net
[75841] Fiber exit Tx=741 bytes Rx=2646 bytes, status=1
0
 
Thomas NSystems Analyst - Windows System AdministratorAuthor Commented:
Here is the ASA logs and there is not attribute for memberof pulling up
0
 
Thomas NSystems Analyst - Windows System AdministratorAuthor Commented:
Basically the Cisco VPN is not pulling the "memberof" information from our AD Ldap. So its not reading the security groups. Is there something in AD I need to check or turn on to do this?
0
 
Rodney BarnhardtServer AdministratorCommented:
"Note: The memberOf attribute corresponds to the group that the user is a a part of in the Active Directory. It is possible for a user to be a member of more than one group in the Active Directory. This causes multiple memberOf attributes to be sent by the server, but the ASA can only match one attribute to one group policy."

You probably need to create the mapping since your users are more than likely members of various groups. Since from looking at the log you attached, I did not see any "member of" reference.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now