Solved

Microsoft AD Ldap question

Posted on 2013-06-18
8
464 Views
Last Modified: 2013-07-22
Hi, we have a VPN that is using LDAP to authenticate users, but it won't work. We put our VPN users in a security group "g-web-vpn", but it won't authenticate. We notice when I do an LDAP query for the group attributes it has no "memberOf" attribute. Is this what could be breaking it? Is this something to add in the AD schema or somewhere? We are using Cisco WebEx VPN and mixed Windows 2003/2008 servers. Thanks.
0
Question by:Thomas N
8 Comments
 
LVL 32

Expert Comment

by:Rodney Barnhardt
ID: 39256898
I am guessing you just mean WebVPN, not WebEx? There is a process in integrating with LDAP. Have you configured all of these settings?

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39256902
Member/memberOf (backlink) are related.

Member is for groups, and user objects use memberOf. Florian has a good blog entry on it here:

http://www.frickelsoft.net/blog/?p=130

Thanks

Mike
0
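As an added illustration of the forward-link/back-link relationship described in the comment above (this is example code written for this page, not code from the thread or from the linked blog): a small model of how Active Directory derives memberOf on a user from the member attribute on groups. It also shows two properties a practitioner should keep in mind when a user appears with no memberOf, as in the posted debug output: the primary group (primaryGroupID 513, Domain Users) is never listed in memberOf, and memberOf holds direct membership only, so nested groups do not appear in it. All DNs, RIDs and group names below are constructed sample data.

```python
"""Model of how AD derives memberOf (back link) from group 'member' (forward link).

Added example for this page, not code from the thread. Documented AD behaviour
modelled here: 'member' on a group is the stored forward link, 'memberOf' on a
user is computed from it, the primary group is tracked by primaryGroupID and so
never appears in memberOf, and memberOf is not transitive. Sample data is made up.
"""
from dataclasses import dataclass, field

DOMAIN_USERS_RID = 513  # RID of "Domain Users", the default primary group
BASE = "DC=example,DC=net"  # assumed domain, standing in for the poster's


@dataclass
class Group:
    dn: str
    rid: int
    member: list = field(default_factory=list)  # forward link: DNs of members


@dataclass
class User:
    dn: str
    primary_group_id: int = DOMAIN_USERS_RID


def norm_dn(dn: str) -> str:
    """DNs compare case-insensitively and ignore whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def member_of(user: User, groups: list) -> list:
    """Compute the memberOf back link: groups whose 'member' lists the user.

    Direct membership only, and the primary group is excluded: AD does not store
    primary-group membership in 'member' at all, so this guard only matters for
    hand-built data like the sample below.
    """
    udn = norm_dn(user.dn)
    return [g.dn for g in groups
            if g.rid != user.primary_group_id
            and any(norm_dn(m) == udn for m in g.member)]


def transitive_groups(user: User, groups: list) -> set:
    """Nested membership (what the tokenGroups attribute exposes), for contrast."""
    result, todo = set(), list(member_of(user, groups))
    while todo:
        gdn = todo.pop()
        if gdn in result:
            continue
        result.add(gdn)
        # groups can themselves be members of groups; follow the links upward
        for parent in groups:
            if any(norm_dn(m) == norm_dn(gdn) for m in parent.member):
                todo.append(parent.dn)
    return result


VPN_TEST = User(f"CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,{BASE}")


def build_groups(add_to_vpn_group: bool) -> list:
    """Constructed directory: Domain Users, g-web-vpn, and a group that nests it."""
    domain_users = Group(f"CN=Domain Users,CN=Users,{BASE}", DOMAIN_USERS_RID)
    web_vpn = Group(f"CN=g-web-vpn,OU=Groups,{BASE}", 1105)
    remote = Group(f"CN=g-remote-access,OU=Groups,{BASE}", 1106, [web_vpn.dn])
    if add_to_vpn_group:
        web_vpn.member.append(VPN_TEST.dn)
    return [domain_users, web_vpn, remote]


if __name__ == "__main__":
    # Only the primary group: memberOf is empty, as in the posted debug output.
    print("before:", member_of(VPN_TEST, build_groups(False)))
    groups = build_groups(True)
    print("direct:", member_of(VPN_TEST, groups))
    print("nested:", sorted(transitive_groups(VPN_TEST, groups)))
```

The "before" case is the state the posted log shows: primaryGroupID is set, nothing is in memberOf, so there is nothing for a memberOf-based check to match. Adding the user to g-web-vpn produces exactly one memberOf value; the containing group only shows up through tokenGroups-style expansion, never in memberOf itself.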
 
LVL 5

Expert Comment

by:MisterTwelve
ID: 39257067
0
 

Author Comment

by:Thomas N
ID: 39257070
Sorry if I missed something; is there somewhere in AD I can make sure that memberOf can be queried? I read the article, but I don't see where this helps me. I just need to make sure that the Cisco WebVPN can query the memberOf groups on my Active Directory. The ASA debug logs show that this attribute is not showing up.
0
 

Author Comment

by:Thomas N
ID: 39257084
----test account-----
[75840] Session Start
[75840] New request Session, context 0x00007ffe54aae250, reqType = Authentication
[75840] Fiber started
[75840] Creating LDAP context with uri=ldap://x.x.40.198:389
[75840] Connect to LDAP server: ldap://x.x.40.198:389, status = Successful
[75840] supportedLDAPVersion: value = 3
[75840] supportedLDAPVersion: value = 2
[75840] Binding as ASA Teleworker
[75840] Performing Simple authentication for ASA Teleworker to x.x.40.198
[75840] LDAP Search:
        Base DN = [ou=Users, ou=Resources, dc=txaccess, dc=net]
        Filter  = [sAMAccountName=vpn.test]
        Scope   = [SUBTREE]
[75840] User DN = [CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=x,DC=net]
[75840] Talking to Active Directory server x.x.40.198
[75840] Reading password policy for vpn.test, dn:CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=t,DC=net
[75840] Binding as vpn.test
[75840] Performing Simple authentication for vpn.test to 165.184.40.198
[75840] Processing LDAP response for user vpn.test
[75840] Message (vpn.test):
[75840] Checking password policy
[75840] Authentication successful for vpn.test to x.x.40.198
[75840] now: Fri, 14 Jun 2013 14:17:43 GMT, lastset: Sun, 29 Nov 2076 08:54:34 GMT, delta=-2002646211, maxage=1244316288 secs
[75840] expire in: -126903176 secs, 48241 days
[75840] Retrieved User Attributes:
[75840]         objectClass: value = top
[75840]         objectClass: value = person
[75840]         objectClass: value = organizationalPerson
[75840]         objectClass: value = user
[75840]         cn: value = VPN Test
[75840]         sn: value = Test
[75840]         description: value = Account used to test T VPN
[75840]         givenName: value = VPN
[75840]         distinguishedName: value = CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=t,DC=net
[75840]         displayName: value = VPN Test
[75840]         name: value = VPN Test
[75840]         objectGUID: value = .. ..FqC..}5WQ..
[75840]         codePage: value = 0
[75840]         countryCode: value = 0
[75840]         primaryGroupID: value = 513
[75840]         objectSid: value = ..............vt..s?..q5....
[75840]         sAMAccountName: value = vpn.test
[75840]         sAMAccountType: value = 805306368
[75840]         userPrincipalName: value = vpn.test@.net
[75840]         objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=t,DC=net
[75840] Fiber exit Tx=736 bytes Rx=1790 bytes, status=1
[75840] Session End

[75841] Session Start
[75841] New request Session, context 0x00007ffe54aae250, reqType = Other
[75841] Fiber started
[75841] Creating LDAP context with uri=ldap://..40.198:389
[75841] Connect to LDAP server: ldap://.1.40.198:389, status = Successful
[75841] supportedLDAPVersion: value = 3
[75841] supportedLDAPVersion: value = 2
[75841] Binding as ASA Teleworker
[75841] Performing Simple authentication for ASA Teleworker to 165.184.40.198
[75841] LDAP Search:
        Base DN = [ou=Users, ou=Resources, dc=t, dc=net]
        Filter  = [sAMAccountName=vpn.test]
        Scope   = [SUBTREE]
[75841] User DN = [CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=t,DC=net]
[75841] Talking to Active Directory server ..40.198
[75841] Reading password policy for vpn.test, dn:CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=t,DC=net
[75841] LDAP Search:
        Base DN = [ou=Users, ou=Resources, dc=t, dc=net]
        Filter  = [sAMAccountName=vpn.test]
        Scope   = [SUBTREE]
[75841] Retrieved User Attributes:
[75841]         objectClass: value = top
[75841]         objectClass: value = person
[75841]         objectClass: value = organizationalPerson
[75841]         objectClass: value = user
[75841]         cn: value = VPN Test
[75841]         sn: value = Test
[75841]         description: value = Account used to test T VPN
[75841]         givenName: value = VPN
[75841]         distinguishedName: value = CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=tx,DC=net
[75841]         displayName: value = VPN Test
[75841]         name: value = VPN Test
[75841]         objectGUID: value = .. ..FqC..}5WQ..
[75841]         codePage: value = 0
[75841]         countryCode: value = 0
[75841]         primaryGroupID: value = 513
[75841]         objectSid: value = ..............vt..s?..q5....
[75841]         sAMAccountName: value = vpn.test
[75841]         sAMAccountType: value = 805306368
[75841]         userPrincipalName: value = vpn.test@ts.net
[75841]         objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=t,DC=net
[75841] Fiber exit Tx=741 bytes Rx=2646 bytes, status=1
0
 

Author Comment

by:Thomas N
ID: 39257085
Here are the ASA logs, and there is no attribute for memberOf pulling up.
0
 

Author Comment

by:Thomas N
ID: 39257235
Basically the Cisco VPN is not pulling the "memberOf" information from our AD LDAP, so it's not reading the security groups. Is there something in AD I need to check or turn on to do this?
0
 
LVL 32

Accepted Solution

by:
Rodney Barnhardt earned 500 total points
ID: 39259991
"Note: The memberOf attribute corresponds to the group that the user is a part of in the Active Directory. It is possible for a user to be a member of more than one group in the Active Directory. This causes multiple memberOf attributes to be sent by the server, but the ASA can only match one attribute to one group policy."

You probably need to create the mapping, since your users are more than likely members of various groups. From looking at the log you attached, I did not see any "memberOf" reference.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
0
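To make the two points in this thread concrete (the posted debug output returning no memberOf for vpn.test, and the accepted answer's note that the ASA maps one memberOf value to one group policy), here is an added example written for this page; it is not code from the thread, from Cisco, or from the ASA. It parses a transcript in the same layout as the posted debug output and then applies a memberOf-to-group-policy table of the kind an ASA ldap attribute-map expresses (map-name memberOf Group-Policy, map-value memberOf DN policy). The log excerpt is constructed, the group DNs and policy names in POLICY_MAP are assumptions standing in for the poster's g-web-vpn group, and the "first mapped value wins" rule for users with several mapped groups is this example's own choice, not a statement of ASA behaviour.

```python
"""Parse an ASA LDAP debug transcript and apply a memberOf -> group-policy map.

Added example for this page, not Cisco or thread code. SAMPLE_LOG is constructed
in the layout of the posted transcript: a bracketed fiber id, a 'Retrieved User
Attributes:' header, then 'name: value = ...' lines until 'Fiber exit'. The DNs
and policy names in POLICY_MAP are assumptions, as is the first-match rule.
"""
import re
from collections import defaultdict

ATTR_LINE = re.compile(r"^\[(\d+)\]\s+(\w+): value = (.*)$")
HEADER = re.compile(r"^\[(\d+)\] Retrieved User Attributes:")


def parse_retrieved_attributes(log: str) -> dict:
    """Return {fiber_id: {attr_name: [values...]}} for every attribute dump.

    Values stay lists because LDAP attributes are multi-valued (objectClass,
    memberOf); names are lower-cased because attribute names are case-insensitive.
    """
    blocks, current = {}, None
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            blocks[current] = defaultdict(list)
            continue
        m = ATTR_LINE.match(line)
        if m and current == m.group(1):
            blocks[current][m.group(2).lower()].append(m.group(3).strip())
        elif current and line.startswith(f"[{current}] Fiber exit"):
            current = None  # end of that session's attribute dump
    return {fiber: dict(attrs) for fiber, attrs in blocks.items()}


def norm_dn(dn: str) -> str:
    """DNs compare case-insensitively and ignore whitespace around commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


# Assumed mapping (not from the thread): group DN -> ASA group-policy name.
POLICY_MAP = {
    norm_dn("CN=g-web-vpn,OU=Groups,DC=example,DC=net"): "GP-WEB-VPN",
    norm_dn("CN=g-admins,OU=Groups,DC=example,DC=net"): "GP-ADMIN",
}


def select_group_policy(attrs: dict, policy_map: dict = POLICY_MAP):
    """Return (policy, reason) for one user's retrieved attributes.

    No memberOf at all is the thread's situation: nothing can be mapped, so the
    device falls through to whatever its default is. With several mapped values
    this example takes the first in server order (an assumption, flagged in the
    reason so the caller can see the ambiguity).
    """
    groups = attrs.get("memberof", [])
    if not groups:
        return None, ("no memberOf returned: user is in no group besides its "
                      "primary group, or the bind account cannot read memberOf")
    matches = [policy_map[norm_dn(g)] for g in groups if norm_dn(g) in policy_map]
    if not matches:
        return None, f"memberOf present but none of {len(groups)} value(s) is mapped"
    if len(matches) == 1:
        return matches[0], "one mapped group"
    return matches[0], f"{len(matches)} mapped groups, first wins: {matches}"


SAMPLE_LOG = """\
[75840] Session Start
[75840] Binding as vpn.test
[75840] Authentication successful for vpn.test to 10.0.40.198
[75840] Retrieved User Attributes:
[75840]         objectClass: value = top
[75840]         objectClass: value = user
[75840]         cn: value = VPN Test
[75840]         primaryGroupID: value = 513
[75840]         sAMAccountName: value = vpn.test
[75840] Fiber exit Tx=736 bytes Rx=1790 bytes, status=1
[75842] Session Start
[75842] Retrieved User Attributes:
[75842]         objectClass: value = user
[75842]         cn: value = Jane Admin
[75842]         memberOf: value = CN=g-admins,OU=Groups,DC=example,DC=net
[75842]         memberOf: value = CN=g-web-vpn,OU=Groups,DC=example,DC=net
[75842]         primaryGroupID: value = 513
[75842]         sAMAccountName: value = jane.admin
[75842] Fiber exit Tx=740 bytes Rx=2100 bytes, status=1
"""


def evaluate(log: str = SAMPLE_LOG) -> dict:
    """Map each session's sAMAccountName to its (policy, reason)."""
    return {attrs["samaccountname"][0]: select_group_policy(attrs)
            for attrs in parse_retrieved_attributes(log).values()}


if __name__ == "__main__":
    for user, (policy, why) in evaluate().items():
        print(f"{user}: policy={policy!r} ({why})")
```

Run against the real transcript, the first thing to check is whether memberOf appears in the attribute dump at all; if it does not, as in the thread, the fix is on the directory side (put the account in g-web-vpn, and confirm the bind account can read memberOf), not in the attribute map. Only once a value comes back does the map-value table decide which policy applies, and with several mapped groups the ordering the device uses is what needs to be confirmed against the vendor documentation.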