
Microsoft AD Ldap question

Posted on 2013-06-18
Last Modified: 2013-07-22
Hi, we have a VPN that is using LDAP to authenticate users, but it won't work. We put our VPN users in a security group "g-web-vpn", but they won't authenticate. We noticed that when I do an LDAP query for the group attributes, it has no "memberOf" attribute. Is this what could be breaking it? Is this something to add in the AD schema or somewhere? We are using Cisco WebEx VPN and mixed Windows 2003/2008 servers. Thanks.
Question by:Thomas N

Expert Comment

by:Rodney Barnhardt
ID: 39256898
I am guessing you just mean WebVPN, not WebEx? There is a process for integrating with LDAP. Have you configured all of these settings?

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml

Expert Comment

by:Mike Kline
ID: 39256902
Member/memberOf (backlink) are related.

Member is for groups, and user objects use memberOf. Florian has a good blog entry on it here:

http://www.frickelsoft.net/blog/?p=130

Thanks

Mike

Author Comment

by:Thomas N
ID: 39257070
Sorry if I missed something: is there somewhere in AD I can make sure that memberOf can be queried? I read the article, but I don't see where this helps me. I just need to make sure that the Cisco WebVPN can query the memberOf groups on my Active Directory. The ASA debug logs show that this attribute is not showing up.

Author Comment

by:Thomas N
ID: 39257084
----test account-----
[75840] Session Start
[75840] New request Session, context 0x00007ffe54aae250, reqType = Authentication
[75840] Fiber started
[75840] Creating LDAP context with uri=ldap://x.x.40.198:389
[75840] Connect to LDAP server: ldap://x.x.40.198:389, status = Successful
[75840] supportedLDAPVersion: value = 3
[75840] supportedLDAPVersion: value = 2
[75840] Binding as ASA Teleworker
[75840] Performing Simple authentication for ASA Teleworker to x.x.40.198
[75840] LDAP Search:
        Base DN = [ou=Users, ou=Resources, dc=txaccess, dc=net]
        Filter  = [sAMAccountName=vpn.test]
        Scope   = [SUBTREE]
[75840] User DN = [CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=x,DC=net]
[75840] Talking to Active Directory server x.x.40.198
[75840] Reading password policy for vpn.test, dn:CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=t,DC=net
[75840] Binding as vpn.test
[75840] Performing Simple authentication for vpn.test to 165.184.40.198
[75840] Processing LDAP response for user vpn.test
[75840] Message (vpn.test):
[75840] Checking password policy
[75840] Authentication successful for vpn.test to x.x.40.198
[75840] now: Fri, 14 Jun 2013 14:17:43 GMT, lastset: Sun, 29 Nov 2076 08:54:34 GMT, delta=-2002646211, maxage=1244316288 secs
[75840] expire in: -126903176 secs, 48241 days
[75840] Retrieved User Attributes:
[75840]         objectClass: value = top
[75840]         objectClass: value = person
[75840]         objectClass: value = organizationalPerson
[75840]         objectClass: value = user
[75840]         cn: value = VPN Test
[75840]         sn: value = Test
[75840]         description: value = Account used to test T VPN
[75840]         givenName: value = VPN
[75840]         distinguishedName: value = CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=t,DC=net
[75840]         displayName: value = VPN Test
[75840]         name: value = VPN Test
[75840]         objectGUID: value = .. ..FqC..}5WQ..
[75840]         codePage: value = 0
[75840]         countryCode: value = 0
[75840]         primaryGroupID: value = 513
[75840]         objectSid: value = ..............vt..s?..q5....
[75840]         sAMAccountName: value = vpn.test
[75840]         sAMAccountType: value = 805306368
[75840]         userPrincipalName: value = vpn.test@.net
[75840]         objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=t,DC=net
[75840] Fiber exit Tx=736 bytes Rx=1790 bytes, status=1
[75840] Session End

[75841] Session Start
[75841] New request Session, context 0x00007ffe54aae250, reqType = Other
[75841] Fiber started
[75841] Creating LDAP context with uri=ldap://..40.198:389
[75841] Connect to LDAP server: ldap://.1.40.198:389, status = Successful
[75841] supportedLDAPVersion: value = 3
[75841] supportedLDAPVersion: value = 2
[75841] Binding as ASA Teleworker
[75841] Performing Simple authentication for ASA Teleworker to 165.184.40.198
[75841] LDAP Search:
        Base DN = [ou=Users, ou=Resources, dc=t, dc=net]
        Filter  = [sAMAccountName=vpn.test]
        Scope   = [SUBTREE]
[75841] User DN = [CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=t,DC=net]
[75841] Talking to Active Directory server ..40.198
[75841] Reading password policy for vpn.test, dn:CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=t,DC=net
[75841] LDAP Search:
        Base DN = [ou=Users, ou=Resources, dc=t, dc=net]
        Filter  = [sAMAccountName=vpn.test]
        Scope   = [SUBTREE]
[75841] Retrieved User Attributes:
[75841]         objectClass: value = top
[75841]         objectClass: value = person
[75841]         objectClass: value = organizationalPerson
[75841]         objectClass: value = user
[75841]         cn: value = VPN Test
[75841]         sn: value = Test
[75841]         description: value = Account used to test T VPN
[75841]         givenName: value = VPN
[75841]         distinguishedName: value = CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=tx,DC=net
[75841]         displayName: value = VPN Test
[75841]         name: value = VPN Test
[75841]         objectGUID: value = .. ..FqC..}5WQ..
[75841]         codePage: value = 0
[75841]         countryCode: value = 0
[75841]         primaryGroupID: value = 513
[75841]         objectSid: value = ..............vt..s?..q5....
[75841]         sAMAccountName: value = vpn.test
[75841]         sAMAccountType: value = 805306368
[75841]         userPrincipalName: value = vpn.test@ts.net
[75841]         objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=t,DC=net
[75841] Fiber exit Tx=741 bytes Rx=2646 bytes, status=1

Author Comment

by:Thomas N
ID: 39257085
Here are the ASA logs, and there is no attribute for memberOf pulling up.

Author Comment

by:Thomas N
ID: 39257235
Basically, the Cisco VPN is not pulling the "memberOf" information from our AD LDAP, so it's not reading the security groups. Is there something in AD I need to check or turn on to do this?

Accepted Solution

by:Rodney Barnhardt (earned 500 total points)
ID: 39259991
"Note: The memberOf attribute corresponds to the group that the user is a part of in the Active Directory. It is possible for a user to be a member of more than one group in the Active Directory. This causes multiple memberOf attributes to be sent by the server, but the ASA can only match one attribute to one group policy."

You probably need to create the mapping, since your users are more than likely members of various groups. From looking at the log you attached, I did not see any "memberOf" reference.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
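The accepted answer points at the ASA attribute map and the Cisco note about multiple memberOf values, and Mike Kline's comment explains that memberOf on the user is the backlink of the group's member attribute. The Python below is an added example, not code from the thread, from Cisco or from Microsoft. It parses the "Retrieved User Attributes" section of a `debug ldap 255` trace like the one Thomas posted, then applies a memberOf-to-group-policy map the way an `ldap attribute-map` on the ASA does, and reports the two failure modes discussed in this thread: no memberOf returned at all, and more than one memberOf value matching the map. The log excerpt, the session IDs, the group DNs and the policy names are constructed. Two AD facts the diagnosis relies on: memberOf lists only groups the user is a direct member of, and the user's primary group (primaryGroupID 513 is Domain Users) is never listed in memberOf, so a test account that is in no other group returns exactly the attribute set shown in the posted trace. The Cisco note says the ASA honours only one value; which one it picks is not defined by the note, so the example returns the first in server order and flags the ambiguity.

```python
import re
from collections import defaultdict

# Constructed sample input (not the thread's real trace): a trimmed copy of the
# first posted session, which returned no memberOf, plus an invented second
# session for a user with two direct group memberships. Session IDs, DNs and
# group names are illustrative.
SAMPLE_LOG = """\
[75840] supportedLDAPVersion: value = 3
[75840] Authentication successful for vpn.test to x.x.40.198
[75840] Retrieved User Attributes:
[75840]         objectClass: value = user
[75840]         cn: value = VPN Test
[75840]         primaryGroupID: value = 513
[75840]         sAMAccountName: value = vpn.test
[75840] Fiber exit Tx=736 bytes Rx=1790 bytes, status=1
[75840] Session End
[90001] Retrieved User Attributes:
[90001]         cn: value = Jane Doe
[90001]         memberOf: value = CN=g-web-vpn,OU=Groups,DC=example,DC=net
[90001]         memberOf: value = CN=Helpdesk,OU=Groups,DC=example,DC=net
[90001]         primaryGroupID: value = 513
[90001]         sAMAccountName: value = jdoe
[90001] Fiber exit Tx=740 bytes Rx=2100 bytes, status=1
"""

# Hypothetical attribute map, the equivalent of what 'ldap attribute-map' on
# the ASA would hold: memberOf value -> group policy. Keys are lower-cased
# because AD DNs compare case-insensitively.
ATTRIBUTE_MAP = {
    "cn=g-web-vpn,ou=groups,dc=example,dc=net": "GP-WebVPN",
    "cn=helpdesk,ou=groups,dc=example,dc=net": "GP-Helpdesk",
}

ATTR_RE = re.compile(r"^\[(?P<sid>\d+)\]\s+(?P<name>\w+): value = (?P<val>.*)$")


def parse_asa_attributes(log_text):
    """Return {session_id: {attribute: [values]}} for every 'Retrieved User
    Attributes' section in an ASA 'debug ldap 255' trace. Multi-valued
    attributes such as memberOf keep every value, in server order."""
    sessions = defaultdict(lambda: defaultdict(list))
    current = None  # session id whose attribute section we are inside
    for line in log_text.splitlines():
        if line.endswith("Retrieved User Attributes:"):
            current = line[1:line.index("]")]
            sessions[current]  # register the session even if no attributes follow
            continue
        if current is None:
            continue
        m = ATTR_RE.match(line)
        if m and m.group("sid") == current:
            sessions[current][m.group("name")].append(m.group("val").strip())
        else:
            current = None  # 'Fiber exit' / 'Session End' closes the section
    return {sid: dict(attrs) for sid, attrs in sessions.items()}


def select_group_policy(attrs, attribute_map=ATTRIBUTE_MAP, default="DfltGrpPolicy"):
    """Emulate memberOf -> Group-Policy matching. Returns (policy, reason).
    With several mapped values the ASA can only honour one; this returns the
    first in server order and says so, so the ambiguity is visible."""
    values = attrs.get("memberOf", [])
    if not values:
        return default, "no memberOf returned"
    mapped = [attribute_map[v.lower()] for v in values if v.lower() in attribute_map]
    if not mapped:
        return default, "memberOf present but no value in map"
    if len(mapped) > 1:
        return mapped[0], "multiple memberOf values mapped; match is ambiguous"
    return mapped[0], "matched"


def diagnose(attrs):
    """Explain a missing memberOf from what the trace does show."""
    notes = []
    if "memberOf" not in attrs:
        notes.append("server returned no memberOf: the user is not a direct "
                     "member of any group that the bind account can read")
        if attrs.get("primaryGroupID") == ["513"]:
            notes.append("primaryGroupID 513 is Domain Users; the primary group "
                         "is never listed in memberOf, so it cannot be matched")
    return notes


if __name__ == "__main__":
    for sid, attrs in parse_asa_attributes(SAMPLE_LOG).items():
        policy, reason = select_group_policy(attrs)
        print(f"session {sid}: {policy} ({reason})")
        for note in diagnose(attrs):
            print(f"  - {note}")
```

Run it against a saved `debug ldap 255` capture instead of `SAMPLE_LOG` to see, per session, which policy the map would select and why. On the ASA itself the same map is expressed with `ldap attribute-map <name>`, `map-name memberOf Group-Policy` (older releases used `IETF-Radius-Class`) and one `map-value memberOf "<group DN>" <policy>` per group, then attached to the AAA server with `ldap-attribute-map <name>`; a user whose trace shows no memberOf, as above, will never match any of those `map-value` lines, whatever the map contains.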