Posted June 21, 2023 (author: )

ASA 8.0: Configure LDAP Authentication for WebVPN Users

Document ID: 98625

Contents

Introduction
Prerequisites
Background Information
Configure LDAP Authentication
    ASDM
    Command Line Interface
    Perform Multi-Domain Searches (Optional)
Verify
    Test with ASDM
    Test with CLI
Troubleshoot
NetPro Discussion Forums - Featured Conversations
Related Information

Introduction

This document demonstrates how to configure the Cisco Adaptive Security Appliance (ASA) to use an LDAP server for authentication of WebVPN users. The LDAP server in this example is Microsoft Active Directory. The configuration is performed with Adaptive Security Device Manager (ASDM) 6.0(2) on an ASA that runs software version 8.0(2).

Note: In this example Lightweight Directory Access Protocol (LDAP) authentication is configured for WebVPN users, but this configuration can be used for all other types of remote access clients as well. Simply assign the AAA server group to the desired connection profile (tunnel group), as shown in this document.

Prerequisites

A basic VPN configuration is required. In this example WebVPN is used.

Background Information

In this example, the ASA checks with an LDAP server in order to verify the identity of the users that it authenticates. This process does not work like a traditional Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access-Control System Plus (TACACS+) exchange. These steps explain, at a high level, how the ASA uses an LDAP server in order to check user credentials.

1. The user initiates a connection to the ASA.
2. The ASA is configured to authenticate that user with the Microsoft Active Directory (AD)/LDAP server.
3. The ASA binds to the LDAP server with the credentials configured on the ASA (admin in this case), and looks up the provided username. The admin user also needs sufficient privileges to list contents within Active Directory. Refer to /?id=320528 for more information about how to grant LDAP query privileges.

   Note: The Microsoft website at /?id=320528 is managed by a third party provider.
   Cisco is not responsible for its content.

4. If the username is found, the ASA attempts to bind to the LDAP server with the credentials that the user provided at login.
5. If the second bind is successful, authentication succeeds and the ASA processes the attributes of the user.

Note: In this example the attributes are not used for anything. Refer to ASA/PIX: Mapping VPN Clients to VPN Group Policies Through LDAP Configuration Example in order to see an example of how the ASA can process LDAP attributes.

Configure LDAP Authentication

In this section, you are presented with the information to configure the ASA to use an LDAP server for the authentication of WebVPN users.

ASDM

Complete these steps in the ASDM in order to configure the ASA to communicate with the LDAP server and authenticate WebVPN clients.

1. Navigate to Configuration > Remote Access VPN > AAA Setup > AAA Server Groups.
2. Click Add next to AAA Server Groups.
3. Specify a name for the new AAA Server group, and choose LDAP as the protocol.
4. Be sure that your new group is selected in the top pane, and click Add next to the Servers in the Selected Group pane.
5. Provide the configuration information for your LDAP server. The subsequent screenshot illustrates an example configuration. This is an explanation of many of the configuration options:
   ♦ Interface Name: the interface that the ASA uses in order to reach the LDAP server
   ♦ Server Name or IP address: the address that the ASA uses in order to reach the LDAP server
   ♦ Server Type: the type of LDAP server, such as Microsoft
   ♦ Base DN: the location in the LDAP hierarchy where the server must begin to search
   ♦ Scope: the extent of the search in the LDAP hierarchy that the server must make
   ♦ Naming Attribute: the Relative Distinguished Name attribute (or attributes) that uniquely identifies an entry on the LDAP server. sAMAccountName is the default attribute in Microsoft Active Directory.
     Other commonly used attributes are CN, UID, and userPrincipalName.
   ♦ Login DN: the DN with enough privileges to be able to search, read and look up users in the LDAP server
   ♦ Login Password: the password for the DN account
   ♦ LDAP Attribute Map: an LDAP attribute map to be used with responses from this server. Refer to ASA/PIX: Mapping VPN Clients to VPN Group Policies Through LDAP Configuration Example for more information on how to configure LDAP attribute maps.
6. Once you have configured the AAA server group and added a server to it, it is necessary to configure your connection profile (tunnel group) to use the new AAA configuration. Navigate to Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles.
7. Choose the connection profile (tunnel group) for which you want to configure AAA, and click Edit.
8. Under Authentication, choose the LDAP server group that you created earlier.

Command Line Interface

Complete these steps in the command line interface (CLI) in order to configure the ASA to communicate with the LDAP server and authenticate WebVPN clients.

ciscoasa#configure terminal
!--- Configure the AAA Server group.
ciscoasa(config)#aaa-server LDAP_SRV_GRP protocol ldap
!--- Configure the AAA Server.
ciscoasa(config-aaa-server-group)#aaa-server LDAP_SRV_GRP (inside) host 192.168.1.2
ciscoasa(config-aaa-server-host)#ldap-base-dn dc=ftwsecurity, dc=cisco, dc=com
ciscoasa(config-aaa-server-host)#ldap-login-dn cn=admin, cn=users, dc=ftwsecurity, dc=cisco
ciscoasa(config-aaa-server-host)#ldap-login-password **********
ciscoasa(config-aaa-server-host)#ldap-naming-attribute sAMAccountName
ciscoasa(config-aaa-server-host)#ldap-scope subtree
ciscoasa(config-aaa-server-host)#server-type microsoft
ciscoasa(config-aaa-server-host)#exit
!--- Configure the tunnel group to use the new AAA server group.
ciscoasa(config)#tunnel-group ExampleGroup2 general-attributes
ciscoasa(config-tunnel-general)#authentication-server-group LDAP_SRV_GRP

Perform Multi-Domain Searches (Optional)

Optional. The ASA currently does not support the LDAP referral mechanism for multi-domain searches (Cisco bug ID CSCsj32153). Multi-domain searches are supported with the AD in Global Catalog Server mode. In order to perform multi-domain searches, set up the AD server for Global Catalog Server mode, usually with these key parameters for the LDAP server entry in the ASA. The key is to use an ldap-naming-attribute that is unique across the directory.

ldap-port 3268
ldap-scope subtree
ldap-naming-attribute userPrincipalName

Verify

Use this section in order to confirm that your configuration works properly.

Test with ASDM

Verify your LDAP configuration with the Test button on the AAA Server Groups configuration screen. Once you supply a username and password, this button allows you to send a test authentication request to the LDAP server.

1. Navigate to Configuration > Remote Access VPN > AAA Setup > AAA Server Groups.
2. Select your desired AAA Server group in the top pane.
3. Select the AAA server that you want to test in the lower pane.
4. Click the Test button to the right of the lower pane.
5. In the window that appears, click the Authentication radio button, and supply the credentials with which you want to test. Click OK when finished.
6.
   After the ASA contacts the LDAP server, a success or failure message appears.

Test with CLI

You can use the test command on the command line in order to test your AAA setup. A test request is sent to the AAA server, and the result appears on the command line.

ciscoasa#test aaa-server authentication LDAP_SRV_GRP host 192.168.1.2 username kate password cisco123
INFO: Attempting Authentication test to IP address <192.168.1.2> (timeout: 12 seconds)
INFO: Authentication Successful

Troubleshoot

If you are unsure of the DN string to use, you can issue the dsquery command on a Windows Active Directory server from a command prompt in order to verify the appropriate DN string of a user object.

C:\Documents and Settings\Administrator>dsquery user -samid kate
!--- Queries Active Directory for samid id "kate"
"CN=Kate Austen,CN=Users,DC=ftwsecurity,DC=cisco,DC=com"

The debug ldap 255 command can help to troubleshoot authentication problems in this scenario. This command enables LDAP debugging and allows you to watch the process that the ASA uses to connect to the LDAP server.
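The bind, search, bind sequence from the Background Information section, together with the Global Catalog point from the Multi-Domain section, as an added runnable simulation (example code written for this page, not Cisco's). FakeForest, the child domain, the passwords and the outcome labels are constructed assumptions; only the root DN, login DN and user names come from the document.

```python
# Added example, not Cisco's code: simulates the bind / search / bind sequence the ASA performs
# against AD (Background Information steps 3 to 5) and why the Global Catalog search from the
# Multi-Domain section needs a forest-unique naming attribute. The forest, the passwords and the
# child domain "dc=child,..." are constructed; only the root DN and user names are the document's.


def norm_dn(dn):
    """Canonicalise a DN so 'dc=ftwsecurity, dc=cisco, dc=com' equals 'DC=ftwsecurity,DC=cisco,DC=com'."""
    return ",".join(part.strip().lower() for part in dn.split(","))


class FakeForest:
    """In-memory AD forest: {naming_context: {normalised_dn: (original_dn, password, attributes)}}."""

    def __init__(self, contexts):
        self.contexts = {norm_dn(ctx): {norm_dn(dn): (dn, pw, attrs) for dn, pw, attrs in entries}
                         for ctx, entries in contexts.items()}

    def _context_of(self, dn):
        """Domain naming context that holds a DN: the longest context that is a suffix of it."""
        dn = norm_dn(dn)
        found = [c for c in self.contexts if dn == c or dn.endswith("," + c)]
        return max(found, key=len) if found else None

    def bind(self, dn, password):
        """Simple bind. An empty password is an unauthenticated bind in LDAP, so it never succeeds here."""
        ctx = self._context_of(dn)
        rec = self.contexts[ctx].get(norm_dn(dn)) if ctx else None
        return bool(password) and rec is not None and rec[1] == password

    def search(self, base_dn, attr, value, global_catalog=False):
        """Subtree search (ldap-scope subtree, as in the document). Port 389: only the domain that owns
        base_dn is searched; other domains would be referrals, which the ASA does not follow.
        Port 3268 (Global Catalog): every domain in the forest is searched."""
        base = norm_dn(base_dn)
        ctxs = list(self.contexts) if global_catalog else [self._context_of(base)]
        return [orig_dn
                for ctx in ctxs
                for dn, (orig_dn, _, attrs) in self.contexts.get(ctx, {}).items()
                if (dn == base or dn.endswith("," + base))
                and str(attrs.get(attr, "")).lower() == value.lower()]


def asa_authenticate(forest, cfg, username, password):
    """Mimic the ASA: bind as ldap-login-dn, search ldap-naming-attribute=username under ldap-base-dn,
    then bind as the DN that was found. Returns (outcome, user_dn)."""
    if not forest.bind(cfg["ldap-login-dn"], cfg["ldap-login-password"]):
        return "ERR_ADMIN_BIND", None             # the ASA's own credentials are wrong
    hits = forest.search(cfg["ldap-base-dn"], cfg["ldap-naming-attribute"], username,
                         global_catalog=(cfg["ldap-port"] == 3268))
    if not hits:                                  # debug: "Requested attributes not found"
        return "ERR_USER_NOT_FOUND", None
    if len(hits) > 1:                             # naming attribute is not unique across the forest
        return "ERR_AMBIGUOUS", None
    user_dn = hits[0]                             # debug: "User DN = [...]" then "Binding as user"
    if not forest.bind(user_dn, password):        # debug: "returned code (49) Invalid credentials"
        return "ERR_INVALID_CREDENTIALS", user_dn
    return "OK", user_dn                          # debug: "Authentication successful for kate"


# Constructed sample forest: the document's root domain plus a child domain that also has a "kate".
FOREST = FakeForest({
    "dc=ftwsecurity,dc=cisco,dc=com": [
        ("cn=admin,cn=users,dc=ftwsecurity,dc=cisco,dc=com", "admin-pw", {"sAMAccountName": "admin"}),
        ("CN=Kate Austen,CN=Users,DC=ftwsecurity,DC=cisco,DC=com", "cisco123",
         {"sAMAccountName": "kate", "userPrincipalName": "kate@ftwsecurity.cisco.com"}),
    ],
    "dc=child,dc=ftwsecurity,dc=cisco,dc=com": [
        ("CN=Kate Smith,CN=Users,DC=child,DC=ftwsecurity,DC=cisco,DC=com", "other-pw",
         {"sAMAccountName": "kate", "userPrincipalName": "kate@child.ftwsecurity.cisco.com"}),
    ],
})

# Server entry as in the document's CLI section (login DN written out in full here).
SINGLE_DOMAIN_CFG = {
    "ldap-base-dn": "dc=ftwsecurity, dc=cisco, dc=com", "ldap-port": 389,
    "ldap-login-dn": "cn=admin, cn=users, dc=ftwsecurity, dc=cisco, dc=com",
    "ldap-login-password": "admin-pw", "ldap-naming-attribute": "sAMAccountName",
}
# Global Catalog variants: same naming attribute (ambiguous) vs userPrincipalName (forest-unique).
GC_SAM_CFG = {**SINGLE_DOMAIN_CFG, "ldap-port": 3268}
GC_UPN_CFG = {**SINGLE_DOMAIN_CFG, "ldap-port": 3268, "ldap-naming-attribute": "userPrincipalName"}

if __name__ == "__main__":
    for cfg, user, pw in [(SINGLE_DOMAIN_CFG, "kate", "cisco123"), (SINGLE_DOMAIN_CFG, "kate", "wrong"),
                          (SINGLE_DOMAIN_CFG, "mikhail", "x"), (GC_SAM_CFG, "kate", "cisco123"),
                          (GC_UPN_CFG, "kate@child.ftwsecurity.cisco.com", "other-pw")]:
        print(f"{user:>34} port {cfg['ldap-port']:>4} -> {asa_authenticate(FOREST, cfg, user, pw)[0]}")
```

The three outcomes for the single-domain configuration correspond to the three debugs that follow; the Global Catalog cases show why the document switches the naming attribute to userPrincipalName on port 3268.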
This output shows the ASA connecting to the LDAP server as outlined in the Background Information section of this document. This debug shows a successful authentication:

ciscoasa#debug ldap 255
[7] Session Start
[7] New request Session, context 0xd4b11730, reqType = 1
[7] Fiber started
[7] Creating LDAP context with uri=ldap://192.168.1.2:389
[7] Connect to LDAP server: ldap://192.168.1.2:389, status = Successful
[7] defaultNamingContext: value = DC=ftwsecurity,DC=cisco,DC=com
[7] supportedLDAPVersion: value = 3
[7] supportedLDAPVersion: value = 2
[7] supportedSASLMechanisms: value = GSSAPI
[7] supportedSASLMechanisms: value = GSS-SPNEGO
[7] supportedSASLMechanisms: value = EXTERNAL
[7] supportedSASLMechanisms: value = DIGEST-MD5
!--- The ASA connects to the LDAP server as admin to search for kate.
[7] Binding as administrator
[7] Performing Simple authentication for admin to 192.168.1.2
[7] LDAP Search: Base DN = [dc=ftwsecurity, dc=cisco, dc=com] Filter = [sAMAccountName=kate] Scope = [SUBTREE]
[7] User DN = [CN=Kate Austen,CN=Users,DC=ftwsecurity,DC=cisco,DC=com]
[7] Talking to Active Directory server 192.168.1.2
[7] Reading password policy for kate, dn:CN=Kate Austen,CN=Users, DC=ftwsecurity,DC=cisco,DC=com
[7] Read bad password count 1
!--- The ASA binds to the LDAP server as kate to test the password.
[7] Binding as user
[7] Performing Simple authentication for kate to 192.168.1.2
[7] Checking password policy for user kate
[7] Binding as administrator
[7] Performing Simple authentication for admin to 192.168.1.2
[7] Authentication successful for kate to 192.168.1.2
[7] Retrieving user attributes from server 192.168.1.2
[7] Retrieved Attributes:
[7] objectClass: value = top
[7] objectClass: value = person
[7] objectClass: value = organizationalPerson
[7] objectClass: value = user
[7] cn: value = Kate Austen
[7] sn: value = Austen
[7] givenName: value = Kate
[7] distinguishedName: value = CN=Kate Austen,CN=Users,DC=ftwsecurity, DC=cisco,DC=com
[7] instanceType: value = 4
[7] whenCreated: value = 24.0Z
[7] whenChanged: value = 23.0Z
[7] displayName: value = Kate Austen
[7] uSNCreated: value = 16430
[7] memberOf: value = CN=Castaways,CN=Users,DC=ftwsecurity,DC=cisco,DC=com
[7] memberOf: value = CN=Employees,CN=Users,DC=ftwsecurity,DC=cisco,DC=com
[7] uSNChanged: value = 20500
[7] name: value = Kate Austen
[7] objectGUID: value = ..z...
[7] userAccountControl: value = 66048
[7] badPwdCount: value = 1
[7] codePage: value = 0
[7] countryCode: value = 0
[7] badPasswordTime: value = 0937500
[7] lastLogoff: value = 0
[7] lastLogon: value = 0468750
[7] pwdLastSet: value = 2656250
[7] primaryGroupID: value = 513
[7] objectSid: value = ............Q..p..*.p?
[7] accountExpires: value = 9223372
[7] logonCount: value = 0
[7] sAMAccountName: value = kate
[7] sAMAccountType: value = 805306368
[7] userPrincipalName: value = kate@
[7] objectCategory: value = CN=Person,CN=Schema,CN=Configuration, DC=ftwsecurity,DC=cisco,DC=com
[7] dSCorePropagationData: value = 27.0Z
[7] dSCorePropagationData: value = 27.0Z
[7] dSCorePropagationData: value = 27.0Z
[7] dSCorePropagationData: value = 16.0Z
[7] Fiber exit Tx=685 bytes Rx=2690 bytes, status=1
[7] Session End

This debug shows an authentication that fails due to an incorrect password:

ciscoasa#debug ldap 255
[8] Session Start
[8] New request Session, context 0xd4b11730, reqType = 1
[8] Fiber started
[8] Creating LDAP context with uri=ldap://192.168.1.2:389
[8] Connect to LDAP server: ldap://192.168.1.2:389, status = Successful
[8] defaultNamingContext: value = DC=ftwsecurity,DC=cisco,DC=com
[8] supportedLDAPVersion: value = 3
[8] supportedLDAPVersion: value = 2
[8] supportedSASLMechanisms: value = GSSAPI
[8] supportedSASLMechanisms: value = GSS-SPNEGO
[8] supportedSASLMechanisms: value = EXTERNAL
[8] supportedSASLMechanisms: value = DIGEST-MD5
!--- The ASA connects to the LDAP server as admin to search for kate.
[8] Binding as administrator
[8] Performing Simple authentication for admin to 192.168.1.2
[8] LDAP Search: Base DN = [dc=ftwsecurity, dc=cisco, dc=com] Filter = [sAMAccountName=kate] Scope = [SUBTREE]
[8] User DN = [CN=Kate Austen,CN=Users,DC=ftwsecurity,DC=cisco,DC=com]
[8] Talking to Active Directory server 192.168.1.2
[8] Reading password policy for kate, dn:CN=Kate Austen,CN=Users, DC=ftwsecurity,DC=cisco,DC=com
[8] Read bad password count 1
!--- The ASA attempts to bind as kate, but the password is incorrect.
[8] Binding as user
[8] Performing Simple authentication for kate to 192.168.1.2
[8] Simple authentication for kate returned code (49) Invalid credentials
[8] Binding as administrator
[8] Performing Simple authentication for admin to 192.168.1.2
[8] Reading bad password count for kate, dn: CN=Kate Austen,CN=Users, DC=ftwsecurity,DC=cisco,DC=com
[8] Received badPwdCount=1 for user kate
[8] badPwdCount=1 before, badPwdCount=1 after for kate
[8] now: Tue, 28 Aug 2007 15:33:05 GMT, lastset: Wed, 15 Aug 2007 15:52:24 GMT, delta=1122041, maxage=3710851 secs
[8] Invalid password for kate
[8] Fiber exit Tx=788 bytes Rx=2904 bytes, status=-1
[8] Session End

This debug shows an authentication that fails because the user cannot be found on the LDAP server:

ciscoasa#debug ldap 255
[9] Session Start
[9] New request Session, context 0xd4b11730, reqType = 1
[9] Fiber started
[9] Creating LDAP context with uri=ldap://192.168.1.2:389
[9] Connect to LDAP server: ldap://192.168.1.2:389, status = Successful
[9] defaultNamingContext: value = DC=ftwsecurity,DC=cisco,DC=com
[9] supportedLDAPVersion: value = 3
[9] supportedLDAPVersion: value = 2
[9] supportedSASLMechanisms: value = GSSAPI
[9] supportedSASLMechanisms: value = GSS-SPNEGO
[9] supportedSASLMechanisms: value = EXTERNAL
[9] supportedSASLMechanisms: value = DIGEST-MD5
!--- The user mikhail is not found.
[9] Binding as administrator
[9] Performing Simple authentication for admin to 192.168.1.2
[9] LDAP Search: Base DN = [dc=ftwsecurity, dc=cisco, dc=com] Filter = [sAMAccountName=mikhail] Scope = [SUBTREE]
[9] Requested attributes not found
[9] Fiber exit Tx=256 bytes Rx=607 bytes, status=-1
[9] Session End
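As an added example (not Cisco's code), this parser reads debug ldap 255 output of the form shown above, classifies each session as success, invalid credentials or user not found, and tallies failed binds per user so that password guessing against the WebVPN portal stands out. SAMPLE_DEBUG is constructed by trimming the three debugs above to the lines the parser keys on; the field names are my own.

```python
# Added example, not Cisco's code: a parser for "debug ldap 255" output like the three debugs above. It
# classifies each ASA LDAP session (success / invalid credentials / user not found) and tallies failed
# binds per user. SAMPLE_DEBUG is constructed by trimming those debugs to the lines the parser keys on.
import re

SESSION_RE = re.compile(r"^\[(\d+)\]\s*(.*)$")     # "[7] message" -> (session id, message)
URI_RE = re.compile(r"uri=(\S+)")
FILTER_RE = re.compile(r"Filter = \[([^\]]+)\]")
USER_DN_RE = re.compile(r"User DN = \[([^\]]+)\]")
CODE_RE = re.compile(r"returned code \((\d+)\)")
BADPWD_RE = re.compile(r"Received badPwdCount=(\d+)")
STATUS_RE = re.compile(r"Fiber exit .*status=(-?\d+)")


def parse_debug_ldap(text):
    """Group debug lines by session id and pull out the fields that decide each session's outcome."""
    text = text.replace("\u2212", "-")            # PDF copies often carry U+2212 instead of '-'
    sessions, order = {}, []
    for raw in text.splitlines():
        m = SESSION_RE.match(raw.strip())
        if not m:                                 # prompt lines, !--- comments, blank lines
            continue
        sid, msg = int(m.group(1)), m.group(2)
        s = sessions.get(sid)
        if s is None:
            s = sessions[sid] = {"session": sid, "uri": None, "cleartext": None, "username": None,
                                 "user_dn": None, "outcome": "unknown", "bad_pwd_count": None,
                                 "status": None}
            order.append(sid)
        if (u := URI_RE.search(msg)):
            s["uri"] = u.group(1)
            # Simple binds over plain ldap:// send the login-dn password and every user password in the clear.
            s["cleartext"] = u.group(1).startswith("ldap://")
        elif (f := FILTER_RE.search(msg)):        # "[sAMAccountName=kate]" -> "kate"
            s["username"] = f.group(1).split("=", 1)[1]
        elif (d := USER_DN_RE.search(msg)):
            s["user_dn"] = d.group(1)
        elif msg.startswith("Authentication successful"):
            s["outcome"] = "success"
        elif (c := CODE_RE.search(msg)):          # resultCode 49 = invalidCredentials (RFC 4511)
            s["outcome"] = "invalid_credentials" if c.group(1) == "49" else "bind_error_" + c.group(1)
        elif msg == "Requested attributes not found":
            s["outcome"] = "user_not_found"
        elif (b := BADPWD_RE.search(msg)):
            s["bad_pwd_count"] = int(b.group(1))
        elif (st := STATUS_RE.search(msg)):       # status=1 on success, status=-1 on failure
            s["status"] = int(st.group(1))
    return [sessions[i] for i in order]


def failed_binds_by_user(sessions):
    """Count invalid-credential sessions per username: a quick way to spot password guessing."""
    counts = {}
    for s in sessions:
        if s["outcome"] == "invalid_credentials" and s["username"]:
            counts[s["username"]] = counts.get(s["username"], 0) + 1
    return counts


# Constructed sample: sessions [7], [8] and [9] from the debugs above, trimmed to the lines that matter.
SAMPLE_DEBUG = """\
ciscoasa#debug ldap 255
[7] Creating LDAP context with uri=ldap://192.168.1.2:389
!--- The ASA connects to the LDAP server as admin to search for kate.
[7] LDAP Search: Base DN = [dc=ftwsecurity, dc=cisco, dc=com] Filter = [sAMAccountName=kate] Scope = [SUBTREE]
[7] User DN = [CN=Kate Austen,CN=Users,DC=ftwsecurity,DC=cisco,DC=com]
[7] Authentication successful for kate to 192.168.1.2
[7] Fiber exit Tx=685 bytes Rx=2690 bytes, status=1
[8] Creating LDAP context with uri=ldap://192.168.1.2:389
[8] LDAP Search: Base DN = [dc=ftwsecurity, dc=cisco, dc=com] Filter = [sAMAccountName=kate] Scope = [SUBTREE]
[8] User DN = [CN=Kate Austen,CN=Users,DC=ftwsecurity,DC=cisco,DC=com]
[8] Simple authentication for kate returned code (49) Invalid credentials
[8] Received badPwdCount=1 for user kate
[8] Fiber exit Tx=788 bytes Rx=2904 bytes, status=-1
[9] Creating LDAP context with uri=ldap://192.168.1.2:389
[9] LDAP Search: Base DN = [dc=ftwsecurity, dc=cisco, dc=com] Filter = [sAMAccountName=mikhail] Scope = [SUBTREE]
[9] Requested attributes not found
[9] Fiber exit Tx=256 bytes Rx=607 bytes, status=-1
"""

if __name__ == "__main__":
    for s in parse_debug_ldap(SAMPLE_DEBUG):
        print(f"session {s['session']}: user={s['username']} outcome={s['outcome']} status={s['status']}")
    print("failed binds:", failed_binds_by_user(parse_debug_ldap(SAMPLE_DEBUG)))
```

The cleartext flag is worth checking in real output: with uri=ldap:// the simple binds in these debugs carry both the admin and the user passwords unencrypted between the ASA and the domain controller.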
NetPro Discussion Forums - Featured Conversations

Networking Professionals Connection is a forum for networking professionals to share questions, suggestions, and information about networking solutions, products, and technologies. The featured links are some of the most recent conversations available in this technology.

Related Information

• Technical Support & Documentation - Cisco Systems

All contents are Copyright © 2006-2007 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.

Updated: Sep 24, 2007
Document ID: 98625
