SSL VPN - ASA - Active Directory LDAP
Hello
Scenario: ASA 8.0(3) running SSL VPN for remote users. LDAP also authenticates management access and connections to the ASA.
For some reason (we had a power failure, but the problem may have other causes as well), I cannot connect to the ASA, as my login ID does not work, and remote users get a connection error when trying to authenticate via the SSL VPN web GUI.
I have rebooted the ASA and AD without any change in the situation. This service worked very well before and the problem happened suddenly. No one has a record of all the changes to the configs. The customer does not have a backup configuration. Any suggestion on what would be the best next action to solve this problem? I'm not an expert on the Microsoft LDAP configuration, and if anyone knows where I can check in Microsoft Windows Server 2003 for the possible LDAP problem, that would be greatly appreciated.
Thank you
rdianat
The LDAP bind account is just a normal user account. It doesn't even need administrative permissions. If you want to use LDAP for password changes it needs password-change permissions, but otherwise it is just a normal user account; make sure it cannot be locked out in AD, that the password never expires, none of these things. You will see the name of the LDAP account in the config of the ASA:
ldap-login-password *
ldap-login-dn *
Tags: Cisco Security
Similar Questions
-
WLC 5508 Active Directory / LDAP integration to authenticate
Hello
I am doing a redundant deployment of WLC 5508 with 4 VLANs and 4 matching SSIDs; everything works fine. Now I have to do the below, so please give your valuable comments and advice.
1. I need all wireless users authenticated against the existing Active Directory/LDAP.
2. I create guest accounts in my AD and hand them to guests, so guests should only have Internet access and none of the company's resources.
3. How can I get my VoIP VLAN for wireless phones? I want only wireless phones to connect to the voice VLAN. No Internet access on the VoIP VLAN.
Regards
Dinesh
Hello
1. I need all wireless users authenticated against the existing Active Directory/LDAP.
2. I create guest accounts in my AD and hand them to guests, so guests should only have Internet access and none of the company's resources.
Ans 1 & 2 - the link below provides the example config and also explains the prerequisites in depth; please go through the link at least once...
http://www.Cisco.com/en/us/products/ps6366/products_configuration_example09186a0080a03e09.shtml
3. How can I get my VoIP VLAN for wireless phones? I want only wireless phones to connect to the voice VLAN. No Internet access on the VoIP VLAN.
Ans - you can configure the required auth for the voice WLAN and then NAT that VLAN interface so that it won't get out to the Internet!
Let me know if that answers your question and please do not forget to rate useful posts!
Regards
Surendra
-
Hello
I wonder if it is possible to have SSL VPN users sign on to Active Directory instead of the (ASA) VPN gateway.
A link, if the scenario is possible, would be appreciated.
Thank you
Mike
Yes, it is possible.
Here is the sample configuration for your reference:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008067e9ff.shtml
Hope that helps.
-
Cannot access internal network over AnyConnect SSL VPN, ASA 9.1(6)
Hello Cisco community support,
I have a lab which consists of two virtual environments connected to a 3750-G switch, which is connected to a 2901 router, which is connected to an ASA 5512-X, which is connected to my ISP gateway. I configured SSL VPN using AnyConnect and can establish a VPN to the ASA from the outside, but once connected I can't access internal network resources or the Internet. My network information and ASA configuration are listed below. Thank you for any assistance you can offer.
ISP gateway network: 10.1.10.0/24
ASA to router network: 10.1.40.0/30
VPN DHCP pool: 10.1.30.0/24
Range network: 10.1.20.0/24
Development network: 10.1.10.0/24
: Saved
:
: Serial Number: FCH18477CPT
: Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
:
ASA Version 9.1(6)
!
hostname ctcndasa01
enable password bcn1WtX5vuf3YzS3 encrypted
names
ip local pool cnd-vpn-dhcp-pool 10.1.30.1-10.1.30.200 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.40.1 255.255.255.252
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address X.X.X.237 255.255.255.248
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa916-1-smp-k8.bin
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.1.30.0_24
 subnet 10.1.30.0 255.255.255.0
object network obj_any
object network obj_10.1.40.0
 subnet 10.1.40.0 255.255.255.0
object network obj_10.1.30.0
 subnet 10.1.30.0 255.255.255.0
access-list outside_access_in extended permit ip object NETWORK_OBJ_10.1.30.0_24 any
access-list NAT-FREE extended permit ip 10.1.40.0 255.255.255.0 10.1.30.0 255.255.255.0
access-list 101 extended permit icmp any4 any4 echo-reply
access-list split standard permit 10.1.40.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-743.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static obj_10.1.40.0 obj_10.1.40.0 destination static obj_10.1.30.0 obj_10.1.30.0 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.1.30.0_24 NETWORK_OBJ_10.1.30.0_24 no-proxy-arp route-lookup
access-group outside_access_in in interface outside
!
router eigrp 1
 network 10.1.10.0 255.255.255.0
 network 10.1.20.0 255.255.255.0
 network 10.1.30.0 255.255.255.0
 network 10.1.40.0 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
http X.X.X.238 255.255.255.255 outside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=10.1.30.254,CN=ctcndasa01
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate c902a155
  308201cd 30820136 a0030201 020204c 0d06092a 864886f7 0d 010105 9 02a 15530
  0500302b 31133011 06035504 03130 has 63 61736130 31311430 12060355 74636e64
  0403130 31302e31 2e33302e 32353430 1e170d31 35303731 32303530 3133315a b
  170d 3235 30373039 30353031 33315 has 30 2 b 311330 0403130a 11060355 6374636e
  64617361 30313114 30120603 55040313 0b31302e 312e3330 2e323534 30819f30
  0d06092a 864886f7 010101 05000381 8 d 0d 003081 89028181 00a47cfc 6b5f8b9e
  9b106ad6 857ec34c 01028f71 d35fb7b5 6a61ea33 569fefca 3791657f eeee91f2
  705ab2ea 09207c4f dfbbc18a 749b19ae d3ca8aa7 3370510b a5a96fd4 f9e06332
  4355 db1a4b88 475f96a1 318f7031 40668a4d afa44384 819d fa164c05 2e586ccc
  3ea59b78 5976f685 2abbdcf6 f3b448e5 30aa96a8 1ed4e178 0001300 020301 4 d d
  06092a 86 01010505 00038181 0093656f 639e138e 90b69e66 b50190fc 4886f70d
  42d9b4a8 11828da4 e0765d9c 52d84f8b 8e70747e e760de88 c43dc5eb 1808bd0f
  fd2230c1 53f68ea1 00f3e956 97eb313e 26cc49d7 25b927b5 43d8d3fa f212fcaf
  59eb8104 98e3a1d9 e05d3bcb 428cd7c6 61b530f5 fe193d15 ef8c7f08 37ad16f5
  d8966b50 917a88bb f4f30d82 6f8b58ba 61
 quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign local reuse-delay 360
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-linux-3.1.09013-k9.pkg 4
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.09013-k9.pkg 5
 anyconnect image disk0:/anyconnect-win-3.1.09013-k9.pkg 6
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_cnd-vpn internal
group-policy GroupPolicy_cnd-vpn attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client
 default-domain none
username xxxx password GCOh1bma8K1tKZHa encrypted
tunnel-group cnd-vpn type remote-access
tunnel-group cnd-vpn general-attributes
 address-pool cnd-vpn-dhcp-pool
 default-group-policy GroupPolicy_cnd-vpn
tunnel-group cnd-vpn webvpn-attributes
 group-alias cnd-vpn enable
!
class-map icmp-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map icmp_policy
 class icmp-class
  inspect icmp
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
service-policy icmp_policy interface outside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:261228832f3b57983bcc2b4ed5a8a9d0
: end
Can you confirm that this is correct? Your diagram shows your public IP address on the ASA as a /30, while you have assigned a /29 on the 'outside' interface.
-
Hello
I want to configure SSL VPN for mobile users on an ASA 5510. I have the following requirements:
> What are the licence conditions on the ASA 5510 for VPN with AnyConnect SSL?
> VPN users have full access to the local network via the ASA
> Preferred authentication method, Local or AD (LDAP)
> Users not using laptops should be limited to the clientless SSL VPN
> How to add a URL that is visible to users on the web page
> Can someone show an example configuration for the above requirements?
TIA
Hitesh Vinzoda
> If you need both AnyConnect and WebVPN (clientless SSL VPN), you can buy the AnyConnect Premium license (and this is a user-based license). The ASA comes with 2 SSL VPN licenses by default.
> To have full access to the local network, you must use AnyConnect SSL VPN. Here is an example configuration:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808efbd2.shtml
> You can authenticate against AD or Local or RADIUS, etc. By default, this would be local authentication.
> Here's some example configuration for clientless SSL VPN:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008072462a.shtml
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00806ea271.shtml
Hope that helps.
-
Which product is right for the SSL VPN: ASA 5505 or Cisco 1841?
Hello
I want to install an outside management link so that we can SSH to our Cisco devices and Microsoft RDP to our servers. This is my configuration (based on what I know):
Internet > DSL modem > ASA 5505 > management console switch > Cisco switch or Windows Server
or
Internet > 1841 with DSL HWIC > management console switch > Cisco switch or Windows Server
My questions are:
Should I go for the ASA or the 1841 router?
Which option is better? Will the ASA do the job?
Is there any technical support prior to the purchase of products in Australia? I need technical advice on the choice of the right products, not just someone selling me products.
Hello
It is strongly suggested to go with the ASA 5505 in the first place, as it is intended for the main functionality of an SSL VPN server, compared with the 1841, which also has the feature of being a VPN server.
ASDM also gives you the freedom to configure the box on your own based on your requirements.
Regards
-
Setting up Windows Active Directory LDAP in OBI
Hello
I wonder if someone has experience of Windows Active Directory authentication in Oracle BI 11g 11.1.1... release. I have set up LDAP with Microsoft AD (2003 Server), and I can connect with the main single user (who is a member of the AD group), but I can't connect with any other user in this group.
I appreciate any advice/help in this regard.
Hello
Not this one. Please check with your LDAP team and get the proper user and group object details. If you have permission on your LDAP server you can find the user and group,
and then just right-click and select the object tab; there you can see the canonical name of the object, which is the path of the particular user's structure... also you can generate the LDIF.txt file and find your object.
Thank you
Deva
-
Installing Active Directory LDAP for Publisher
I hope this is easy.
I have BIP 10.3.4.1 and Answers/Dashboards. Answers/Dashboards currently use Active Directory for authentication. I would like to do the same thing with BIP.
How can I do that?
Since I now have two products, do I have to go to a business location?
Article links would be fine. There is nothing in the Publisher manual on LDAP or security (really). The websites I found show an XML file with a series of parameters, but they seem to refer to an earlier version of Publisher.
Should be easy points.
Did you check this: http://download.oracle.com/docs/cd/E12844_01/doc/bip.1013/e12188.pdf?
Is your version 10.1.3.4.1?
Thank you!
-
Authenticate Anyconnect VPN on Active Directory
Hello
I have a Cisco ASA 5520 that I have configured for authentication to AD using a Win2008 box running Network Policy Server.
In ASDM I can test the auth and it works.
In ASDM -> Device Management -> AAA Access for ASDM/HTTP, SSH, Telnet, I can define which auth group I use for user authentication to enable. When I updated SSH auth to use the auth group I created, it works very well... so I know that the authentication works.
The problem is, it doesn't seem to work for a user with AnyConnect VPN authentication. I can't seem to figure out how to tell the ASA to use my AD auth group and not the LOCAL auth group to authenticate VPN users.
Any help is greatly appreciated.
Thanks
M
Try this:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808c3c45.shtml
But you are probably landing on the DefaultWEBVPNGroup; change its authentication to your AAA server group, be it LDAP/NTLM, and see if the behavior changes.
By default, the SSL connection uses the DefaultWEBVPNGroup tunnel-group/connection profile. If you do not want to use this profile/tunnel-group, you must use a group-URL or alias so that the user can land on another one:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808bd83d.shtml
-Jason
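The two checks that the threads above boil down to, as an added example that is not from the original posts or from Cisco: the bind account has to be a normal, unlocked account whose password does not expire (the answer in the first thread), and the tunnel-group the user lands on has to point at the AAA server group rather than LOCAL (Jason's DefaultWEBVPNGroup point). The script below parses an ASA running-config excerpt and reports tunnel-groups still authenticating against LOCAL and LDAP server groups without a bind DN or without ldap-over-ssl, and decodes the bind account's userAccountControl flags. The config excerpt, the server-group name AD-LDAP, the host 192.0.2.10 and the svc-asa-ldap account are constructed for the example.

```python
import re

# Constructed ASA running-config excerpt (hypothetical names and addresses).
SAMPLE_CONFIG = """\
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=local
 server-type microsoft
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy DfltGrpPolicy
tunnel-group remote-users type remote-access
tunnel-group remote-users general-attributes
 authentication-server-group AD-LDAP
 address-pool vpn-pool
tunnel-group remote-users webvpn-attributes
 group-alias remote-users enable
"""

# userAccountControl bits relevant to a service account used for LDAP binds.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}


def parse_blocks(config):
    """Split ASA config text into (header, [sub-commands]) blocks.
    A line with no leading whitespace starts a block; indented lines belong to it."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def ldap_servers(blocks):
    """Collect bind DN and ldap-over-ssl state per aaa-server group from its host blocks."""
    servers = {}
    for header, subs in blocks:
        m = re.match(r"aaa-server (\S+) \(\S+\) host (\S+)", header)
        if not m:
            continue
        name, host = m.groups()
        entry = servers.setdefault(name, {"hosts": [], "login_dn": None, "over_ssl": False})
        entry["hosts"].append(host)
        for s in subs:
            if s.startswith("ldap-login-dn "):
                entry["login_dn"] = s.split(" ", 1)[1]
            elif s == "ldap-over-ssl enable":
                entry["over_ssl"] = True
    return servers


def tunnel_group_auth(blocks):
    """Map each tunnel-group to its authentication-server-group; absent means LOCAL."""
    auth = {}
    for header, subs in blocks:
        m = re.match(r"tunnel-group (\S+) general-attributes", header)
        if not m:
            continue
        group = "LOCAL"
        for s in subs:
            if s.startswith("authentication-server-group "):
                # tokens after the keyword: optional "(interface)", the group, optional LOCAL fallback
                tokens = [t for t in s.split()[1:] if not t.startswith("(")]
                group = tokens[0]
        auth[m.group(1)] = group
    return auth


def audit_config(config):
    """Return human-readable findings for the two failure modes discussed in the threads."""
    blocks = parse_blocks(config)
    findings = []
    for name, info in ldap_servers(blocks).items():
        if info["login_dn"] is None:
            findings.append(f"aaa-server {name}: no ldap-login-dn, the ASA would bind anonymously")
        if not info["over_ssl"]:
            findings.append(f"aaa-server {name}: ldap-over-ssl not enabled, bind credentials cross the wire in clear")
    for tg, group in tunnel_group_auth(blocks).items():
        if group == "LOCAL":
            findings.append(f"tunnel-group {tg}: authenticates against LOCAL, not an AAA server group")
    return findings


def bind_account_findings(user_account_control, lockout_time=0):
    """Check the bind account's AD attributes against the advice in the first thread.
    AD does not maintain the LOCKOUT bit in userAccountControl; lockout state lives in lockoutTime."""
    flags = {name for bit, name in UAC_FLAGS.items() if user_account_control & bit}
    findings = []
    if "ACCOUNTDISABLE" in flags:
        findings.append("bind account is disabled")
    if "DONT_EXPIRE_PASSWORD" not in flags:
        findings.append("bind account password is subject to expiry")
    if lockout_time:
        findings.append("bind account has lockoutTime set (locked or recently locked)")
    return findings


if __name__ == "__main__":
    for line in audit_config(SAMPLE_CONFIG):
        print(line)
    # Constructed attribute values: a normal account with a non-expiring password is clean.
    print(bind_account_findings(0x10200))
```

The config audit is run against `show running-config` output saved to a file; the userAccountControl value and lockoutTime come from the bind account's AD object (ADSI Edit or an LDAP browser on the domain controller). The DefaultWEBVPNGroup finding is the one Jason describes: with no alias or group-URL the client lands there, and that group still uses LOCAL in the sample.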
-
Active Directory (LDAP) access with PL/SQL
I'm trying to do this using the DBMS_LDAP PL/SQL package.
http://download.Oracle.com/docs/CD/B10501_01/network.920/a96577/dbmsldap.htm#1003287
The simple_bind_s function requires a user name and password.
I don't know what to pass.
I get 0 as output if I use my Windows login.
SET SERVEROUTPUT ON
DECLARE
  ldap_host    VARCHAR2(256);
  ldap_port    VARCHAR2(256);
  ldap_user    VARCHAR2(256);
  ldap_passwd  VARCHAR2(256);
  ldap_base    VARCHAR2(256);
  my_message   DBMS_LDAP.message;
  my_attrs     DBMS_LDAP.string_collection;
  my_session   DBMS_LDAP.session;
  retval       PLS_INTEGER;
BEGIN
  ldap_host := 'abc.com';
  ldap_port := '389';
  ldap_base := 'dc=abc,dc=com';
  -- open the session (ldap_user and ldap_passwd are left unassigned in this post)
  my_session := DBMS_LDAP.init(ldap_host, ldap_port);
  DBMS_OUTPUT.PUT_LINE(RPAD('Ldap session', 25, ' ') || ': ' ||
                       RAWTOHEX(SUBSTR(my_session, 1, 8)) ||
                       ' (returned from init)');
  -- bind to the directory
  retval := DBMS_LDAP.simple_bind_s(my_session, ldap_user, ldap_passwd);
  DBMS_OUTPUT.PUT_LINE(RPAD('simple_bind_s Returns', 25, ' ') || ': ' ||
                       TO_CHAR(retval));
  -- issue search
END;
/
I don't see where you set the variables ldap_user or ldap_passwd at all. I'm assuming that you just didn't post your credentials, even if we are all friends here ;-) If you were not setting them, the bind will fail unless your LDAP allows anonymous binds.
You must set ldap_user and ldap_passwd to the values that you use to connect to the LDAP server. I don't know AD, but for OID the ldap_user would be a full LDAP name, for example "cn=orcladmin", not just "orcladmin".
Good luck, Andy
-
Can OBIEE on a UNIX OS use LDAP with Microsoft Active Directory?
We are looking at options to run OBIEE 11g on a UNIX server.
Can we use Microsoft Active Directory LDAP for OBIEE authentication?
Short answer: Yes.
Longer answer: Yes you can. The operating system has no influence on that. All you need is the ability to connect to LDAP, and that's pure networking.
-
Dell C2665dnf downloading addresses from Active Directory
Does anyone have this or a similar printer downloading its address book of email addresses from a Microsoft Active Directory LDAP?
The manual is light on example data and I have been unable to get past a connection error.
As seems to be the case with this web config for printers, there are probably settings on other screens outside LDAP that I did not set up correctly. Maybe:
- the port settings
- authentication system
- Kerberos,
- SSL/TLS,
or something that I completely forgot... I'm not a complete novice with Dell printers or LDAP integration. I have validated my settings with the help of third-party LDAP and AD Explorer apps and everything should work... but of course it doesn't :-)
I tried both SSL/TLS and all the usual ports, Kerberos and LDAP authentication, etc., and all combinations of these options, but no progress beyond the error message from the printer in the user interface.
Screenshots or a listing of working configuration settings would be greatly appreciated.
Neil.
Thanks to ThunderGod2 for confirming that this function really works; unfortunately the recommended change did not work for me... BUT... knowing it was possible... I continued to try different options, and this is the configuration that finally worked for me.
The setup I have is a domain controller on 192.168.1.3 running Active Directory and Windows 2008 R2 (there are other domain controllers in the network, but this is the one I usually authenticate printers and web sites against).
Go to the web interface of the printer and configure as follows...
1. Menu: Print Server Settings > Print Server Settings > Port Settings
Set the "Address Book Update" checkbox to on and apply.
2. Menu: Print Server Settings > Security > Authentication System
Set 'Authentication System Settings' to LDAP and apply.
3. Menu: Print Server Settings > Security > SSL/TLS
Clear the "LDAP - SSL/TLS Communication" checkbox and apply.
4. Menu: Print Server Settings > Security > LDAP Server
Set "IP Address / Host Name and Port" to the IP address of your DC/AD server (in my case 192.168.1.3)
Set the port number to 389
Set the "Search Directory Root" to the location where your users are. In my setup, the path was something like this: OU=users,OU=FOO,DC=FOO,DC=local
It is a FOO.local domain that has an organizational unit FOO with a sub-OU called "Desktop users"
You can get the path in your own AD using a free tool called ADExplorer from SysInternals (Microsoft)... Link: https://technet.microsoft.com/en-us/library/bb963907.aspx In the ADExplorer app you can navigate through the Active Directory in an LDAP-style layout, and once you have located the correct OU just right-click on it and select "Copy object name".
Set "Login credentials to access LDAP server" to System
Set "Login Name" to a valid user for authentication; you may need to add the domain as a suffix, for instance [email protected] for the user joe in my example
Set "Password" and "Re-enter Password" to the password of the user used for authentication.
Set "Address Book Server" to on... then apply and restart the printer.
Leave all other LDAP or LDAP mapping settings at the defaults and you should be good to go. My setup allows me to use the non-SSL/TLS connection on port 389; this can be checked with ADExplorer or other free LDAP explorer tools on the web.
-
Integration of EBS 11i with Microsoft Active Directory
Hi all
Please suggest how I can integrate EBS 11i with Microsoft Active Directory (LDAP), since we have registered SSO.
Thank you.
Please see these documents.
Integrating Oracle E-Business Suite Release 11i with Oracle Internet Directory and Oracle Single Sign-On [ID 261914.1]
Installing Oracle Application Server 10g with Oracle E-Business Suite Release 11i [ID 233436.1]
Oracle Application Server with Oracle E-Business Suite Release 11i FAQ [ID 186981.1]
Oracle Application Server 10g with Oracle E-Business Suite Release 11i Troubleshooting [ID 295606.1]
Thank you
Hussein
-
Oracle DB on Unix and MS Active Directory
Question:
How can we configure a Microsoft Active Directory (LDAP-compatible directory
service) with an Oracle database if the database is hosted on a Unix server
without needing Oracle LDAP? Is this possible? If so, please explain.
If you do not have OID that can be synchronized with AD, but want to integrate with AD, then the way to go is OVD.
You will find lots of information in this white paper. The major scenarios are described.
http://www.Oracle.com/technology/products/OID/PDF/dirsrv_eus_integration.PDF
HTH
Chris
-
ASA 5520 active/standby and SSL VPN load balancing
I have a pair of ASA 5520s running active/standby failover. Can I use these two machines in an SSL VPN load-balancing cluster?
No. When an active/standby pair is part of a VPN cluster, the standby unit is still standby; it will not actively terminate user sessions. Only the active (and non-failover) cluster members will.