LDAP Authentication on router vty login

aliverlex
Level 1

I'm trying to deploy LDAP authentication (MS AD) for router vty login. I used a manual like this - http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ldap/configuration/15-2mt/sec_conf_ldap.html

But my scenario was unlucky.

My config is...

_____

aaa new-model
!
!
aaa group server ldap ad1
 server test
!
aaa authentication login default group ad1 local
aaa authorization exec default if-authenticated
!
skip...
!
ldap attribute-map map1
 map type sAMAccountName username
!
ldap server test
 ipv4 172.16.107.145
 attribute map map1
 timeout retransmit 20
 bind authenticate root-dn CN=Administrator,CN=users,DC=fabrikam,dc=com password 7 02050D480809
 base-dn CN=users,DC=fabrikam,dc=com

_____

Instead of "ldap attribute-map map1" I tried to use "search-filter user-object-type name". No effect.

I used Wireshark to sniff packets from the Cisco router to AD. No packets to the AD port (389 or 3268) were captured.

I used debug ldap all.

That's the output:

*Jun  9 19:38:45.414: LDAP: LDAP: Queuing AAA request 117 for processing
*Jun  9 19:38:45.414: LDAP: Received queue event, new AAA request
*Jun  9 19:38:45.414: LDAP: LDAP authentication request
*Jun  9 19:38:45.414: LDAP: No attributes to check username sanity
*Jun  9 19:38:45.414: LDAP: Username/Password sanity check failed!!
*Jun  9 19:38:45.414: LDAP: LDAP doesn't suport interactive login

Note the last line. Does it mean that I cannot use LDAP for this purpose?

What am I doing wrong?

Thanks!


Jatin Katyal
Cisco Employee

Could you provide the output of

show ldap server all

Also, where did you take the captures?

Have you tried checking the connection with the Softerra browser?

Jatin Katyal
- Do rate helpful posts -

~Jatin

Jatin, thanks for the answer.

That's the output of

show ldap server all

Server Information for test
================================
Server name             :test
Server IP               :172.16.107.145
Server listening Port   :389
Bind Root-dn            :CN=Administrator,CN=users,DC=fabrikam,dc=com
Server mode             :Non-Secure
Cipher Suite            :0x00
Authentication Seq      :Search first. Then Bind/Compare password next
Authentication Procedure:Bind with user password
Base-Dn                 :CN=users,DC=fabrikam,dc=com
Attribute map           :map1
Request timeout         :20
---------------------------------
* LDAP STATISTICS *
Total messages  [Sent:0, Received:0]
Response delay(ms) [Average:0, Maximum:0]
Total search    [Request:0, ResultEntry:0, ResultDone:0]
Total bind      [Request:0, Response:0]
Total extended  [Request:0, Response:0]
Total compare   [Request:0, Response:0]
Search [Success:0, Failures:0]
Bind   [Success:0, Failures:0]
Missing attrs in Entry [0]
----------------------------------
No. of active connections

I did the captures on the MS AD (LDAP) server 172.16.107.145.

I haven't tried an LDAP browser, but it's the next step for troubleshooting.

As I said in my previous message, there aren't any packets from the Cisco router to the LDAP server. Why?

Are you able to ping the LDAP server? Also, could you please try the below listed command from the router:

telnet  172.16.107.145 389

We need to install ldap browser and see if that can connect.

Jatin Katyal
- Do rate helpful posts -

~Jatin

R1-nord#telnet 172.16.107.145 389
Trying 172.16.107.145, 389 ... Open
^]
[Connection to 172.16.107.145 closed by foreign host]
R1-nord#

Ping is also successful.

Why do we need an LDAP browser? I can install it and test the connection, but I think the result will be the same - OK.

So, as we can see, there isn't any problem with the network connection between the server and the router.

The problem is that the router does not send a request to the server. And it's not clear to me why.

LDAP support on IOS is limited to VPN authentication and unfortunately, cannot be used for Admin (exec) authentication.

CSCug65194    Document LDAP nonsupport for login authentication

AAA does not support using an LDAP method for interactive login authentication. Customers may configure "aaa authentication login default group ldap", but when an interactive (terminal) session tries to authenticate using LDAP, the following message is syslogged:

"LDAP: LDAP doesn't support [sic] interactive login"

This is due to the following check in ldap_authen_req() aaa/ldap/src/ldap_main.c:

            if (intf && intf->tty) {
                LDAP_EVENT("LDAP doesn't suport interactive login");
                ldap_method_failover(proto_req);

Jatin Katyal
- Do rate helpful posts -

~Jatin
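A triage script, added here and not part of the thread, that reads the two outputs posted above and decides whether the router ever tried to talk to the LDAP server. It parses the counters from "show ldap server all", looks for the failover event from "debug ldap all", and maps the combination to the verdict in the accepted answer; the sample inputs are copied from the thread, the function names are my own.

```python
import re

# Sample input copied from the thread: the "debug ldap all" lines and the
# statistics section of "show ldap server all" (constructed here for the demo).
DEBUG_OUTPUT = """\
*Jun  9 19:38:45.414: LDAP: LDAP: Queuing AAA request 117 for processing
*Jun  9 19:38:45.414: LDAP: Received queue event, new AAA request
*Jun  9 19:38:45.414: LDAP: LDAP authentication request
*Jun  9 19:38:45.414: LDAP: No attributes to check username sanity
*Jun  9 19:38:45.414: LDAP: Username/Password sanity check failed!!
*Jun  9 19:38:45.414: LDAP: LDAP doesn't suport interactive login
"""

SHOW_LDAP_STATS = """\
Total messages  [Sent:0, Received:0]
Response delay(ms) [Average:0, Maximum:0]
Total search    [Request:0, ResultEntry:0, ResultDone:0]
Total bind      [Request:0, Response:0]
"""

# IOS itself misspells the event ("suport"), so match either spelling.
INTERACTIVE_RE = re.compile(r"LDAP doesn't sup+ort interactive login")
# One counter line: "Total bind      [Request:0, Response:0]"
COUNTER_RE = re.compile(r"^(?P<name>Total \w+|Response delay\(ms\))\s*\[(?P<body>[^\]]*)\]", re.M)


def parse_ldap_stats(text):
    """Turn counter lines into {'Total messages': {'Sent': 0, 'Received': 0}, ...}."""
    stats = {}
    for m in COUNTER_RE.finditer(text):
        pairs = (kv.split(":") for kv in m.group("body").replace(" ", "").split(","))
        stats[m.group("name")] = {k: int(v) for k, v in pairs}
    return stats


def diagnose(debug_text, stats_text):
    """Return (code, detail) explaining why no LDAP traffic was seen on the wire."""
    sent = parse_ldap_stats(stats_text).get("Total messages", {}).get("Sent", 0)
    if INTERACTIVE_RE.search(debug_text):
        # The method fails over locally before any packet is built (CSCug65194).
        return ("unsupported-interactive",
                "vty/console login is refused by the IOS LDAP method; use RADIUS or TACACS+")
    if sent == 0:
        return ("no-traffic", "AAA never handed a request to the LDAP method; check the method list")
    return ("traffic-sent", "%d LDAP messages sent; inspect the capture on port 389" % sent)
```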

Jatin, thank you!

This is exactly what I was looking for.

So for exec authentication, if I want to use LDAP, should I use RADIUS?

Thanks

Hi Jatin,

Quick question: so that means "enable login using LDAP accounts" on IOS 15M&T is not possible.

The end goal is to log in using LDAP.

-Regards,

Kevin Monteiro

Jatin Katyal
Cisco Employee

You may use TACACS+ or RADIUS. With TACACS+ you would have more control over user access, as it also supports command authorization, whereas RADIUS doesn't.

Jatin Katyal
*Do rate helpful posts*

~Jatin

Let me know if you have any further questions.

Jatin Katyal
- Do rate helpful posts -

~Jatin

No, I have no questions.

We use RADIUS and it suits us.

Thanks a lot again.

Thanks for the update. I'd appreciate if you can mark this thread as resolved so that it can be used by others for the similar issue.

Jatin Katyal
- Do rate helpful posts -

~Jatin

How do I mark this thread as resolved?

I only see how to mark a reply as correct, and I did that for one of your replies.

I think you already marked it.

Jatin Katyal
- Do rate helpful posts -

~Jatin