Wireless Access



LDAP management authentication not working

  • 1.  LDAP management authentication not working

    Posted Oct 28, 2015 04:27 PM

    We are running into some weird issues trying to use LDAP authentication on our controller.  Watching the logs, it is binding successfully, but as soon as we try to do an AAA test, or try a query-user, it times out, unbinds, and never successfully rebinds.  Below is the log with the initial connection and the test.

    We are running 6.4.2.10 on our controller.

    Oct 27 17:29:54 :124004:  <DBUG> |authmgr|  group "ldap_server" instance "AD-Intra" changed ..2.........
    Oct 27 17:29:54 :109011:  <INFO> |authmgr|  LDAP Server AD-Intra: Binding Admin to server
    Oct 27 17:29:54 :109000:  <DBUG> |authmgr|  LDAP Server AD-Intra: Sent Bind request to server
    Oct 27 17:29:54 :109012:  <NOTI> |authmgr|  LDAP Server AD-Intra: Admin Bound successfully
    Oct 27 17:30:20 :124004:  <DBUG> |authmgr|  Auth server 'AD-Intra' response=2
    Oct 27 17:30:20 :124004:  <DBUG> |authmgr|  server_cbh (462)(DEC) : os_auths 0, s AD-Intra type 3  inservice 0 markedD 0 sg_name 
    Oct 27 17:30:20 :124004:  <DBUG> |authmgr|  Select server for method=, user=marshgbsd, essid=<>, server-group=, last_srv AD-Intra
    Oct 27 17:30:20 :199802:  <ERRS> |authmgr|  server_group.c, ncfg_server_getnext:382: Unknown or empty server group "" (method=, user=marshgbsd)
    Oct 27 17:30:20 :109000:  <DBUG> |authmgr|  LDAP Server AD-Intra: Server down callback.
    Oct 27 17:30:20 :109013:  <WARN> |authmgr|  LDAP Server AD-Intra: Connectivity lost to the Server, trying to re-establish
    Oct 27 17:30:20 :124004:  <DBUG> |authmgr|  LDAP: ldap_client_server_down_cb/1171 setting server AD-Intra out of service
    Oct 27 17:30:20 :109017:  <INFO> |authmgr|  LDAP Server AD-Intra: Setting Server Out of Service
    Oct 27 17:30:20 :124004:  <DBUG> |authmgr|  LDAP unbind: ldap_client_set_out_of_service
    Oct 27 17:30:20 :109018:  <INFO> |authmgr|  LDAP Server AD-Intra: Unbinding Admin Context from the server
    Oct 27 17:30:20 :109019:  <INFO> |authmgr|  LDAP Server AD-Intra: Unbinding User Context from the server
    Oct 27 17:30:20 :109015:  <INFO> |authmgr|  LDAP Server AD-Intra: Starting Timer to rebind to server in 1500 ms
    Oct 27 17:30:20 :109000:  <DBUG> |authmgr|  LDAP Server AD-Intra: Timer handler to bind to server
    Oct 27 17:30:20 :109000:  <DBUG> |authmgr|  LDAP Server AD-Intra: initializing LDAP structure for host:ldap-server-ip sslport:636
    Oct 27 17:30:20 :109000:  <DBUG> |authmgr|  LDAP Server AD-Intra: Initializing TLS Options
    Oct 27 17:30:20 :109000:  <DBUG> |authmgr|  LDAP Server AD-Intra: preferred connection type 1
    Oct 27 17:30:20 :109007:  <INFO> |authmgr|  LDAP Server AD-Intra: Admin - LDAPS connection established successfully to port 636
    Oct 27 17:30:20 :109000:  <DBUG> |authmgr|  LDAP Server AD-Intra: Setting ASYNC callback option
    Oct 27 17:30:20 :109000:  <DBUG> |authmgr|  LDAP Server AD-Intra: Setting timeout to 5 seconds 
    Oct 27 17:30:20 :109000:  <DBUG> |authmgr|  LDAP Server AD-Intra: Initialization completed succssfully
    Oct 27 17:30:20 :109000:  <DBUG> |authmgr|  LDAP Server AD-Intra: Setting server-down callback
    Oct 27 17:30:20 :109001:  <DBUG> |authmgr|  LDAP Server AD-Intra: Initialization completed successfully
    Oct 27 17:30:20 :109011:  <INFO> |authmgr|  LDAP Server AD-Intra: Binding Admin to server
    Oct 27 17:30:20 :109000:  <DBUG> |authmgr|  LDAP Server AD-Intra: Sent Bind request to server
    Oct 27 17:30:20 :109000:  <DBUG> |authmgr|  LDAP Server AD-Intra: Server down callback.
    Oct 27 17:30:20 :124004:  <DBUG> |authmgr|  LDAP: ldap_client_server_down_cb/1171 setting server AD-Intra out of service
    Oct 27 17:30:20 :109017:  <INFO> |authmgr|  LDAP Server AD-Intra: Setting Server Out of Service
    Oct 27 17:30:20 :124004:  <DBUG> |authmgr|  LDAP unbind: ldap_client_set_out_of_service
    Oct 27 17:30:20 :109018:  <INFO> |authmgr|  LDAP Server AD-Intra: Unbinding Admin Context from the server
    Oct 27 17:30:20 :109015:  <INFO> |authmgr|  LDAP Server AD-Intra: Starting Timer to rebind to server in 60000 ms

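The failure pattern in the log above, parsed with an added Python script that is not part of the original post or of ArubaOS: it reads authmgr lines (the sample is a constructed subset of the lines quoted above), tallies bind and out-of-service events per LDAP server, and reports the rebind back-off. The field layout of the lines is inferred from this thread only.

```python
import re

# Constructed sample: a subset of the authmgr lines quoted in post 1 of this thread.
SAMPLE_LOG = """\
Oct 27 17:29:54 :109011:  <INFO> |authmgr|  LDAP Server AD-Intra: Binding Admin to server
Oct 27 17:29:54 :109012:  <NOTI> |authmgr|  LDAP Server AD-Intra: Admin Bound successfully
Oct 27 17:30:20 :124004:  <DBUG> |authmgr|  Auth server 'AD-Intra' response=2
Oct 27 17:30:20 :109013:  <WARN> |authmgr|  LDAP Server AD-Intra: Connectivity lost to the Server, trying to re-establish
Oct 27 17:30:20 :109017:  <INFO> |authmgr|  LDAP Server AD-Intra: Setting Server Out of Service
Oct 27 17:30:20 :109015:  <INFO> |authmgr|  LDAP Server AD-Intra: Starting Timer to rebind to server in 1500 ms
Oct 27 17:30:20 :109011:  <INFO> |authmgr|  LDAP Server AD-Intra: Binding Admin to server
Oct 27 17:30:20 :109017:  <INFO> |authmgr|  LDAP Server AD-Intra: Setting Server Out of Service
Oct 27 17:30:20 :109015:  <INFO> |authmgr|  LDAP Server AD-Intra: Starting Timer to rebind to server in 60000 ms
"""

# Assumed layout of an authmgr line: "<Mon dd HH:MM:SS> :<msgid>:  <LEVEL> |<process>|  <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) :(?P<msgid>\d+): +<(?P<level>\w+)> "
                     r"\|(?P<proc>\w+)\| +(?P<msg>.*)$")

def parse_authmgr(text):
    """Split authmgr log text into event dicts; lines that do not match the layout are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def summarize_ldap_server(events, server):
    """Tally the bind / out-of-service / rebind history of one named LDAP server entry."""
    prefix = f"LDAP Server {server}: "
    s = {"admin_bound": 0, "out_of_service": 0, "rebind_ms": [], "responses": []}
    for ev in events:
        msg = ev["msg"]
        if msg == prefix + "Admin Bound successfully":
            s["admin_bound"] += 1
        elif msg == prefix + "Setting Server Out of Service":
            s["out_of_service"] += 1
        elif msg.startswith(prefix + "Starting Timer to rebind to server in "):
            s["rebind_ms"].append(int(msg.rsplit(" ", 2)[-2]))   # "... in 1500 ms" -> 1500
        elif msg.startswith(f"Auth server '{server}' response="):
            s["responses"].append(int(msg.rsplit("=", 1)[-1]))  # raw response code as logged
    return s

def diagnose(summary):
    """Name the pattern from this thread: admin bind fine, then marked down on the first real query."""
    if summary["admin_bound"] and summary["responses"] and summary["out_of_service"]:
        backoff = " -> ".join(f"{ms} ms" for ms in summary["rebind_ms"])
        return f"admin bind OK, server marked down after query; rebind back-off {backoff}"
    return "no bind-then-down pattern found"

if __name__ == "__main__":
    print(diagnose(summarize_ldap_server(parse_authmgr(SAMPLE_LOG), "AD-Intra")))
```

Feed it the full `show log security` output instead of the sample to see whether the out-of-service transition lines up with each test run and how far the rebind timer has backed off.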

  • 2.  RE: LDAP management authentication not working

    EMPLOYEE
    Posted Nov 04, 2015 06:25 PM

    Looks like you have LDAPS configured

    Oct 27 17:30:20 :109000:  <DBUG> |authmgr|  LDAP Server AD-Intra: initializing LDAP structure for host:ldap-server-ip sslport:636
    

    If your LDAP server is not set up for LDAPS, you should try regular LDAP and cleartext instead.



  • 3.  RE: LDAP management authentication not working

    Posted Nov 04, 2015 06:37 PM

    I have tried checking the box for "Allow Clear-Text" and changing the "Preferred Connection Type" to clear-text, and it has not made a difference.  I see the same results with the initial bind and the timeouts.



  • 4.  RE: LDAP management authentication not working

    EMPLOYEE
    Posted Nov 04, 2015 06:42 PM
    Start simple. Do not set it up for management authentication. Just set up an LDAP server and, under the diagnostic tab, do an AAA test-server using PAP. Post the logs from that exchange. Make sure you use cleartext.


  • 5.  RE: LDAP management authentication not working

    EMPLOYEE
    Posted Nov 04, 2015 06:44 PM

    Test your settings with the LDAP browser here:  http://www.ldapadministrator.com/download.htm to make sure all of your parameters are correct.  LDAP is case-sensitive.



  • 6.  RE: LDAP management authentication not working

    Posted Nov 04, 2015 07:00 PM

    I have tested the credentials and setup with LDAP Administrator, and everything appears to be working.  I was able to browse the directory with the credentials I'm using in the controller.  

     

    Here is what I see before I run an authentication test:

     

    (GBaruba7005) #show aaa authentication-server ldap AD-Intra status
    
    LDAP Server Table
    -----------------
    LDAP Server Attribute        Value
    ---------------------        -----
    Priority                     2
    Name                         AD-Intra
    Hostname                     server-ip
    AuthPort                     389
    AuthSSLPort                  636
    Retries                      3
    Timeout                      20
    AdminDN                      CN=testuser,OU=Group,DC=Our,DC=Domain,DC=Here
    AdminPasswd                  *****
    BaseDN                       DC=Our,DC=Domain,DC=Here
    KeyAttribute                 sAMAccountName
    Filter                       (objectclass=*)
    Allow Cleartext              yes
    Status                       Enabled
    InService                    Up
    InitDone                     yes
    AdminBound                   yes
    Connection Type              clear text
    Server Down                  no
    Marked For Delete            no
    In Use Callback Set          no
    Outstanding Authentications  0
    RebindTimerSet               no
    RebindCount                  0
    ReqViolationCount            0


    Here is what I see when I run the test:

    (GBaruba7005) #aaa test-server pap AD-Intra testuser password
    
    AAA server timeout

     

    And here is what I see after I run the test (for 60 seconds):

     

    (GBaruba7005) #show aaa authentication-server ldap AD-Intra status
    
    LDAP Server Table
    -----------------
    LDAP Server Attribute        Value
    ---------------------        -----
    Priority                     2
    Name                         AD-Intra
    Hostname                     server-ip
    AuthPort                     389
    AuthSSLPort                  636
    Retries                      3
    Timeout                      20
    AdminDN                      CN=testuser,OU=Group,DC=Our,DC=Domain,DC=Here
    AdminPasswd                  *****
    BaseDN                       DC=Our,DC=Domain,DC=Here
    KeyAttribute                 sAMAccountName
    Filter                       (objectclass=*)
    Allow Cleartext              yes
    Status                       Enabled
    InService                    Up
    InitDone                     no
    AdminBound                   no
    Connection Type              unknown
    Server Down                  yes
    Marked For Delete            no
    In Use Callback Set          no
    Outstanding Authentications  0
    RebindTimerSet               yes
    RebindCount                  2
    ReqViolationCount            0

     

    It looks like everything is binding properly; then I run the test, it times out, and it disconnects.

     

    Edit:  Removed domain specific information



  • 7.  RE: LDAP management authentication not working
    Best Answer

    Posted Nov 04, 2015 07:25 PM

    Got it working with some help.  Had to change the Base-DN to the distinguishedName of the user minus the CN.  It started working right away.  Still odd that it doesn't work with the base DN though...