VIP (Validation ID Protection)

  • 1.  Remote access via Cisco ASA (AD and VIP)

    Posted Feb 24, 2015 11:58 PM

    Been trying to test the integration between ASA and VIP, but it failed. (Remote users will log in via Cisco AnyConnect using their AD username, password and Symantec VIP code.)

    Already configured the following:

    Cisco ASA
    - AAA server, configured Enterprise Gateway IP address

    Enterprise Gateway
    - User Store, added AD successfully
    - Validation, configured with LDAP password and security code
    - VIP Certificates, imported the cert generated from VIP Manager

    Tested the config, but it failed, and I found the following logs on the Enterprise Manager:

    1) server.out
    Wed Feb 25 14:56:47 EST 2015 server USA process ID: 20024
    Wed Feb 25 14:57:00 EST 2015 STOPPED USA
    Wed Feb 25 15:18:52 EST 2015 USA's parent process ID: 21188
    Wed Feb 25 15:18:52 EST 2015 starting /u01/Symantec/VIP_Enterprise_Gateway/Validation/bin/VSValidationServer --config-file /u01/Symantec/VIP_Enterprise_Gateway/Validation/servers/USA/conf/radserv.conf
    ERROR: ld.so: object '/u01/Symantec/VIP_Enterprise_Gateway/server/bin/libldap50.so' from LD_PRELOAD cannot be preloaded: ignored.
    Wed Feb 25 15:18:52 EST 2015 server USA process ID: 21203
    Wed Feb 25 15:37:15 EST 2015 STOPPED USA
    Wed Feb 25 15:37:20 EST 2015 USA's parent process ID: 21626
    Wed Feb 25 15:37:20 EST 2015 starting /u01/Symantec/VIP_Enterprise_Gateway/Validation/bin/VSValidationServer --config-file /u01/Symantec/VIP_Enterprise_Gateway/Validation/servers/USA/conf/radserv.conf
    ERROR: ld.so: object '/u01/Symantec/VIP_Enterprise_Gateway/server/bin/libldap50.so' from LD_PRELOAD cannot be preloaded: ignored.
    Wed Feb 25 15:37:20 EST 2015 server USA process ID: 21655
    Wed Feb 25 15:39:04 EST 2015 STOPPED USA
    Wed Feb 25 15:39:09 EST 2015 USA's parent process ID: 21925
    Wed Feb 25 15:39:09 EST 2015 starting /u01/Symantec/VIP_Enterprise_Gateway/Validation/bin/VSValidationServer --config-file /u01/Symantec/VIP_Enterprise_Gateway/Validation/servers/USA/conf/radserv.conf
    ERROR: ld.so: object '/u01/Symantec/VIP_Enterprise_Gateway/server/bin/libldap50.so' from LD_PRELOAD cannot be preloaded: ignored.
    Wed Feb 25 15:39:09 EST 2015 server USA process ID: 21955

    2) server.log
    DEBUG    "2015-02-25 15:40:00.501 GMT+1100" 10.10.10.10 ValidationServer 0 0 "text=0, autobc=0, trigger=0, isVisited=0" Thread-3965647728 VSValidationServer.cpp
    DEBUG    "2015-02-25 15:40:00.501 GMT+1100" 0.0.0.0 ValidationServer 0 0 "text=VSValidationServer._processReceiveThread() -- Sending response" Thread-3965647728 VSValidationServer.cpp
    DEBUG    "2015-02-25 15:40:00.502 GMT+1100" 10.10.10.10 ValidationServer 0 0 "text=VSValidationServer._workerThread() -- Received request" Thread-4151301856 VSValidationServer.cpp
    DEBUG    "2015-02-25 15:40:00.502 GMT+1100" 10.10.10.10 ValidationEngine 0 0 "text=VSValidationEngineProcessRequest() -- Reading extra request attributes ('state')" Thread-3965647728 VSValidationEngine.c
    DEBUG    "2015-02-25 15:40:00.502 GMT+1100" 10.10.10.10 ValidationEngine 0 0 "text=VSValidationEngineProcessRequest() -- Executing 'authenticate' operation" Thread-3965647728 VSValidationEngine.c
    DEBUG    "2015-02-25 15:40:00.502 GMT+1100" 10.10.10.10 ValidationEngine 0 0 "text=VSValidationEngineProcessRequest() -- _valServerMode 0" Thread-3965647728 VSValidationEngine.c
    DEBUG    "2015-02-25 15:40:00.502 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPStandardControllerImpl.authenticateExt() -- Processing-2 request for error->code=0 bizContinuityOn=0" Thread-3965647728 VSAuthOTPStandardControllerImpl.cpp
    DEBUG    "2015-02-25 15:40:00.502 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPStandardControllerImpl.authenticateExt() -- Processing request for [user:testing] [idlen=4]" Thread-3965647728 VSAuthOTPStandardControllerImpl.cpp
    DEBUG    "2015-02-25 15:40:00.502 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPStandardControllerImpl.authenticateExt() -- Invoking pre-filter module" Thread-3965647728 VSAuthOTPStandardControllerImpl.cpp
    DEBUG    "2015-02-25 15:40:00.502 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPStandardControllerImpl.authenticateExt() -- Invoking 1st-factor module" Thread-3965647728 VSAuthOTPStandardControllerImpl.cpp
    DEBUG    "2015-02-25 15:40:00.502 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPStandardControllerImpl.authenticateExt() -- nUluoMode = 0" Thread-3965647728 VSAuthOTPStandardControllerImpl.cpp
    DEBUG    "2015-02-25 15:40:00.502 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPFirstFactorLDAPImpl.authenticateExt() -- Invoking self._validateLDAPPassword()" Thread-3965647728 VSAuthOTPFirstFactorImpl.c
    INFO     "2015-02-25 15:40:00.502 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=Verifying against User Store No:- 1 whose storeName is USA-AD " Thread-3965647728 tokenbinding.cpp
    INFO     "2015-02-25 15:40:00.502 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=encoding is  UTF-8 " Thread-3965647728 tokenbinding.cpp
    INFO     "2015-02-25 15:40:00.519 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=encoding is  UTF-8 " Thread-3965647728 tokenbinding.cpp
    DEBUG    "2015-02-25 15:40:00.558 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPFirstFactorLDAPImpl.authenticateExt() -- Returning opResult [code:3 message:reason=3]" Thread-3965647728 VSAuthOTPFirstFactorImpl.c
    DEBUG    "2015-02-25 15:40:00.558 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPStandardControllerImpl.authenticateExt() -- Returning opResult [code:3 message:reason=3]" Thread-3965647728 VSAuthOTPStandardControllerImpl.cpp
    DEBUG    "2015-02-25 15:40:00.558 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=opResult.result = 3, opResult.message = reason=3 = opResult.message = ec5d1fd8 err->code = 49b6" Thread-3965647728 VSAuthOTPStandardControllerImpl.cpp
    DEBUG    "2015-02-25 15:40:00.558 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=err->codeAbc = 0" Thread-3965647728 VSAuthOTPStandardControllerImpl.cpp
    ERROR    "2015-02-25 15:40:00.558 GMT+1100" 10.10.10.10 ValidationEngine 0 18870 "text=Error 18870 occurred at VSAuthOTPFirstFactorImpl.c:634. Description: VSAuthOTPFirstFactorLDAPImpl._validatePassword() -- Incorrect LDAP static password. Enter the correct LDAP static password. Also, ensure that both the RADIUS server and the RADIUS client shares the same Shared Secret., user=testing, op=authenticate, bizCont=off" Thread-3965647728 VSValidationEngine.c
    DEBUG    "2015-02-25 15:40:00.559 GMT+1100" 10.10.10.10 ValidationEngine 0 0 "text=VSValidationEngineProcessRequest() -- Writing reply attributes - 0" Thread-3965647728 VSValidationEngine.c
    AUDIT    "2015-02-25 15:40:00.559 GMT+1100" 10.10.10.10 ValidationEngine 0 18870 "text=Access DENIED Error 18870 occurred at VSAuthOTPFirstFactorImpl.c:634. Description: VSAuthOTPFirstFactorLDAPImpl._validatePassword() -- Incorrect LDAP static password. Enter the correct LDAP static password. Also, ensure that both the RADIUS server and the RADIUS client shares the same Shared Secret., user=testing, op=authenticate, bizCont=off ,reason=3" Thread-3965647728 VSValidationEngine.c
    AUDIT    "2015-02-25 15:40:00.559 GMT+1100" 10.10.10.10 ValidationEngine 0 18870 "text=Access 0" Thread-3965647728 VSValidationEngine.c
    DEBUG    "2015-02-25 15:40:00.559 GMT+1100" 10.10.10.10 ValidationServer 0 0 "text=0, autobc=0, trigger=0, isVisited=0" Thread-3965647728 VSValidationServer.cpp
    DEBUG    "2015-02-25 15:40:00.559 GMT+1100" 0.0.0.0 ValidationServer 0 0 "text=VSValidationServer._processReceiveThread() -- Sending response" Thread-3965647728 VSValidationServer.cpp

    Confirmed the RADIUS secret is correct on both ends, as well as the AD password. From the above logs, I notice the ValidationEngine IP address is 0.0.0.0; not sure if it's relevant.

    I'd appreciate it if anyone can assist.

    TIA
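    As an added example (not from the post and not Symantec's code), a small Python triage script for the server.log layout shown above: it records which validation modules were invoked, which module first returned a non-zero opResult, and pulls the user, error code, reason and description out of each AUDIT "Access DENIED" line. The line layout is inferred from the sample and is an assumption; the embedded lines are the post's own, re-typed as constructed input.

```python
import re

# Layout of a VIP EG server.log line as it appears in the post (assumed, not a documented grammar):
#   LEVEL "timestamp" client-ip component seq errcode "text=..." Thread-N source-file
LINE_RE = re.compile(
    r'^(?P<level>[A-Z]+)\s+"(?P<ts>[^"]+)"\s+(?P<ip>\S+)\s+(?P<component>\S+)\s+'
    r'(?P<seq>\d+)\s+(?P<code>\d+)\s+"(?P<text>.*)"\s+(?P<thread>Thread-\d+)\s+(?P<src>\S+)$'
)
STAGE_RE = re.compile(r'Invoking (\S+) module')                      # which pipeline module ran
RESULT_RE = re.compile(r'(\w+)\.authenticateExt\(\) -- Returning opResult \[code:(\d+)')
DESC_RE = re.compile(r'Description:\s*(?P<desc>.*?)(?:, user=|$)')   # human-readable failure text

# Constructed sample: the four lines from the post that carry the decision, re-typed verbatim.
SAMPLE_LOG = [
    'DEBUG    "2015-02-25 15:40:00.502 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPStandardControllerImpl.authenticateExt() -- Invoking pre-filter module" Thread-3965647728 VSAuthOTPStandardControllerImpl.cpp',
    'DEBUG    "2015-02-25 15:40:00.502 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPStandardControllerImpl.authenticateExt() -- Invoking 1st-factor module" Thread-3965647728 VSAuthOTPStandardControllerImpl.cpp',
    'DEBUG    "2015-02-25 15:40:00.558 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPFirstFactorLDAPImpl.authenticateExt() -- Returning opResult [code:3 message:reason=3]" Thread-3965647728 VSAuthOTPFirstFactorImpl.c',
    'AUDIT    "2015-02-25 15:40:00.559 GMT+1100" 10.10.10.10 ValidationEngine 0 18870 "text=Access DENIED Error 18870 occurred at VSAuthOTPFirstFactorImpl.c:634. Description: VSAuthOTPFirstFactorLDAPImpl._validatePassword() -- Incorrect LDAP static password. Enter the correct LDAP static password. Also, ensure that both the RADIUS server and the RADIUS client shares the same Shared Secret., user=testing, op=authenticate, bizCont=off ,reason=3" Thread-3965647728 VSValidationEngine.c',
]

def parse_line(line):
    """Split one server.log line into its fields; return None for lines in another layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["seq"], rec["code"] = int(rec["seq"]), int(rec["code"])
    if rec["text"].startswith("text="):          # drop the "text=" prefix the gateway adds
        rec["text"] = rec["text"][5:]
    return rec

def triage(lines):
    """Report the modules invoked, the first module that failed, and every AUDIT denial."""
    stages, denials, first_failure = [], [], None
    for rec in filter(None, map(parse_line, lines)):
        text = rec["text"]
        if m := STAGE_RE.search(text):
            stages.append(m.group(1))
        if (m := RESULT_RE.search(text)) and first_failure is None and int(m.group(2)) != 0:
            first_failure = (m.group(1), int(m.group(2)))  # (module, opResult code)
        if rec["level"] == "AUDIT" and text.startswith("Access DENIED"):
            user = re.search(r'user=([^,\s]+)', text)
            reason = re.search(r'reason=(\d+)', text)
            desc = DESC_RE.search(text)
            denials.append({"client": rec["ip"], "code": rec["code"],
                            "user": user.group(1) if user else None,
                            "reason": int(reason.group(1)) if reason else None,
                            "description": desc.group(1) if desc else ""})
    return {"stages": stages, "first_failure": first_failure, "denials": denials}
```

    Running triage(SAMPLE_LOG) on the post's lines shows the denial came from the 1st-factor (LDAP) module, before any OTP check, which is why the RADIUS secret, the LDAP bind and the firewall path to AD are the things to verify first.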



  • 2.  RE: Remote access via Cisco ASA (AD and VIP)

    Posted Mar 17, 2015 11:25 AM

    I have the exact same issue. Logs look about the same too. Says my static LDAP password is wrong. I know it's correct.


    After I disabled the Windows Firewall on the server hosting the VIP Gateway, authentication went through just fine.



  • 3.  RE: Remote access via Cisco ASA (AD and VIP)

    Posted Apr 20, 2015 11:52 PM

    Can you capture the network traffic going to the LDAP server and make sure it's communicating?



  • 4.  RE: Remote access via Cisco ASA (AD and VIP)

    Posted May 01, 2015 10:30 AM


    Hello,

    Have you tried this?

    User ID: AD username

    Password: AD password + security code


    Example of password + security code: password671032




  • 5.  RE: Remote access via Cisco ASA (AD and VIP)

    Posted Jul 05, 2015 11:38 PM

    Did you get this working?

    It should be fairly straightforward.


    BTW, the LD_PRELOAD message is not a real error. It's just saying that this library can only be called at run time.



  • 6.  RE: Remote access via Cisco ASA (AD and VIP)

    Posted Aug 07, 2015 06:25 AM

    I'll try it, and it worked. I am working at a very big company and configuration issues are normal now. We provide some tips and dumps on Cisco.
