For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

kiml01_143042's avatar
kiml01_143042
Icon for Nimbostratus rankNimbostratus
Jun 03, 2014

Allow agent: Logon denied due to validation error, Error Code: 3003 (No Network Access resource assigned)

We have one F5 SSL VPN user who is having his second round of trouble getting logged in.   We use LDAP to query AD for group membership, and allow access based on that.   the most relevant erro...
BIG-IP Access Policy Manager (APM)
security
David_Stout's avatar
David_Stout
Icon for Nimbostratus rankNimbostratus
Jun 04, 2014

Couple of things to check along the lines of issues I've had to resolve in the past. Not sure if these are relevant but they may help get you started.

 

  1. Password didn't expire or is set to be changed on next log in.
  2. The sAMAccountName is only returning LDAP attributes for a single domain account not multiple domain accounts
  3. Nested groups are not used
  4. Testing against LDAP using the LDP tool returns the correct result from AD

You can use the inbuilt LDAPSEARCH tool as well as LDP to query AD for groupmembership. This is the syntax i use

 

ldapsearch -xLLL -H 'ldap://X.X.X.X:3268' -b "dc=XXXXXX,dc=com" -s sub -D "" -w "(sAMAccountName=xxxxxxx)"

 

Hope that helps you get to the bottom of it.