Forum Discussion

kiml01_143042
Jun 03, 2014

Allow agent: Logon denied due to validation error, Error Code: 3003 (No Network Access resource assigned)

We have one F5 SSL VPN user who is having his second round of trouble getting logged in.

We use LDAP to query AD for group membership, and allow access based on that.

The most relevant error I see in the Access Policy report is this: Allow agent: Logon denied due to validation error, Error Code: 3003 (No Network Access resource assigned)

The first time this happened to the user, we tried a number of different things. Working off a theory that the user's Active Directory account was somehow implicated, I copied his AD account and tried to log in with that. That failed, so simply copying the account didn't fix the issue. Next, I tried creating a completely new AD account with the right permissions and group memberships. When I tested that, it was able to successfully connect via the SSL VPN. The user who's having the problem tried the new account and was able to get in as well.

Now after about 4 weeks, he's reporting the same issue with the new account, and when I look, the line I pasted appears in each session report.

I've searched for info on this in askF5, but my searches aren't returning helpful hits.

I'd appreciate it if anyone who has solved similar situations can share the knowledge.

Of course, there's always the old standby, open a case with F5....

3 Replies

  • A couple of things to check, along the lines of issues I've had to resolve in the past. Not sure if these are relevant, but they may help get you started.

    1. The password hasn't expired and isn't set to be changed at next logon.
    2. The sAMAccountName search returns LDAP attributes for a single domain account, not multiple domain accounts.
    3. Nested groups are not used.
    4. Testing against LDAP using the LDP tool returns the correct result from AD.

    You can use the inbuilt LDAPSEARCH tool as well as LDP to query AD for group membership. This is the syntax I use:

    # -D/-W take the bind DN and prompt for its password; the search filter is a
    # positional argument (not the value of -w), and the trailing memberOf limits
    # the output to the group list.
    ldapsearch -xLLL -H 'ldap://X.X.X.X:3268' -b "dc=XXXXXX,dc=com" -s sub -D "cn=XXXXXX,dc=XXXXXX,dc=com" -W "(sAMAccountName=xxxxxxx)" memberOf

    Hope that helps you get to the bottom of it.
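
As an added example, not part of the original thread: the checklist in the reply above (password expired or flagged for change at next logon, exactly one account per sAMAccountName, nested groups) applied offline to LDIF in the shape that `ldapsearch -LLL` prints. The group name `CN=VPN-Users,OU=Groups,DC=example,DC=com`, the 90-day maximum password age and the LDIF entries are constructed for illustration and are not values from the thread; the last user in the sample reproduces the original poster's situation, an otherwise healthy account that is simply no longer in the group.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits (Microsoft-documented values).
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWD = 0x10000

# Assumed for this example: the group the access policy checks and the domain's max password age.
VPN_GROUP = "CN=VPN-Users,OU=Groups,DC=example,DC=com"
MAX_PWD_AGE = timedelta(days=90)
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # pwdLastSet is a FILETIME
FIXED_NOW = datetime(2014, 7, 1, tzinfo=timezone.utc)      # pinned so results are reproducible

# Constructed LDIF in the shape of `ldapsearch -LLL` output; not real directory data.
SAMPLE_LDIF = """\
dn: CN=Kim Example,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: kexample
userAccountControl: 512
pwdLastSet: 130470000000000000
memberOf: CN=Remote-Staff,OU=Groups,
 DC=example,DC=com

dn: CN=Remote-Staff,OU=Groups,DC=example,DC=com
objectClass: group
memberOf: CN=VPN-Users,OU=Groups,DC=example,DC=com

dn: CN=VPN-Users,OU=Groups,DC=example,DC=com
objectClass: group

dn: CN=Stale Account,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: stale
userAccountControl: 514
pwdLastSet: 0

dn: CN=Dropped User,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: dropped
userAccountControl: 512
pwdLastSet: 130470000000000000
"""


def _unfold(text):
    """Join LDIF continuation lines (a leading space) back onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF (plain, non-base64 values) into a list of {attribute: [values]} dicts."""
    entries, entry = [], {}
    for line in _unfold(text):
        if not line.strip():          # a blank line terminates an entry
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr, []).append(value.strip())
    if entry:
        entries.append(entry)
    return entries


def effective_groups(user, entries):
    """Transitive memberOf: walk each group's own memberOf so nested membership counts.
    Returns lower-cased DNs because DN comparison is case-insensitive."""
    by_dn = {e["dn"][0].lower(): e for e in entries if "dn" in e}
    seen, todo = set(), [g.lower() for g in user.get("memberOf", [])]
    while todo:
        dn = todo.pop()
        if dn not in seen:
            seen.add(dn)
            todo.extend(g.lower() for g in by_dn.get(dn, {}).get("memberOf", []))
    return seen


def check_account(ldif_text, sam, now=None):
    """Return the reasons a logon would be denied; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    entries = parse_ldif(ldif_text)
    users = [e for e in entries if "user" in e.get("objectClass", [])
             and sam.lower() in (v.lower() for v in e.get("sAMAccountName", []))]
    if len(users) != 1:  # a GC search spanning several domains can return more than one
        return [f"expected exactly one account for {sam}, found {len(users)}"]
    user, problems = users[0], []
    uac = int(user.get("userAccountControl", ["0"])[0])
    if uac & UAC_ACCOUNTDISABLE:
        problems.append("account is disabled")
    pwd_last_set = int(user.get("pwdLastSet", ["0"])[0])  # 0 means "must change at next logon"
    if pwd_last_set == 0:
        problems.append("user must change password at next logon")
    elif not uac & UAC_DONT_EXPIRE_PASSWD:
        set_at = WINDOWS_EPOCH + timedelta(microseconds=pwd_last_set // 10)
        if now - set_at > MAX_PWD_AGE:
            problems.append(f"password expired (last set {set_at:%Y-%m-%d})")
    if VPN_GROUP.lower() not in effective_groups(user, entries):
        problems.append(f"not a member of {VPN_GROUP} (directly or via nesting)")
    return problems
```

Against a live directory, feed `check_account` the output of the ldapsearch command above with memberOf, userAccountControl and pwdLastSet requested. Active Directory can also resolve nested membership server-side with the LDAP_MATCHING_RULE_IN_CHAIN filter, `(memberOf:1.2.840.113556.1.4.1941:=<group DN>)`, which is the form to use when the access policy's own LDAP query has to see nested groups.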
  • kunjan

    Is the AD auth failing? You can do a command-line test using adtest to verify the said account.

  • Hi, David

    I discovered that the account in question had been removed from the AD group that would allow access, which explains why the second account I had created stopped working. As soon as we found the missing group membership and added it back, the account could log in successfully.

    Thanks for the suggestions! I was running down your list when we found the issue above.

    Kim