×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

LDAP - passwords transmitted in the clear

Unanswered Question
Sep 9th, 2009
User Badges:

Morning all.


I have recently set up LDAP as my Unknown User Policy database. It works well thanks to the 4.2 Build 24 Patch 12 update (we were running no patches before). However, when I did a packet sniff, I noticed that my password was being sent in the clear. I was under the impression that with Kerberos on LDAP and the ACS policies, we would be secured, but I am guessing I missed something.


Can anyone tell me what I need to do on ACS or the LDAP server to get the passwords transmitted in a secure manner?


Thank you

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jatin Katyal Wed, 09/09/2009 - 09:00
User Badges:
  • Cisco Employee,

Hi,


Though kerberos is secure but here we can't link it with ACS because it doesn't support kerberos protocol.


LDAP communicates in plain text between the ACS server and the LDAP directory. You can configure this connection to use Secure Socket Layer (SSL) if a certificate has been obtained.


HTH


Regards,

JK

Jagdeep Gambhir Wed, 09/09/2009 - 09:49
User Badges:
  • Red, 2250 points or more

Dwane,

That is the way it is designed. Please check the LDAP RFC, here is the snip from RFC,


When used with a connection-oriented transport, this version of the protocol provides facilities for the LDAP v2 authentication mechanism, simple authentication using a cleartext password, as well as any SASL mechanism [12]. SASL allows for integrity and privacy services to be negotiated.


http://www.ietf.org/rfc/rfc2251.txt


You can use Secure LDAP incase you are looking for security.


Regards,

~JG



dpatkins Wed, 09/09/2009 - 10:27
User Badges:

So I can use a certificate or Secure LDAP? I am guessing if I use a certificate, I will need to install it on the LDAP server as well as the ACS appliance? I will read up a little more on the Secure LDAP. I hope that will be the answer.


THank you,


Dwane

Jagdeep Gambhir Wed, 09/09/2009 - 10:44
User Badges:
  • Red, 2250 points or more

Dwane,

Cert7.db needs to be created for a LDAP database using Netscape Navigator, for that you need to contact your LDAP Administrator.


Here's a documentation link, which says how to get SSL connection between ACS and LDAP, and we need to get cert7.db by installing Netscape:


http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09

186a0080092566.shtml


NOTE: Preferred way to generate cert7.db is to use Netscape browser as, it is only tested way.


Please note that the certificate DB path is required. To install a Cert7.db

file with the correct certificates the following is required.


We need to use Netscape 4.x (up to 4.8) for creating cert7.db. More recent

versions may be not compatible.


1. Setup the LDAP with a certificate.

2. Install Netscape 4.x (this creates the cert7.db file, which is just a

database of certs)

3. Browse to https://servername:Ldap-port with the Netscape browser.

4. Install the certificate selecting the option "accept this certificate

forever.

5. Copy the cert7.db file to another directory (like the ACS folder).


The default location of the cert7.db file is C:\Program

Files\Netscape\Users\default


6. Now just enter the path to the cert7.db file in the "Certificate DB Path" field in t he configuration for your LDAP DB in ACS.


TIP: cert7.db from OpenSSL etc will not work


Regards,

~JG

dpatkins Tue, 09/29/2009 - 05:22
User Badges:

Will this cert need to be loaded on both the ACS and AD servers?

Premdeep Banga Tue, 09/29/2009 - 06:55
User Badges:
  • Gold, 750 points or more

Hi.


Question: What LDAP server do we have here?


ACS only supports server-side authentication for SSL communication with LDAP server.


On ACS server you only need Root CA certificate. The CA who issued certificate to LDAP server for SSL communication. This is easy to determine, you only need to look up "Issued By" filed on the certificate.


Other then that. Password is secure between client and the ACS server (Radius/Tacacs+). With SSL between ACS and LDAP its secure at the backend too


http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp399155

"Security-ACS uses SSL to encrypt communication between ACS and the LDAP server. If you do not enable SSL, user credentials are passed to the LDAP server in clear text. If you select this option, then you must select Trusted Root CA or Certificate Database Path. ACS supports only server-side authentication for SSL communication with the LDAP server. Solution Engine only: You must be sure that the Port box contains the port number used for SSL on the LDAP server."


HTH

Prem

dpatkins Tue, 09/29/2009 - 10:31
User Badges:

Prem, JG and others,


Thank you for your inputs. Now I am confused. As I set up the cert on the ACS server, I use our root CA server. How do I tell if it is good or not? I also have configured the ACS LDAP External Database configuration to use TCP port 3269 and have checked to use the CA server. Do I need to set anything else up? I am pretty sure I do since this config does not work. However, when I set it back to not be secure and use port 3268, it works like a champ, but passwords are sent int eh clear.


Thanks


Dwane

Actions

This Discussion