Anyconnect authentication using LDAPS

Benjamin Saito
Level 1

I am trying to get a Cisco ASA 5515 set up so the customer can authenticate using their LDAP server. I have done this a few times for Windows machines, but they are using a Linux machine and they want to use LDAP with TLS instead of SSL. I think this is where I am running into the problem. When I try to connect with a username they created I am getting this error in the debug:

[16915] This LDAP server does not support V3 protocol.

I am not sure how to set this up to use TLS instead of SSL. Any help would be greatly appreciated.

Thanks!



Julio Carvajal
VIP Alumni

Hello Benjamin,

There is no such configuration; as long as you configure LDAP over port 636 you should be set.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the reply. I set it to use port 636 but it is still failing, although I am not getting this error message anymore: "This LDAP server does not support V3 protocol." Here are the errors I am getting in the debug logs:

[16953] Session Start

[16953] New request Session, context 0x00007fff322d79b8, reqType = Authentication

[16953] Fiber started

[16953] Creating LDAP context with uri=ldap://x.x.x.x:636

[16953] Connect to LDAP server: ldap://x.x.x.x:636, status = Successful

[16953] Unable to read rootDSE. Can't contact LDAP server.

[16953] Fiber exit Tx=145 bytes Rx=0 bytes, status=-2

[16953] Session End

It looks like it connects to the server successfully and then says it can't contact the server. Can someone maybe point me in the right direction on where I'm going wrong here? Not sure if these logs will give enough info.

They also want to use a SA certificate for this, where do I install the cert for this?

Thanks

Hello,

This link will help you a lot:

http://paulgporter.net/2013/01/03/cisco-asa-ldap-ssl/

It's about ASA and Open LDAP integration via SSL BUT the troubleshooting and configuration side on the ASA is the same.

Take a look at it

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
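The debug output Benjamin posted above shows the ASA building its context with `uri=ldap://x.x.x.x:636`: a cleartext `ldap://` scheme against the LDAPS port. On that port the server expects TLS from the first byte, so the TCP connect succeeds but the rootDSE read gets nothing back (`Rx=0 bytes`), which is exactly the "Connect ... Successful" followed by "Unable to read rootDSE" pattern in the thread. The script below is an added example, not code from the thread or from Cisco: it parses ASA LDAP debug lines of that shape and flags a scheme/port mismatch so the condition can be told apart from a genuine reachability problem. The sample debug text is constructed (the server address is a documentation IP, and the healthy-session sample is an assumed format rather than output from this thread).

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the debug output posted earlier in this thread;
# the server address is replaced by a documentation IP.
FAILING_DEBUG = """\
[16953] Session Start
[16953] New request Session, context 0x00007fff322d79b8, reqType = Authentication
[16953] Fiber started
[16953] Creating LDAP context with uri=ldap://192.0.2.10:636
[16953] Connect to LDAP server: ldap://192.0.2.10:636, status = Successful
[16953] Unable to read rootDSE. Can't contact LDAP server.
[16953] Fiber exit Tx=145 bytes Rx=0 bytes, status=-2
[16953] Session End
"""

# Constructed sample of what a healthy LDAPS session looks like once
# ldap-over-ssl is enabled (assumed format, not output from this thread).
HEALTHY_DEBUG = """\
[16960] Session Start
[16960] Creating LDAP context with uri=ldaps://192.0.2.10:636
[16960] Connect to LDAP server: ldaps://192.0.2.10:636, status = Successful
[16960] supportedLDAPVersion value = 3
[16960] Fiber exit Tx=812 bytes Rx=1540 bytes, status=1
[16960] Session End
"""

URI_RE = re.compile(r"uri=(?P<scheme>ldaps?)://(?P<host>[^:\s]+):(?P<port>\d+)")
FIBER_RE = re.compile(r"Tx=(?P<tx>\d+) bytes Rx=(?P<rx>\d+) bytes, status=(?P<status>-?\d+)")


@dataclass
class LdapSession:
    scheme: str = ""
    host: str = ""
    port: int = 0
    tcp_connected: bool = False
    rootdse_failed: bool = False
    rx_bytes: int = 0
    findings: list = field(default_factory=list)


def analyse_ldap_debug(debug_text: str) -> LdapSession:
    """Parse ASA LDAP debug lines and flag scheme/port mismatches."""
    s = LdapSession()
    for line in debug_text.splitlines():
        if m := URI_RE.search(line):
            s.scheme, s.host, s.port = m["scheme"], m["host"], int(m["port"])
        if "Connect to LDAP server" in line and "status = Successful" in line:
            s.tcp_connected = True
        if "Unable to read rootDSE" in line:
            s.rootdse_failed = True
        if m := FIBER_RE.search(line):
            s.rx_bytes = int(m["rx"])

    # Heuristics: LDAPS (636) is implicit TLS, plain LDAP (389) is cleartext.
    if s.scheme == "ldap" and s.port == 636:
        s.findings.append(
            "cleartext ldap:// on port 636: the LDAPS port expects TLS from the first byte; "
            "enable ldap-over-ssl on the aaa-server host so the URI becomes ldaps://")
    elif s.scheme == "ldaps" and s.port == 389:
        s.findings.append(
            "ldaps:// on port 389: TLS against the plain-LDAP port; set server-port 636")
    if s.tcp_connected and s.rootdse_failed and s.rx_bytes == 0:
        s.findings.append(
            "TCP connect succeeded but zero bytes came back before the rootDSE read failed: "
            "a protocol mismatch on an open port, not a reachability problem")
    return s


if __name__ == "__main__":
    for label, text in (("failing", FAILING_DEBUG), ("healthy", HEALTHY_DEBUG)):
        result = analyse_ldap_debug(text)
        print(f"{label}: {result.scheme}://{result.host}:{result.port}")
        for finding in result.findings or ["no issues found"]:
            print("  -", finding)
```

The `Rx=0 bytes` check is the useful discriminator: a firewall or routing problem would normally fail at the connect step, whereas a TLS/cleartext mismatch gives an open socket and then silence.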

Thanks for that document Julio, it is now working but now we have another problem. I can't access the firewall via ssh/asdm by using the LOCAL authentication anymore. The authentication works fine when going to the LDAP server, but when I try to authenticate with a user local to the firewall it fails. Here are the commands that are causing the issue:

aaa authentication enable console LDAPS-server-grp LOCAL

aaa authentication http console LDAPS-server-grp LOCAL

aaa authentication ssh console LDAPS-server-grp LOCAL

Shouldn't I be able to authenticate locally and through the LDAP server using this command? It's supposed to use LOCAL when the server group fails but it doesn't. Thanks!

Hello Benjamin,

You will be able to authenticate via the LOCAL database with that config ONLY if the Server goes down.

If the LDAP server is up and running then it will always go there.

Remember to rate all of the helpful posts

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for clearing that up for me Julio. We got it working for the ssl vpn. Now the customer wants logins for the asdm to be authenticated to their ldap server which is easy to set in the ASDM, is there a way to have it authenticate to the ldap server and locally?

aaa authentication http console LDAPS-server-grp LOCAL

So with the above-mentioned command, the users connecting to ASDM should be authenticated against the LDAP server FIRST. If it's down or not reachable, it then fails over to the LOCAL database.

The local authentication should trigger if the request is not catered for by the first authentication method.

How did you test the failover mechanism?

Do you have the username and password defined in the local database?

Can you reproduce the problem and get the following information?

debug aaa common 255

show run | in user

Let me know if you have any query/concern?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi Benjamin,

Were you able to work on your last query? Is that resolved?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi Jatin,

Sorry, I've been busy and haven't had time to look at this. I have the user created and gave it full access to ASDM/SSH and I am coming from a trusted IP. The user was working before the LDAPS server was put into place. Now with the

aaa authentication http console LDAPS-server-grp LOCAL

command in place I can only access the ASDM with the users the customer created on their LDAP server; it never tries to authenticate against the local database on the firewall. Here is the output from the debugging when I try to connect with a user that is locally created on the firewall:

Back End response:

------------------

Authentication Status: -1 (REJECT)

AAA FSM: In AAA_NextFunction

AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT

AAA_NextFunction: authen svr = LDAPS-server-grp, author svr = , user pol = , tunn pol =

AAA_NextFunction: New i_fsm_state = IFSM_DONE,

AAA FSM: In AAA_ProcessFinal

AAA FSM: In AAA_Callback

user attributes:

None

user policy attributes:

None

tunnel policy attributes:

None

Auth Status = REJECT

AAA API: In aaa_close

AAA task: aaa_process_msg(0x00007fff24306ac0) received message type 3

In aaai_close_session (1133)

I hope this helps.

Thanks!

So let me try to explain it to you again:

aaa authentication http console LDAPS-server-grp LOCAL

LDAPS-server-grp - Primary authentication method

LOCAL - Fallback method

If the primary auth method is up and running, i.e. your LDAP server, the authentication request will always hit it first and will fail if it doesn't find the user account in the database with an error "User Not Found", so you can only test the authentication against the local database when your LDAP server is down and there is no response to the user request.

If you want to test the fallback method then you need to make sure that LDAP server is DOWN / UNREACHABLE.

You can put a deny access-list for port 389 to block the communication (because it's not easy to make changes on LDAP server) and test a fallback method.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
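The point Jatin makes above, that the second method in an ASA method list is tried only when the first gives no answer and that a REJECT from LDAP ends the attempt, is easy to misread, and the debug Benjamin posted (`authen svr = LDAPS-server-grp, auth_status = REJECT`) is that first branch in action. The model below is an added example, not ASA code or anything from this thread: it reproduces the method-list walk for `aaa authentication http console LDAPS-server-grp LOCAL` with two constructed user stores, so the difference between "server reachable but rejects" and "server down, fall back to LOCAL" can be seen without touching a firewall. The group name and the usernames/passwords are constructed test data.

```python
from enum import Enum


class AuthResult(Enum):
    ACCEPT = "ACCEPT"
    REJECT = "REJECT"            # server answered: user not found / bad password
    NO_RESPONSE = "NO_RESPONSE"  # server down or unreachable: no answer at all


class LdapServerGroup:
    """Stand-in for 'aaa-server LDAPS-server-grp protocol ldap' (constructed)."""

    def __init__(self, users, reachable=True):
        self.users = users          # username -> password, constructed test data
        self.reachable = reachable

    def authenticate(self, user, password):
        if not self.reachable:
            return AuthResult.NO_RESPONSE
        if self.users.get(user) == password:
            return AuthResult.ACCEPT
        return AuthResult.REJECT    # "User Not Found" and bad password both REJECT


class LocalDatabase(LdapServerGroup):
    """The ASA's own 'username ... password ...' entries: always reachable."""

    def __init__(self, users):
        super().__init__(users, reachable=True)


def aaa_authenticate(method_list, user, password):
    """Walk the method list the way the ASA does: move to the next method only
    when the current one gives no response; an explicit REJECT ends the attempt."""
    for name, method in method_list:
        result = method.authenticate(user, password)
        if result is AuthResult.NO_RESPONSE:
            continue
        return name, result
    return None, AuthResult.NO_RESPONSE


def build_method_list(ldap_reachable):
    """'aaa authentication http console LDAPS-server-grp LOCAL' with constructed users:
    one account that exists only in LDAP, one that exists only on the firewall."""
    ldap = LdapServerGroup({"customer.user": "ldap-pass"}, reachable=ldap_reachable)
    local = LocalDatabase({"fwadmin": "local-pass"})
    return [("LDAPS-server-grp", ldap), ("LOCAL", local)]


if __name__ == "__main__":
    for reachable in (True, False):
        methods = build_method_list(reachable)
        for user, pw in (("customer.user", "ldap-pass"), ("fwadmin", "local-pass")):
            name, result = aaa_authenticate(methods, user, pw)
            print(f"LDAP reachable={reachable!s:5} {user:14} -> {name} {result.value}")
```

With the LDAP group reachable, the firewall-only account gets `LDAPS-server-grp REJECT`, which is what Benjamin's `Authentication Status: -1 (REJECT)` output shows; only when the group returns nothing does the walk reach `LOCAL`. That is why the thread's suggestion for testing the fallback is to make the server unreachable rather than to use a local username while it is up.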

**Now the customer wants logins for the asdm to be authenticated to their ldap server which is easy to set in the ASDM, is there a way to have it authenticate to the ldap server and locally?**

So it appears the answer is no. Thanks for your help!

Unfortunately, NO!

The local will only work as a back-door method in absence of LDAP.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin