09-06-2013 09:07 AM - edited 03-11-2019 07:35 PM
I am trying to get a Cisco ASA 5515 set up so the customer can authenticate using their LDAP server. I have done this a few times for Windows machines, but they are using a Linux machine and they want to use LDAP with TLS instead of SSL. I think this is where I am running into the problem. When I try to connect with a username they created I am getting this error in the debug:
[16915] This LDAP server does not support V3 protocol.
I am not sure how to set this up to use TLS instead of SSL. Any help would be greatly appreciated.
Thanks!
09-06-2013 11:52 AM
Hello Benjamin,
There is no such configuration; as long as you configure LDAP over port 636 you should be set.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
09-06-2013 11:59 AM
Thanks for the reply. I set it to use port 636 but it is still failing, although I am not getting this error message anymore:
This LDAP server does not support V3 protocol. Here are the errors I am getting in the debug logs:
[16953] Session Start
[16953] New request Session, context 0x00007fff322d79b8, reqType = Authentication
[16953] Fiber started
[16953] Creating LDAP context with uri=ldap://x.x.x.x:636
[16953] Connect to LDAP server: ldap://x.x.x.x:636, status = Successful
[16953] Unable to read rootDSE. Can't contact LDAP server.
[16953] Fiber exit Tx=145 bytes Rx=0 bytes, status=-2
[16953] Session End
It looks like it connects to the server successfully and then says it can't contact the server. Can someone maybe point me in the right direction on where I'm going wrong here? Not sure if these logs will give enough info.
They also want to use a SA certificate for this, where do I install the cert for this?
Thanks
09-06-2013 11:37 PM
Hello,
This link will help you a lot:
http://paulgporter.net/2013/01/03/cisco-asa-ldap-ssl/
It's about ASA and OpenLDAP integration via SSL, BUT the troubleshooting and configuration side on the ASA is the same.
Take a look at it.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
09-10-2013 01:46 PM
Thanks for that document Julio, it is now working, but now we have another problem. I can't access the firewall via SSH/ASDM using LOCAL authentication anymore. The authentication works fine when going to the LDAP server, but when I try to authenticate with a user local to the firewall it fails. Here are the commands that are causing the issue:
aaa authentication enable console LDAPS-server-grp LOCAL
aaa authentication http console LDAPS-server-grp LOCAL
aaa authentication ssh console LDAPS-server-grp LOCAL
Shouldn't I be able to authenticate locally and through the LDAP server using this command? It's supposed to use LOCAL when the server group fails, but it doesn't. Thanks!
09-10-2013 02:12 PM
Hello Benjamin,
You will be able to authenticate via the LOCAL database with that config ONLY if the server goes down.
If the LDAP server is up and running then it will always go there.
Remember to rate all of the helpful posts
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
09-27-2013 07:22 AM
Thanks for clearing that up for me, Julio. We got it working for the SSL VPN. Now the customer wants logins for the ASDM to be authenticated to their LDAP server, which is easy to set in the ASDM; is there a way to have it authenticate to the LDAP server and locally?
09-30-2013 02:51 AM
aaa authentication http console LDAPS-server-grp LOCAL
So with the above-mentioned command, the users connecting to ASDM should be authenticated against the LDAP server FIRST. If it's down or not reachable, it then fails over to contact the LOCAL database.
The local authentication should trigger if the request is not catered for by the first authentication method.
How did you test the failover mechanism?
Do you have the username and password defined in the local database?
Can you reproduce the problem and get the following information?
debug aaa common 255
show run | in user
Let me know if you have any query/concern.
~BR
Jatin Katyal
**Do rate helpful posts**
10-02-2013 04:33 AM
Hi Benjamin,
Were you able to work on your last query? Is that resolved?
~BR
Jatin Katyal
**Do rate helpful posts**
10-02-2013 09:36 AM
Hi Jatin,
Sorry, I've been busy and haven't had time to look at this. I have the user created and gave it full access to ASDM/SSH, and I am coming from a trusted IP. The user was working before the LDAPS server was put into place. Now with the
aaa authentication http console LDAPS-server-grp LOCAL command in place, I can only access the ASDM with the users the customer created on their LDAP server; it never tries to authenticate against the local database on the firewall. Here is the output from the debugging when I try to connect with a user that is locally created on the firewall:
Back End response:
------------------
Authentication Status: -1 (REJECT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
AAA_NextFunction: authen svr = LDAPS-server-grp, author svr =
AAA_NextFunction: New i_fsm_state = IFSM_DONE,
AAA FSM: In AAA_ProcessFinal
AAA FSM: In AAA_Callback
user attributes:
None
user policy attributes:
None
tunnel policy attributes:
None
Auth Status = REJECT
AAA API: In aaa_close
AAA task: aaa_process_msg(0x00007fff24306ac0) received message type 3
In aaai_close_session (1133)
I hope this helps.
Thanks!
10-02-2013 10:04 AM
So let me try to explain to you again:
aaa authentication http console LDAPS-server-grp LOCAL
LDAPS-server-grp - Primary authentication method
LOCAL - Fallback method
If the primary auth method is up and running, i.e. your LDAP server, the authentication request will always hit it first and will fail if it doesn't find the user account in the database, with the error "User Not Found". So you can only test the authentication against the local database when your LDAP server is down and there is no response to the user request.
If you want to test the fallback method then you need to make sure that the LDAP server is DOWN / UNREACHABLE.
You can put a deny access-list for port 389 to block the communication (because it's not easy to make changes on the LDAP server) and test the fallback method.
~BR
Jatin Katyal
**Do rate helpful posts**
10-02-2013 10:20 AM
"Now the customer wants logins for the ASDM to be authenticated to their LDAP server, which is easy to set in the ASDM; is there a way to have it authenticate to the LDAP server and locally?"
So it appears the answer is no. Thanks for your help!
10-02-2013 10:28 AM
Unfortunately, NO!
LOCAL will only work as a back-door method in the absence of LDAP.
~BR
Jatin Katyal
**Do rate helpful posts**
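As an added illustration, not code from this thread or from Cisco, the following Python models the method-list behaviour Jatin describes (LOCAL is consulted only when the LDAP group gives no answer, never on a REJECT) and triages the two kinds of debug output quoted above. The sample debug text is constructed from the lines in this thread; the ACCEPT pattern and the ldap://-on-636 hint are assumptions.

```python
import re

# Constructed sample debug output, modelled on the 'debug ldap' and
# 'debug aaa common' lines quoted earlier in this thread (not a live capture).
LDAP_UNREACHABLE_DEBUG = """\
[16953] Creating LDAP context with uri=ldap://x.x.x.x:636
[16953] Connect to LDAP server: ldap://x.x.x.x:636, status = Successful
[16953] Unable to read rootDSE. Can't contact LDAP server.
[16953] Fiber exit Tx=145 bytes Rx=0 bytes, status=-2
"""

LDAP_REJECT_DEBUG = """\
Authentication Status: -1 (REJECT)
AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
AAA_NextFunction: authen svr = LDAPS-server-grp, author svr =
Auth Status = REJECT
"""

# Method list from 'aaa authentication http console LDAPS-server-grp LOCAL'.
METHOD_ORDER = ("LDAPS-server-grp", "LOCAL")


def classify_debug(text):
    """Reduce ASA debug output to the AAA outcome: REJECT, ACCEPT or ERROR."""
    if re.search(r"auth_status = REJECT|Auth Status = REJECT", text):
        return "REJECT"   # server answered; user unknown or bad password
    if re.search(r"auth_status = ACCEPT|Auth Status = ACCEPT", text):
        return "ACCEPT"   # assumed format, mirrors the REJECT lines above
    if re.search(r"Can't contact LDAP server|Rx=0 bytes|status=-2", text):
        return "ERROR"    # no usable answer: the ASA treats the server as down
    return "UNKNOWN"


def uri_hint(text):
    """Heuristic (assumption): a plain ldap:// URI on port 636 usually means
    the aaa-server host lacks 'ldap-over-ssl enable', so the ASA sends
    cleartext to an SSL listener and never reads the rootDSE."""
    m = re.search(r"uri=(ldaps?)://[^:\s]+:(\d+)", text)
    if m and m.group(1) == "ldap" and m.group(2) == "636":
        return "ldap:// on 636: check 'ldap-over-ssl enable' on the aaa-server host"
    return None


def aaa_authenticate(results):
    """Walk the method list the way the ASA does: only ERROR (server down or
    unreachable) moves on to the next method; ACCEPT or REJECT ends the chain.
    results maps method name -> outcome; a missing method counts as ERROR."""
    for method in METHOD_ORDER:
        outcome = results.get(method, "ERROR")
        if outcome == "ERROR":
            continue
        return method, outcome
    return None, "ERROR"
```

With the LDAP group answering REJECT for a firewall-local user, the chain stops at LDAPS-server-grp and LOCAL is never tried, which is exactly the debug output Benjamin posted.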