Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Anyconnect authentication using LDAPS

I am trying to get a cisco asa 5515 set up so the customer can authenticate using their ldap server. I have done this a few times for windows machines, but they are using a linux machine and they want to use LDAP with TLS instead of SSL. I think this is where I am running into the problem, When i try to connect with a username they created I am getting this error in the debug:

[16915] This LDAP server does not support V3 protocol.

I am not sure how to set this up to use TLS instead of SSL. Any help would be greatly appreciated.

Thanks!

2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

Re: Anyconnect authentication using LDAPS

aaa authentication http console LDAPS-server-grp LOCAL

So with the above mentioned command, the users connecting to ASDM should be authenticated against LDAP server FIRST. If in case it's down or not reachable, it then failover to contact LOCAL database.

The local authentication should trigger if the request is not catered by the first authenticated method.

How did you test the failover mechanism?

Do you have the username and password defined in the local database?

Can you reproduce the problem and get the following information.

debug aaa common 255

show run | in user

Let me know if you have any query/concern?

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
Cisco Employee

Re: Anyconnect authentication using LDAPS

so let me try to explain you again:

aaa authentication http console LDAPS-server-grp LOCAL

LDAPS-server-grp - Primary authentication method

LOCAL - Fallback method

If the primary auth method will be up and running i.e your LDAP server, the authentication request will always hit it first and will fail if it doesn't find the user account in the database with an error "User Not Found" so you can only test the authentication against the local database when your LDAP server is down and there will ne no response to user request.

If you want to test the fallback method then you need to make sure that LDAP server is DOWN / UNREACHABLE.

You can put a deny access-list for port 389 to block the communication (because it's not easy to make changes on LDAP server) and test a fallback method.

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
12 REPLIES

Anyconnect authentication using LDAPS

Hello Benjamin,

There is no such a configuration as long as you configure LDAP over port 636 u should be set.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: Anyconnect authentication using LDAPS

Thanks for the reply. I set it to use port 636 but it is still failing but i am not getting this error message anymore:

This LDAP server does not support V3 protocol. Here are the errors i am getting in the debug logs:

[16953] Session Start

[16953] New request Session, context 0x00007fff322d79b8, reqType = Authentication

[16953] Fiber started

[16953] Creating LDAP context with uri=ldap://x.x.x.x:636

[16953] Connect to LDAP server: ldap://x.x.x.x:636, status = Successful

[16953] Unable to read rootDSE. Can't contact LDAP server.

[16953] Fiber exit Tx=145 bytes Rx=0 bytes, status=-2

[16953] Session End

It looks like it connects to the server successfully and then says it can't contact the server. Can someone maybe point me in the right direction on where i'm going wrong here? Not sure if these logs will give enough info.

They also want to use a SA certificate for this, where do I install the cert for this?

Thanks

Re: Anyconnect authentication using LDAPS

Hello,

This link will help you a lot:

http://paulgporter.net/2013/01/03/cisco-asa-ldap-ssl/

It's about ASA and Open LDAP integration via SSL BUT the troubleshooting and configuration side on the ASA is the same.

Take a look at it

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: Anyconnect authentication using LDAPS

Thanks for that document Julio, it is now working but now we have another problem. I can't access the firewall via ssh/asdm by using the LOCAL authentication anymore. The authentication works fine when going to the LDAP server, but when I try to authenticate with a user local to the firewall it fails. Here are the commands that are causing the issue:

aaa authentication enable console LDAPS-server-grp LOCAL

aaa authentication http console LDAPS-server-grp LOCAL

aaa authentication ssh console LDAPS-server-grp LOCAL

Shouldn't I be able to authenticate locally and through the LDAP server using this command? It's supposed to use LOCAL when the server group fails but it doesn't. Thanks!

Re: Anyconnect authentication using LDAPS

Hello Benajim,

You will be able to authenticate via the LOCAL database with that config ONLY if the Server goes down.

If the LDAP server is up and running then it will always go there,

Remember to rate all of the helpful posts

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: Anyconnect authentication using LDAPS

Thanks for clearing that up for me Julio. We got it working for the ssl vpn. Now the customer wants logins for the asdm to be authenticated to their ldap server which is easy to set in the ASDM, is there a way to have it authenticate to the ldap server and locally?

Cisco Employee

Re: Anyconnect authentication using LDAPS

aaa authentication http console LDAPS-server-grp LOCAL

So with the above mentioned command, the users connecting to ASDM should be authenticated against LDAP server FIRST. If in case it's down or not reachable, it then failover to contact LOCAL database.

The local authentication should trigger if the request is not catered by the first authenticated method.

How did you test the failover mechanism?

Do you have the username and password defined in the local database?

Can you reproduce the problem and get the following information.

debug aaa common 255

show run | in user

Let me know if you have any query/concern?

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
Cisco Employee

Re: Anyconnect authentication using LDAPS

Hi Benjamin,

Were you able to worked on your last query? Is that resolved?

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
New Member

Re: Anyconnect authentication using LDAPS

Hi Jatin,

Sorry i've been busy and haven't had time to look at this. I have the user created and gave it full access to asdm/ssh and I am coming from a trusted IP. The user was working before the LDAPS server was put into place. Now with

aaa authentication http console LDAPS-server-grp LOCAL command in place I can only access the ASDM from the customers users they created on their ldap server, it never tried to authenticate it to the local database on the firewall. Here is the output from the dubugging when i try to connect with a user that is locally created on the firewall:

Back End response:

------------------

Authentication Status: -1 (REJECT)

AAA FSM: In AAA_NextFunction

AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT

AAA_NextFunction: authen svr = LDAPS-server-grp, author svr = , user pol = , tunn pol =

AAA_NextFunction: New i_fsm_state = IFSM_DONE,

AAA FSM: In AAA_ProcessFinal

AAA FSM: In AAA_Callback

user attributes:

None

user policy attributes:

None

tunnel policy attributes:

None

Auth Status = REJECT

AAA API: In aaa_close

AAA task: aaa_process_msg(0x00007fff24306ac0) received message type 3

In aaai_close_session (1133)

I hope this helps.

Thanks!

Cisco Employee

Re: Anyconnect authentication using LDAPS

so let me try to explain you again:

aaa authentication http console LDAPS-server-grp LOCAL

LDAPS-server-grp - Primary authentication method

LOCAL - Fallback method

If the primary auth method will be up and running i.e your LDAP server, the authentication request will always hit it first and will fail if it doesn't find the user account in the database with an error "User Not Found" so you can only test the authentication against the local database when your LDAP server is down and there will ne no response to user request.

If you want to test the fallback method then you need to make sure that LDAP server is DOWN / UNREACHABLE.

You can put a deny access-list for port 389 to block the communication (because it's not easy to make changes on LDAP server) and test a fallback method.

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
New Member

Re: Anyconnect authentication using LDAPS

****Now the customer wants logins for the asdm to be authenticated to their  ldap server which is easy to set in the ASDM, is there a way to have it  authenticate to the ldap server and locally? ****

So it appears the answer is no. Thanks for  your help!

Cisco Employee

Re: Anyconnect authentication using LDAPS

Unfortunately, NO!

The local will only work as a back-door method in absence of LDAP.

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
2250
Views
5
Helpful
12
Replies
CreatePlease to create content