topic Hi in Network Access Control

asa -aaa

elite2010 — Mon, 11 Mar 2019 07:44:21 GMT

Hi,
I have an external authentication server , the configuration below

aaa-server test protocol ldap
aaa-server test (Outside) host testserver.com
timeout 60
server-port 636
ldap-base-dn dc=xxxxxxxxxxxxxxx,dc=testserver,dc=com
ldap-naming-attribute cn
ldap-login-password *****
ldap-login-dn dc=xxxxxxxxxxxxx,dc=testserver,dc=com
ldap-over-ssl enable

I have internal dns server running , for resolving dns domain-lookup enabled on Inside interface
dns domain-lookup Inside

for some reason the authentication not working ,

I have captured the traffic to the reomote ldaps sever (output sanitized )

interface GigabitEthernet0/1
nameif Outside
security-level 0
ip address 1.1.1.1 255.255.255.252

TestServer.com : 2.2.2.2
!

Thanks

It appears your pcap only got

Marvin Rhoads — Wed, 24 May 2017 10:33:00 GMT

It appears your pcap only got part of the session. From what I can see it seems that SSL is never establishing properly.

Are you sure the LDAPS server is able to accept SSL sessions from clients?

Is any other client connecting to it via LDAPS?

Perhaps you can do a capture at the server end and open up the SSL handshake details in the decode.

Hi

elite2010 — Wed, 24 May 2017 21:27:44 GMT

"From what I can see it seems that SSL is never establishing properly.".

AAA server is using entrust certificate

This might be the ROOT CA (entrust ) not installed (TrustPoint ) in ASA

Thanks

That cold very well be the

Marvin Rhoads — Thu, 25 May 2017 08:03:04 GMT

That cold very well be the case.

The detailed protocol decode of SSL handshake might show you conclusively what is happening. (or a debug on the ASA although they can be more challenging to interpret as they are so verbose and all plain text)