https://community.cisco.com/t5/network-security/fmc-external-authentication-failing/m-p/4066733#M1069212 <P>So i figured out the first issue and I'm now able to successfully test using ldap after changing the base dn to , but if i try to use ldaps it fails.&nbsp; I have the cert from the server exported as a base 64 file and when i try to browse and upload it is takes the setting but if I save it the settings save but the cert disappears when you go back in.&nbsp; Is there a requirement that I'm missing in order to get LDAPS for the external authentication?</P> Wed, 15 Apr 2020 20:39:27 GMT mumbles202 2020-04-15T20:39:27Z https://community.cisco.com/t5/network-security/fmc-external-authentication-failing/m-p/4066632#M1069211 <P>I'm trying to setup external authentication for a 6.5 FMC but running into some issues.&nbsp; Currently the FMC has LDAP authentication setup for AnyConnect connectivity, and if i try to Fetch DNs or Fetch Attrib those both return values, but when I try to test a user that I know is in the group by domain\user1 or just entering user1 it fails.&nbsp; Active Directory is 2016.&nbsp; I'm currently using the following settings:</P><P>&nbsp;</P><P>Base Dn - dc=domain,dc=local</P><P>UI Access Attribute - sAMAccountName<BR />Shell Access Attribute - sAMAccountName</P><P><BR />Administrator - CN=ftdaccess,OU=Security Groups,DC=domain,DC=local<BR />Group Member Attribute - memberOf (I also tried just member w/ the same results)<BR />Shell Access Filter - Same as Base Filter is checked</P><P>&nbsp;</P><P>When I expand the test results i do see the following:</P><P>The server query size limit was exceeded. Use the Base Filter to reduce the number of records retrieved.<BR />See Test Output for details.<BR />Error<BR />Test Failed: The search for your test user using your current parameters failed; please verify your authentication settings and test user credentials.<BR />External Authentication Object<BR />Authentication Method<BR />CAC Use for CAC authentication and authorization<BR />Name<BR />LDAP<BR />Description<BR />LDAP Authentication FMC<BR />Server Type<BR />Primary Server<BR />Host Name/IP Address<BR />172.16.20.25<BR />ex. IP or hostname<BR />Port<BR />389</P><P>&nbsp;</P><P>The test user in question is a member of 2 groups (Domain Users and&nbsp;ftdaccess).&nbsp; Should I set the base DN to a path that mirrors the OU that members of the group should be limited to?</P> Wed, 15 Apr 2020 18:12:35 GMT https://community.cisco.com/t5/network-security/fmc-external-authentication-failing/m-p/4066632#M1069211 mumbles202 2020-04-15T18:12:35Z https://community.cisco.com/t5/network-security/fmc-external-authentication-failing/m-p/4066733#M1069212 <P>So i figured out the first issue and I'm now able to successfully test using ldap after changing the base dn to , but if i try to use ldaps it fails.&nbsp; I have the cert from the server exported as a base 64 file and when i try to browse and upload it is takes the setting but if I save it the settings save but the cert disappears when you go back in.&nbsp; Is there a requirement that I'm missing in order to get LDAPS for the external authentication?</P> Wed, 15 Apr 2020 20:39:27 GMT https://community.cisco.com/t5/network-security/fmc-external-authentication-failing/m-p/4066733#M1069212 mumbles202 2020-04-15T20:39:27Z https://community.cisco.com/t5/network-security/fmc-external-authentication-failing/m-p/4904601#M1103418 <P><A href="https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215538-configure-firepower-management-center-an.pdf" target="_blank">Configure Firepower Management Center and FTD with LDAP for External Authentication (cisco.com)</A></P> Mon, 14 Aug 2023 14:14:00 GMT https://community.cisco.com/t5/network-security/fmc-external-authentication-failing/m-p/4904601#M1103418 williams_t82 2023-08-14T14:14:00Z