topic FMC External Authentication using LDAPs in Network Security

FMC External Authentication using LDAPs

mumbles202 — Thu, 16 Apr 2020 15:30:40 GMT

I've setup the FMC (6.5.0.4) to use LDAP and that is working, but when i try to get LDAPS setup for authentication to the FMC itself it fails. On the section when you choose the certificate I'm able to import the root CA, but when I go to test I get a warning that no certificate was selected. Also, I should be using the hostnames of the domain controllers if I'm doing ssl or tls correct? And will the root CA be sufficient or do I need to import a certifcate from both the primary and backup domain controllers so either can be used?

Re: FMC External Authentication using LDAPs

Rob Ingram — Thu, 16 Apr 2020 16:11:13 GMT

I am also using 6.5.0.4 and it works for me

Provide a screenshot of the error you receive.

If you are using a certificate to authenticate, the name of the server in the certificate must match the server Hostname / IP Address. For example, if you use 10.10.10.250 as the IP address but servername.domain.com in the certificate, the connection fails.

Ensure you specifiy TLS not SSL

Uploading the root certificate should be sufficient.

HTH

Re: FMC External Authentication using LDAPs

mumbles202 — Thu, 16 Apr 2020 17:10:44 GMT

Thanks. Yes, LDAP using 389 works. It's when i change it to SSL and upload the root CA it fails to save. I can try changing the hostname to the FQDN and using TLS instead. The root CA has a different name since the CA isn't on the domain controller. Would that cause any issues?

Re: FMC External Authentication using LDAPs

Rob Ingram — Thu, 16 Apr 2020 17:21:30 GMT

The hostname/FQDN you use has to match the common name as defined in the certificate that is installed on the domain controller(s).

Re: FMC External Authentication using LDAPs

mumbles202 — Thu, 16 Apr 2020 20:27:49 GMT

So TLS works w/o any issues. It's just the SSL over 636 that I can't get going.

Re: FMC External Authentication using LDAPs

Rob Ingram — Thu, 16 Apr 2020 21:48:33 GMT

Why must you use SSL and not TLS? SSL is depreciated.

When I test using SSL on port 636, I successfully connect. A packet capture confirms that the connection was actually established using TLS, even though SSL was specified.

If you use TLS on port 389 then you are using StartTLS. Run a packet capture and you will see the initial connection on LDAP, followed by a TLS handshake and subsequent data transfer is encrypted. Or you can run LDAPS on port 636, both StartTLS and LDAPS are secure and encrypt the communication.

Re: FMC External Authentication using LDAPs

mumbles202 — Thu, 16 Apr 2020 22:28:25 GMT

Thanks. I set it up using TLS and 389 and confirmed working so will leave it as is. I appreciate the assistance.

Re: FMC External Authentication using LDAPs

mumbles202 — Mon, 14 Sep 2020 21:22:51 GMT

So this was working fine but stopped working as of this morning. It was confirmed that it worked Friday but when trying to login this morning LDAP users are failing to login. No changes were made to either the DC or the FMC over the weekend.

Re: FMC External Authentication using LDAPs

chong00011 — Mon, 17 May 2021 13:16:31 GMT

I dont know if you solve this or not. but i have the same issue with external auth using LDAPS with certificate. the issue is the cert. it need to be PEM file. your server cert and sub ca or root ca. export the cert on the server as base. open them and copy the content in there to a file and save it as PEM.

Re: FMC External Authentication using LDAPs

Knassi — Tue, 13 Jun 2023 17:54:52 GMT

I wanted to follow up on this. Someone mentioned that the certificate must match the IP of name of the DC server. How does on verify that. I am having issues connecting and i think the certificate i am using is wrong. How do i verify that?

Re: FMC External Authentication using LDAPs

chong00011 — Thu, 15 Jun 2023 22:16:52 GMT

The certificate must match the FQDN of the domain controller not ip address.