topic Re: ASA integration with Active Directory using LDAPS in Network Security

ASA integration with Active Directory using LDAPS

mumbles202 — Thu, 02 May 2024 10:37:12 GMT

Setting up a new ASA running 9.18 and trying to tie it into AD. This is replacing an existing ASA that was previously connected to AD using LDAPS. On rhe new ASA I can do test authentication without any issue if I use port 389, but once I switch to 636 it fails. On the old firewalls I can do the authentication using either 389 or 636.

Not sure if I missed a step and can't seem to find documentation on using 636 anymore. I tried importing the root CA certificate ( which happens to be on a DC) but that didn't fixed it.

Any insight would be appreciated.

Re: ASA integration with Active Directory using LDAPS

balaji.bandi — Thu, 02 May 2024 10:45:53 GMT

if the configuration goodand you imported the certs also - then run the debiug

debug ldap and see what is wrong ?

as you mentioned other ASA working, what Code is that ?

check below thead also can help you :

https://community.cisco.com/t5/network-security/asa-5505-ca-certificate-for-ldaps/td-p/3376664

Re: ASA integration with Active Directory using LDAPS

mumbles202 — Thu, 02 May 2024 11:06:57 GMT

Thanks for the quick response. When I do a debug ldap 255 I get this:

ciscoasav01(config)# test aaa-server authentication LDAP host 10.100.100.$
INFO: Attempting Authentication test to IP address (10.100.100.5) (timeout: 20 seconds)

[-2147483639] Session Start
[-2147483639] New request Session, context 0x00007f07ec3991a8, reqType = Authentication
[-2147483639] Fiber started
[-2147483639] Creating LDAP context with uri=ldaps://10.100.100.5:636
[-2147483639] TLS Connection to LDAP server: ldaps://10.100.100.5:636, status = Failed
[-2147483639] Unable to read rootDSE. Can't contact LDAP server.
[-2147483639] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[-2147483639] Session End
ERROR: Authentication Server not responding: AAA Server has been removed

Re: ASA integration with Active Directory using LDAPS

balaji.bandi — Thu, 02 May 2024 11:25:53 GMT

as you mentioned other ASA working, what Code is that ?

if you do the same test and post the debug here from working one ?

[-2147483639] TLS Connection to LDAP server: ldaps://10.100.100.5:636, status = Failed

in the path do you have any other Firewall , or any Windows firewall

May be check on the Server and run some more packet catpture and see what is wrong ?

I have seen some bug, that should not effecti this verison of code running :

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus71190

Re: ASA integration with Active Directory using LDAPS

mumbles202 — Thu, 02 May 2024 14:01:43 GMT

Here's a successful authentication from the original firewall:

INFO: Attempting Authentication test to IP address (10.100.100.4) (timeout: 22 seconds) [-2147483646] Session Start [-2147483646] New request Session, context 0x00007fa56e336400, reqType = Authentication [-2147483646] Fiber started [-2147483646] Creating LDAP context with uri=ldaps://10.100.100.4:636 [-2147483646] Connect to LDAP server: ldaps://10.100.100.4:636, status = Successful [-2147483646] supportedLDAPVersion: value = 3 [-2147483646] supportedLDAPVersion: value = 2 [-2147483646] Binding as My Admin [-2147483646] Performing Simple authentication for My Admin to 10.100.100.4 [-2147483646] LDAP Search: Base DN = [dc=root, dc=mydomain, dc=org] Filter = [sAMAccountName=myadmin] Scope = [SUBTREE] [-2147483646] User DN = [CN=My Admin,CN=Users,DC=root,DC=mydomain,DC=org] [-2147483646] Talking to Active Directory server 10.100.100.4 [-2147483646] Reading password policy for myadmin, dn:CN=My Admin,CN=Users,DC=root,DC=mydomain,DC=org [-2147483646] Read bad password count 0 [-2147483646] Binding as myadmin [-2147483646] Performing Simple authentication for myadmin to 10.100.100.4 [-2147483646] Processing LDAP response for user myadmin [-2147483646] Message (myadmin): [-2147483646] Authentication successful for myadmin to 10.100.100.4 [-2147483646] Retrieved User Attributes: [-2147483646] objectClass: value = top [-2147483646] objectClass: value = person [-2147483646] objectClass: value = organizationalPerson [-2147483646] objectClass: value = user [-2147483646] cn: value = My Admin [-2147483646] sn: value = Auth [-2147483646] description: value = Used for ASA VPN and Wireless Authentication - DO NOT DELETE [-2147483646] givenName: value = Cisco [-2147483646] distinguishedName: value = CN=My Admin,CN=Users,DC=root,DC=mydomain,DC=org [-2147483646] instanceType: value = 4 [-2147483646] whenCreated: value = 20141220225932.0Z [-2147483646] whenChanged: value = 20240430135447.0Z [-2147483646] displayName: value = My Admin [-2147483646] uSNCreated: value = 20223 [-2147483646] memberOf: value = CN=Domain Admins,CN=Users,DC=root,DC=mydomain,DC=org [-2147483646] uSNChanged: value = 8295504 [-2147483646] name: value = My Admin [-2147483646] objectGUID: value = o..../.A./g...qb [-2147483646] userAccountControl: value = 66048 [-2147483646] badPwdCount: value = 0 [-2147483646] codePage: value = 0 [-2147483646] countryCode: value = 0 [-2147483646] badPasswordTime: value = 133591008782225124 [-2147483646] lastLogon: value = 133591008978803743 [-2147483646] pwdLastSet: value = 130635899729387577 [-2147483646] primaryGroupID: value = 513 [-2147483646] objectSid: value = .............f...L.?f)Jq.... [-2147483646] adminCount: value = 1 [-2147483646] accountExpires: value = 9223372036854775807 [-2147483646] logonCount: value = 1 [-2147483646] sAMAccountName: value = myadmin [-2147483646] sAMAccountType: value = 805306368 [-2147483646] userPrincipalName: value = myadmin@root.mydomain.org [-2147483646] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=root,DC=mydomain,DC=org [-2147483646] dSCorePropagationData: value = 20220105234128.0Z [-2147483646] dSCorePropagationData: value = 20210402000553.0Z [-2147483646] dSCorePropagationData: value = 20210401211313.0Z [-2147483646] dSCorePropagationData: value = 16010101000000.0Z [-2147483646] mS-DS-ConsistencyGuid: value = o..../.A./g...qb [-2147483646] lastLogonTimestamp: value = 133589588874166367 [-2147483646] Fiber exit Tx=565 bytes Rx=2960 bytes, status=1 [-2147483646] Session End INFO: Authentication Successful FW1# und

Re: ASA integration with Active Directory using LDAPS

MHM Cisco World — Thu, 02 May 2024 14:20:06 GMT

Just simple note we talk about ldaps or ldap

Ldap need ssl between asa and AD' and ldap is run over ssl

Ldap not need ssl

So first thing we need to check ssl

MHM

Re: ASA integration with Active Directory using LDAPS

mumbles202 — Thu, 02 May 2024 14:18:34 GMT

Not sure I follow. LDAP from ASA to AD is working fine. When I try to switch to LDAPS (using "server-port 636" and "ldap-over-ssl enable") it fails.

Re: ASA integration with Active Directory using LDAPS

MHM Cisco World — Thu, 02 May 2024 14:23:42 GMT

Debug http 255 <- share this when you use ldaps

MHM

Re: ASA integration with Active Directory using LDAPS

balaji.bandi — Thu, 02 May 2024 15:37:41 GMT

as you mentioned other ASA working, what Code is that ?

what is the IP address of the ASA working, what is the new ASA IP address ?

the one success - .4

uri=ldaps://10.100.100.4:636

the one failing .5 (can you configiure .4 and test on new ASA ?

uri=ldaps://10.100.100.5:636

Re: ASA integration with Active Directory using LDAPS

mumbles202 — Thu, 02 May 2024 16:18:27 GMT

I had the same issue when testing against 10.100.100.4 on the new ASA. When I enabled http debug as well I get this:

ciscoasav01# test aaa-server authentication LDAP host 10.100.100.5 userna$
Password: HTTP: Periodic admin session check (idle-timeout = 1200, session-timeout = 0)
****************
INFO: Attempting Authentication test to IP address (10.100.100.5) (timeout: 20 seconds)

[-2147483626] Session Start
[-2147483626] New request Session, context 0x00007f1eb01da658, reqType = Authentication
[-2147483626] Fiber started
[-2147483626] Creating LDAP context with uri=ldaps://10.100.100.5:636
[-2147483626] TLS Connection to LDAP server: ldaps://10.100.100.5:636, status = Failed
[-2147483626] Unable to read rootDSE. Can't contact LDAP server.
[-2147483626] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[-2147483626] Session End
ERROR: Authentication Server not responding: AAA Server has been removed

Re: ASA integration with Active Directory using LDAPS

balaji.bandi — Thu, 02 May 2024 16:22:23 GMT

i still see 10.100.100.5 - can you configure 10.100.100.4 and psot the debug

Re: ASA integration with Active Directory using LDAPS

mumbles202 — Thu, 02 May 2024 16:38:40 GMT

I pulled 100.4 out for now, but here is the debug I pulled while testing against it last night:

ciscoasav01(config)# debug ldap 255
debug ldap enabled at level 255

ciscoasav01(config)# debug ldap 255
ciscoasav01(config)# test aaa-server authentication LDAP host 10.220.100.4 username ittest password mypassword
INFO: Attempting Authentication test to IP address (10.220.100.4) (timeout: 20 seconds)

[-2147483641] Session Start
[-2147483641] New request Session, context 0x00007f07ec3991a8, reqType = Authentication
[-2147483641] Fiber started
[-2147483641] Creating LDAP context with uri=ldaps://10.220.100.4:636
[-2147483641] TLS Connection to LDAP server: ldaps://10.220.100.4:636, status = Failed
[-2147483641] Unable to read rootDSE. Can't contact LDAP server.
[-2147483641] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[-2147483641] Session End
ERROR: Authentication Server not responding: AAA Server has been removed

ciscoasav01(config)#

Re: ASA integration with Active Directory using LDAPS

MHM Cisco World — Thu, 02 May 2024 16:52:26 GMT

friend again the SSL need cert. and root CA to work, it not simply use password

MHM

Re: ASA integration with Active Directory using LDAPS

mumbles202 — Thu, 02 May 2024 16:53:55 GMT

I have the root CA imported into the ASA CA certificates. The DC (100.4) is also the Certificate Authority.

Re: ASA integration with Active Directory using LDAPS

MHM Cisco World — Thu, 02 May 2024 17:05:59 GMT

but Root CA cert not use via auth you need I think one more cert

check work ASA see how many Cert it have

MHM

Re: ASA integration with Active Directory using LDAPS

mumbles202 — Thu, 02 May 2024 17:39:24 GMT

On the working unit I don't see the certificate for the internal CA; actually the only certificates are see are 3rd party CAs from well-known sources and the identity certificates for the firewall.

Re: ASA integration with Active Directory using LDAPS

MHM Cisco World — Thu, 02 May 2024 17:45:05 GMT

this answer your Q

the Server use Identity Cert Issue by 3rd party CA and work ASA use it to connect to Server via SSL.
make double check in server see which Cert. it use and issue of this cert.

Goodluck friend

MHM