topic Re: FTD issue with Anyconnect authenticating via AD in Network Security

FTD issue with Anyconnect authenticating via AD

carl_townshend — Fri, 20 Dec 2024 10:03:42 GMT

Hi Guys

I am having an issue authenticating users on our anyconnect to our LDAP servers.

The users and groups show on the realm in CDO and the test to the server connects successfully.

The issue arises when I try to log into Anyconnect, I put in the password and it just fails.

I have done a debug on the firewall and I am seeing the below

%FTD-7-725013: SSL server inside:172.24.35.2/28482 to 172.24.32.50/636 chooses cipher ECDHE-RSA-AES256-GCM-SHA384
%FTD-7-717025: Validating certificate chain containing 2 certificate(s).
%FTD-7-717029: Identified client certificate within certificate chain. serial number: XXXXXXXXXXXXXXXXXX, subject name: CN=DC01.XXX
%FTD-3-717009: Certificate validation failed. serial number: 4000000006F7AC1F67376FB64D000000000006, subject name: CN=XXX-Issuing-CA,DC=XXX,DC=XXX.
%FTD-3-717027: Certificate chain failed validation. Generic validation failure occurred.
%FTD-7-725014: SSL lib error. Function: tls_process_client_certificate Reason: certificate verify failed
%FTD-6-113014: AAA authentication server not accessible : server = 172.24.32.50 : user = *****
%FTD-2-113022: AAA Marking LDAP server XXX in aaa-server group XXX as FAILED
%FTD-2-113023: AAA Marking LDAP server 172.24.32.50 in aaa-server group XXX as ACTIVE
%FTD-6-302014: Teardown TCP connection 942107 for inside:172.24.32.50/636 to identity:172.24.35.2/28482 duration 0:00:00 bytes 438 TCP Reset-O from identity
%FTD-7-711001: [107] TLS Connection to LDAP server: ldaps://172.24.32.50:636, status = Failed
%FTD-7-710005: TCP request discarded from 172.24.32.50/636 to inside:172.24.35.2/28482
%FTD-7-711001: [107] Unable to read rootDSE. Can't contact LDAP server.
%FTD-7-711001: callback_aaa_task: status = -3, msg =
%FTD-7-711001: [67] AAA FSM: In aaa_backend_callback
%FTD-7-711001: aaa_backend_callback: Handle = 67, pAcb = 0x000014b4eacf7640
%FTD-7-711001: [107] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
%FTD-7-711001: [107] Session End
%FTD-7-711001: AAA task: aaa_process_msg(0x000014b4c56e5b10) received message type 1
%FTD-7-711001: [67] AAA FSM: In AAA_ProcSvrResp

Can anyone help here please? I am really struggling to sort this

Re: FTD issue with Anyconnect authenticating via AD

Rob Ingram — Fri, 20 Dec 2024 10:18:36 GMT

@carl_townshend from your logs "%FTD-3-717009: Certificate validation failed."

Do both the FTD and anyconnect clients trust the CA? For the FTD you will need to create a trustpoint with the Inter/Root CA and enrol on the FTD. The anyconnect client will need to have the Inter/Root CA distributed by GPO.

https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs8.html

717009

Error Message %FTD-3-717009: Certificate validation failed. Reason: reason_string .

Explanation A certificate validation failed, which might be caused by a validation attempt of a revoked certificate, invalid certificate attributes, or configuration issues.

reason_string —The reason that the certificate validation failed

Recommended Action Make sure the configuration has a valid trustpoint configured for validation if the reason indicates that no suitable trustpoints were found. Check the Secure Firewall Threat Defense device time to ensure that it is accurate relative to the certificate authority time. Check the reason for the failure and correct any issues that are indicated. If certificate validation fails due to the CA key size being too small or a weak crypto being used, you can use the enable weak crypto option for the device in the management center to override these restrictions.

Re: FTD issue with Anyconnect authenticating via AD

carl_townshend — Fri, 20 Dec 2024 10:58:36 GMT

Hi Rob

The FTD has a public cert applied for the anyconnect clients to connect from outside.

I have also added the internal root CA cert to it for our internal domain, this is where the LDAP server sits.

I think the issue is somewhere with the internal cert when talking to the internal LDAP server.

As you can see below, there are 2 certs applied to the FTD, one public for the Anyconnect, the other one is internal CA root for the LDAP

What am I missing here ?

Re: FTD issue with Anyconnect authenticating via AD

Rob Ingram — Fri, 20 Dec 2024 11:28:56 GMT

You've got the internal root cert on the FTD, but no intermediate. Do you have an intermediate root CA cert that you need on the FTD?

Re: FTD issue with Anyconnect authenticating via AD

carl_townshend — Fri, 20 Dec 2024 11:49:52 GMT

Hi, I do have a copy of the full chain, should I delete the existing internal root CA and replace with that ?

Re: FTD issue with Anyconnect authenticating via AD

Rob Ingram — Fri, 20 Dec 2024 11:54:48 GMT

You can just add the intermediate as another trustpoint and enrol on the FTD.

Re: FTD issue with Anyconnect authenticating via AD

carl_townshend — Fri, 20 Dec 2024 14:26:09 GMT

Hi Rob, this seems have done the trick, thanks for that, I added to the LDAP directory as well as device certificates.

Is it a requirement that it has the full / intermediate also ? I could not see that anywhere in any documentation