topic ASA revocation-check crl protocol ldap: use ldaps? in Network Security

ASA revocation-check crl protocol ldap: use ldaps?

joachimj — Sun, 02 Nov 2025 14:02:26 GMT

For ASA webvpn we request a certificate from the client which is checked against an internal CA.
We have configured revocation-check with protocol ldap and it is working.

Certificate has CRL URI:

ldap:///CN=xyz.-abc-CA2(4),CN=ABC-CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=xyz,DC=intern?certificateRevocationList

The only problem is, that communication between ASA and LDAP Server is unencrypted and Username/Password is sent in cleartext.

: Hardware:   FPR-2120, 6572 MB RAM, CPU MIPS 1200 MHz, 1 CPU (8 cores)
:
ASA Version 9.20(3)20 

crypto ca trustpoint Internal-Trustpoint
 revocation-check crl none
 keypair Internal-Trustpoint
 validation-usage ipsec-client ssl-client ssl-server
 crl configure
  no protocol http
  no protocol scep
  ldap-dn myusr_asa *
  ldap-defaults DC1.company.internal

Is it possible to configure ASA to use ldaps?

ldap-defaults DC1.company.internal 626

does not work.

Joachim

Re: ASA revocation-check crl protocol ldap: use ldaps?

Rob Ingram — Sun, 02 Nov 2025 14:26:40 GMT

@joachimj the CRL check would not send the username/password to the LDAP server. The username/password credentials would be sent as part of AAA authentication. Have you configured the command "ldap-over-ssl enable" under the ldap protocol configuration?

aaa-server LDAP protocol <NAME>
 ldap-over-ssl enable

Re: ASA revocation-check crl protocol ldap: use ldaps?

joachimj — Sun, 02 Nov 2025 18:48:45 GMT

@Rob Ingram

In a network trace i see the bind request for CRL retrieval in cleartext.

For VPN User Login, LDAPS is used.
Configuration:

aaa-server abc-intern protocol ldap reactivation-mode depletion deadtime 1 max-failed-attempts 5 aaa-server abc-intern (xxxnet) host 10.xxx.yyy.50 timeout 5 server-port 636 ldap-base-dn DC=xyz,DC=intern ldap-scope subtree ldap-naming-attribute sAMAccountName ldap-login-password ***** ldap-login-dn myusr_asa ldap-over-ssl enable ldap-attribute-map VPNMap aaa-server abc-intern (xxxnet) host 10.xxx.yyy.51 timeout 5 server-port 636 ldap-base-dn DC=xyz,DC=intern ldap-scope subtree ldap-naming-attribute sAMAccountName ldap-login-password ***** ldap-login-dn myusr_asa ldap-over-ssl enable ldap-attribute-map VPNMap

Re: ASA revocation-check crl protocol ldap: use ldaps?

Aref Alsouqi — Mon, 03 Nov 2025 11:47:34 GMT

If the server supports LDAPS for the certificates check it should work. I see on the config snippet you provided you put port 626 instead of 636. Would that be the issue?

Re: ASA revocation-check crl protocol ldap: use ldaps?

joachimj — Tue, 04 Nov 2025 17:16:49 GMT

@Aref Alsouqi this was just a typo in my post.

ldap-defaults DC1.company.internal 636

Does not work. In the network trace i see that ASA opens the communication to port 636 but uses protocol ldap (not ldaps).

ASA sends bind request with cleartext Username and PW to the ldap server. Ldap server closes connection because it expects ldaps.

I dont find any place in the ASA config where i can define that ldaps should be used for crl download.

Joachim

Re: ASA revocation-check crl protocol ldap: use ldaps?

Aref Alsouqi — Tue, 04 Nov 2025 17:35:59 GMT

I see, then probably it's not supported. I've just took a look at this link and it states the ASA can retrieve CRLs over HTTP, SCEP, or LDAP. It's not mentioning anything specifically for LDAPS.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa917/configuration/general/asa-917-general-config/basic-certs.html