Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4564
Views
0
Helpful
5
Replies

FTD Source Interface for LDAP queries

Go to solution
alex_aasen
Level 1
Level 1

‎09-22-2018 09:46 AM - edited ‎02-21-2020 08:16 AM

Hi all,

 

Is it possible to change the interface at which a FTD sources LDAP queries? 

 

I am trying to use a LDAP server which is only reachable over a S2S VPN to the main office from the remote branches, and it does not seem to work. Some remote branches have a local LDAP server which works fine when authenticating anyconnect users.

 

This is the topology:

 

AlexAnyConnectAtUABSetup.png

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-23-2018 07:59 AM

That's a good question and one I hadn't considered before.

 

I checked a couple of my systems and it doesn't appear to be configurable. From what I can see, your FTD device will originate the LDAP query from the egress interface chosen from the routing table. I can see how that would break authentication in the use case you mentioned.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-23-2018 07:59 AM

That's a good question and one I hadn't considered before.

 

I checked a couple of my systems and it doesn't appear to be configurable. From what I can see, your FTD device will originate the LDAP query from the egress interface chosen from the routing table. I can see how that would break authentication in the use case you mentioned.

0 Helpful

Go to solution
alex_aasen
Level 1
Level 1
In response to Marvin Rhoads

‎10-01-2018 10:16 PM

Hi,

 

We solved it by having a local RODC at the remote site. Some of my colleagues did think that it could have been solved by using FlexConfig, but that it was not really an optimal solution.

 

Br

Alex

0 Helpful

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni
In response to alex_aasen

‎10-03-2018 07:03 PM

IMO, Flexconfig will not fix this. This is the same behavior as the ASA. The ASA always sources the LDAP query from the egress interface based on routing as Marvin mentioned in an earlier post. FTD should have inherited the same behavior. What you can do though is add an addition proxy (crypto ACL) between your FTD outside interface and remote network. This way, the traffic between your FTD outside interface and the LDAP server will be encrypted through L2L tunnel.

0 Helpful

Go to solution
Roy Harrington
Cisco Employee
Cisco Employee
In response to Marvin Rhoads

‎10-03-2018 04:21 PM

I dont believe this is a valid solution.There is an enhancement that is fixed in 6.2.3 to allow RADIUS and LDAP to change interface through GUI. Before 6.2.3 you can use flex configs as shown in the enhancement request:

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd22080/?reffering_site=dumpcr

 

0 Helpful

Go to solution
CalastoneIT
Level 1
Level 1
In response to Roy Harrington

‎05-07-2021 06:07 AM

At the risk of bumping an old topic, can you clarify what setting needs to be changed in order to override the default usage of mgmt0 for sourcing ldap queries for external authentication ?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card