
asa -aaa

elite2010
Level 3

Hi,
I have an external authentication server; the configuration is below:

aaa-server test protocol ldap
aaa-server test (Outside) host testserver.com
 timeout 60
 server-port 636
 ldap-base-dn dc=xxxxxxxxxxxxxxx,dc=testserver,dc=com
 ldap-naming-attribute cn
 ldap-login-password *****
 ldap-login-dn dc=xxxxxxxxxxxxx,dc=testserver,dc=com
 ldap-over-ssl enable


I have an internal DNS server running; for resolving DNS, domain-lookup is enabled on the Inside interface:
dns domain-lookup Inside

For some reason the authentication is not working.

I have captured the traffic to the remote LDAPS server (output sanitized).


interface GigabitEthernet0/1
nameif Outside
security-level 0
ip address 1.1.1.1 255.255.255.252


TestServer.com : 2.2.2.2
!

Thanks

3 Replies

Marvin Rhoads
Hall of Fame

It appears your pcap only got part of the session. From what I can see it seems that SSL is never establishing properly.

Are you sure the LDAPS server is able to accept SSL sessions from clients?

Is any other client connecting to it via LDAPS?

Perhaps you can do a capture at the server end and open up the SSL handshake details in the decode.

Hi

"From what I can see it seems that SSL is never establishing properly.".

The AAA server is using an Entrust certificate.

This might be the Entrust root CA not being installed (trustpoint) in the ASA.

Thanks 

That could very well be the case.

The detailed protocol decode of the SSL handshake might show you conclusively what is happening (or a debug on the ASA, although those can be more challenging to interpret as they are so verbose and all plain text).
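The thread ends on two suggestions: look at the SSL handshake in detail, and check whether the Entrust root CA that issued the LDAPS server's certificate is installed as a trustpoint on the ASA. The script below is an added example, not code from the thread or from Cisco: it pulls the certificate chain the LDAPS server presents with `openssl s_client -showcerts`, parses it into depth/subject/issuer lines, and reports the issuer of the deepest certificate, which is the root CA the client side must trust. The hostname, port and the Entrust-style subject names in the embedded sample output are constructed for illustration; the live probe only runs when `LDAPS_HOST` is set, so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): find out which root CA an LDAPS server's
# certificate chains up to, so the matching trustpoint can be installed on the
# client (here the ASA). Assumes the `openssl` CLI is installed and, for the
# live probe, that the host and port are reachable from this machine.

# Fetch the server's chain. -servername sends SNI as a modern client would.
ldaps_probe() {
    host="$1"; port="${2:-636}"
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" -showcerts 2>/dev/null
}

# Parse `openssl s_client -showcerts` text on stdin into one line per chain
# entry: "<depth>|<subject>|<issuer>". It only splits on the "s:" / "i:"
# prefixes, so both the "CN = x" and the older "/CN=x" name styles work.
chain_entries() {
    awk '
        /^ *[0-9]+ s:/ { depth=$1; sub(/^ *[0-9]+ s:/, ""); subj=$0; next }
        /^ *i:/ && depth != "" { sub(/^ *i:/, ""); print depth "|" subj "|" $0; depth="" }
    '
}

# Issuer of the deepest entry the server sent: the CA that must be trusted by
# the client. Servers often omit the root itself, so this name is what you look
# for in the client's trust store rather than the last subject.
root_issuer() {
    chain_entries | tail -n 1 | cut -d'|' -f3
}

# openssl's own verdict against the local CA store (0 means the chain verified).
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | tail -n 1
}

# Constructed sample of s_client output (not a real capture) so the parsing
# functions can be run without network access. Names are placeholders.
SAMPLE_OUTPUT='CONNECTED(00000003)
Certificate chain
 0 s:CN = testserver.com
   i:C = US, O = Entrust, Inc., CN = Entrust Issuing CA (sample)
-----BEGIN CERTIFICATE-----
MIIB...sample...
-----END CERTIFICATE-----
 1 s:C = US, O = Entrust, Inc., CN = Entrust Issuing CA (sample)
   i:C = US, O = Entrust, Inc., CN = Entrust Root CA (sample)
-----BEGIN CERTIFICATE-----
MIIB...sample...
-----END CERTIFICATE-----
---
SSL-Session:
    Verify return code: 21 (unable to verify the first certificate)
---'

sample_root_issuer() { printf '%s\n' "$SAMPLE_OUTPUT" | root_issuer; }
sample_verify_code() { printf '%s\n' "$SAMPLE_OUTPUT" | verify_code; }
sample_chain_depth() { printf '%s\n' "$SAMPLE_OUTPUT" | chain_entries | wc -l | tr -d ' '; }

if [ -n "${LDAPS_HOST:-}" ]; then
    out=$(ldaps_probe "$LDAPS_HOST" "${LDAPS_PORT:-636}")
    printf 'chain:\n%s\n' "$(printf '%s\n' "$out" | chain_entries)"
    printf 'root issuer to trust on the client: %s\n' "$(printf '%s\n' "$out" | root_issuer)"
    printf 'openssl verify code (0 = chain OK with local CA store): %s\n' "$(printf '%s\n' "$out" | verify_code)"
else
    printf 'offline sample -> root issuer: %s ; verify code: %s ; entries: %s\n' \
        "$(sample_root_issuer)" "$(sample_verify_code)" "$(sample_chain_depth)"
fi
```

Run it with `LDAPS_HOST=testserver.com sh ldaps-chain.sh` from a machine that can reach TCP/636. If no chain is printed at all, the server never completes a TLS handshake and the problem is on the server side, which is the first thing the reply above asks about. If a chain is printed, the reported root issuer is the CA certificate to import on the ASA (`crypto ca trustpoint <name>`, `enrollment terminal`, then `crypto ca authenticate <name>` and paste the PEM), after which `test aaa-server authentication test host testserver.com username <user> password <pass>` and `debug ldap 255` show whether the LDAP bind now succeeds.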