05-23-2017 11:34 PM - edited 03-11-2019 12:44 AM
Hi,
I have an external authentication server; the configuration is below:
aaa-server test protocol ldap
aaa-server test (Outside) host testserver.com
timeout 60
server-port 636
ldap-base-dn dc=xxxxxxxxxxxxxxx,dc=testserver,dc=com
ldap-naming-attribute cn
ldap-login-password *****
ldap-login-dn dc=xxxxxxxxxxxxx,dc=testserver,dc=com
ldap-over-ssl enable
I have an internal DNS server running; for DNS resolution, domain-lookup is enabled on the Inside interface:
dns domain-lookup Inside
For some reason the authentication is not working.
I have captured the traffic to the remote LDAPS server (output sanitized):
interface GigabitEthernet0/1
nameif Outside
security-level 0
ip address 1.1.1.1 255.255.255.252
TestServer.com : 2.2.2.2
!
Thanks
05-24-2017 03:33 AM
It appears your pcap only got part of the session. From what I can see it seems that SSL is never establishing properly.
Are you sure the LDAPS server is able to accept SSL sessions from clients?
Is any other client connecting to it via LDAPS?
Perhaps you can do a capture at the server end and open up the SSL handshake details in the decode.
05-24-2017 02:27 PM
Hi
"From what I can see it seems that SSL is never establishing properly."
The AAA server is using an Entrust certificate.
This might be because the root CA (Entrust) is not installed (as a trustpoint) on the ASA.
Thanks
05-25-2017 01:03 AM
That could very well be the case.
The detailed protocol decode of the SSL handshake might show you conclusively what is happening (or a debug on the ASA, although those can be more challenging to interpret as they are so verbose and all plain text).
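To illustrate what "open up the SSL handshake details in the decode" looks for, here is an added example (not from any poster in this thread, and not Cisco code) that decodes the TLS record layer of a captured LDAPS session and turns alert records into a plain-language reason. The sample records below are constructed for the example, not taken from the original capture; with a real pcap you would feed it the TCP payload bytes of the port-636 stream. A fatal unknown_ca alert sent by the client right after the server's Certificate message is the classic signature of the client (here, the ASA) not trusting the server's issuing CA, which is what the missing-trustpoint theory above predicts.

```python
"""Minimal TLS record decoder for triaging a captured LDAPS handshake.

Added example for this thread, not code from the original posts. It splits a
byte stream into TLS records, summarises ClientHello messages and decodes alert
records. The sample bytes are constructed, not from the poster's capture.
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSL3.0", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate", 12: "server_key_exchange",
                   14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    112: "unrecognized_name",
}
# Alerts whose sender rejected the peer's certificate chain (trust store / validity problems).
CERT_TRUST_ALERTS = {42, 44, 45, 46, 48}


def parse_records(data: bytes):
    """Split a raw byte stream into (content_type, version, payload) TLS records."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record at offset %d" % off)
        records.append((ctype, ver, payload))
        off += 5 + length
    return records


def describe_record(ctype, ver, payload):
    """One-line human summary of a single TLS record."""
    if ctype == 21 and len(payload) == 2:           # alert: level, description
        level = ALERT_LEVELS.get(payload[0], str(payload[0]))
        desc = ALERT_DESCRIPTIONS.get(payload[1], "alert(%d)" % payload[1])
        return "alert: %s %s (%d)" % (level, desc, payload[1])
    if ctype == 22 and len(payload) >= 4:           # handshake: type(1) length(3) body
        htype = HANDSHAKE_TYPES.get(payload[0], "handshake(%d)" % payload[0])
        body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
        if payload[0] == 1 and len(body) >= 35:     # client_hello: version, random, sid, suites
            hello_ver = VERSIONS.get(int.from_bytes(body[0:2], "big"), "unknown")
            off = 35 + body[34]                      # skip version + 32-byte random + session id
            cs_len = int.from_bytes(body[off:off + 2], "big")
            suites = ["%04x" % int.from_bytes(body[i:i + 2], "big")
                      for i in range(off + 2, off + 2 + cs_len, 2)]
            return "handshake %s: %s, %d cipher suites (%s)" % (htype, hello_ver, len(suites), ", ".join(suites))
        return "handshake %s" % htype
    return "%s record, %s, %d bytes" % (CONTENT_TYPES.get(ctype, "unknown"), VERSIONS.get(ver, "?"), len(payload))


def summarize(data: bytes):
    return [describe_record(*rec) for rec in parse_records(data)]


def diagnose(data: bytes) -> str:
    """Map the first fatal alert in the stream to the likely cause a defender should check."""
    for ctype, _ver, payload in parse_records(data):
        if ctype != 21 or len(payload) != 2 or payload[0] != 2:
            continue
        name = ALERT_DESCRIPTIONS.get(payload[1], "alert(%d)" % payload[1])
        if payload[1] in CERT_TRUST_ALERTS:
            return "certificate-trust failure (%s)" % name   # sender cannot validate the peer's chain
        if payload[1] in (40, 70, 71):
            return "cipher/protocol mismatch (%s)" % name
        return "fatal alert (%s)" % name
    return "no alert in capture: handshake truncated or completed"


# Constructed sample stream: a ClientHello record followed by a fatal unknown_ca alert.
CLIENT_HELLO = (
    b"\x16\x03\x01\x00\x2f"           # record header: handshake, record version TLS1.0, 47 bytes
    + b"\x01\x00\x00\x2b"             # handshake header: client_hello, 43-byte body
    + b"\x03\x03" + b"\x11" * 32      # TLS1.2 hello version, 32-byte client random (constructed)
    + b"\x00"                         # empty session id
    + b"\x00\x04\xc0\x2f\x00\x2f"     # two cipher suites
    + b"\x01\x00"                     # null compression only
)
UNKNOWN_CA_ALERT = b"\x15\x03\x03\x00\x02\x02\x30"   # alert record: fatal (2), unknown_ca (48)

if __name__ == "__main__":
    for line in summarize(CLIENT_HELLO + UNKNOWN_CA_ALERT):
        print(line)
    print("verdict:", diagnose(CLIENT_HELLO + UNKNOWN_CA_ALERT))
```

The direction of the alert matters when reading a real capture: an unknown_ca sent from the ASA's address toward port 636 means the ASA rejected the server's chain (install the issuing root CA as a trustpoint), whereas the same alert from the server means the server did not trust a client certificate.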