09-26-2017 10:47 AM - last edited on 02-21-2020 11:40 PM by cc_security_adm
Hello, all!
I'm currently using DUO to authenticate VPN users, using the LDAP connector.
DUO only provides one hostname to access their LDAP server, and I want to use redundant internet interfaces to reach it.
I already have a setup with SLA and track to enable/disable routes based on network availability, but in the aaa-server configuration I need to specify an interface, and all my redundancy is gone for authentication.
I tried to set up another aaa-server entry with the same hostname and another interface, but the ASA just ignores it...
Any ideas on how to use
See configuration example below:
aaa-server Duo-LDAP (outside) host api-XXXXXXXXXXX.duosecurity.com
 timeout 180
 server-port 636
 ldap-base-dn dc=XXXXXXXXXXX,dc=duosecurity,dc=com
 ldap-naming-attribute cn
 ldap-login-password XXXXXXXXXXX
 ldap-login-dn dc=XXXXXXXXXXX,dc=duosecurity,dc=com
 ldap-over-ssl enable
 server-type auto-detect
03-28-2018 06:58 AM
Did you come up with a fix for this?
03-28-2018 12:34 PM
Hi,
If configuring a secondary LDAP for the same server doesn't work, I think that your last option would be to use EEM. Watch for the LDAP unavailable log to configure a new LDAP server connection :)
Thanks,
Octavian
10-24-2022 02:07 AM - edited 10-24-2022 02:08 AM
This isn't a direct solution, but it may be an alternative strategy. I found this in the v9.18 release notes:
Loopback interface support for BGP and management traffic
You could potentially create a BGP peering with your network, configure a loopback (with a name) on the ASA and redistribute it into BGP. Then bind the aaa-server group to the loopback.
I haven't tested this, but it looks like a feasible option for using the same LDAP servers via multiple physical interfaces.
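An added configuration sketch of the loopback/BGP idea in the reply above; it is not from the poster and is untested, as they say. The loopback address 192.0.2.1, the BGP AS numbers, the peer address 10.1.1.2 and the nameif aaa-loop are assumed placeholders, and it assumes the ASA release in use allows an aaa-server group to bind to a loopback nameif (check the release notes for your version).

```cisco
! Assumed example: addresses, AS numbers and names are placeholders
! Loopback that stays up regardless of which physical uplink is active
interface Loopback1
 nameif aaa-loop
 ip address 192.0.2.1 255.255.255.255
!
! Advertise the loopback /32 to the upstream router so that replies
! from the LDAP server can reach it over whichever uplink is currently up
router bgp 65001
 address-family ipv4 unicast
  neighbor 10.1.1.2 remote-as 65002
  neighbor 10.1.1.2 activate
  network 192.0.2.1 mask 255.255.255.255
!
! Same Duo LDAP server group as in the original post, bound to the
! loopback nameif instead of the physical "outside" interface
aaa-server Duo-LDAP (aaa-loop) host api-XXXXXXXXXXX.duosecurity.com
 timeout 180
 server-port 636
 ldap-base-dn dc=XXXXXXXXXXX,dc=duosecurity,dc=com
 ldap-naming-attribute cn
 ldap-login-password XXXXXXXXXXX
 ldap-login-dn dc=XXXXXXXXXXX,dc=duosecurity,dc=com
 ldap-over-ssl enable
 server-type auto-detect
```

This only changes the source interface the ASA uses for the LDAP session; the SLA-tracked default routes and any outbound NAT for the loopback address still have to be in place for the traffic to leave over the active uplink.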