How to use multiple interfaces for same ldap server in aaa-server

Departamento TI
Level 1

Hello, all!


I'm currently using DUO to authenticate VPN users, using LDAP connector.

DUO just provides 1 hostname to access their LDAP server, and I want to use redundant internet interfaces to access this.

I already have a setup with SLA and track to enable/disable routes based on network availability, but in aaa-server configuration, I need to specify an interface, and all my redundancy is gone for authentication.

I tried to set another aaa-server entry with same hostname and another interface, but ASA just ignores...


Any ideas on how to use 


See configuration example below:


aaa-server Duo-LDAP (outside) host api-XXXXXXXXXXX.duosecurity.com
timeout 180
server-port 636
ldap-base-dn dc=XXXXXXXXXXX,dc=duosecurity,dc=com
ldap-naming-attribute cn
ldap-login-password XXXXXXXXXXX
ldap-login-dn dc=XXXXXXXXXXX,dc=duosecurity,dc=com
ldap-over-ssl enable
server-type auto-detect

3 Replies

c.registration
Level 1

Did you come up with a fix for this?  

Octavian Szolga
Level 4

Hi,

If configuring a secondary LDAP for the same server doesn't work, I think that your last option would be to use EEM. Watch for LDAP unavailable log to configure a new LDAP server connection :)


Thanks,

Octavian

j.a.m.e.s
Level 3

This isn't a direct solution, but it may be an alternative strategy. I found this in the v9.18 release notes:

Loopback interface support for BGP and management traffic

You could potentially create a BGP peering with your network, configure a loopback (with a name) on the ASA and redistribute it into BGP. Then bind the aaa-server group to the loopback.

I haven't tested this, but it looks like a feasible option for using the same LDAP servers via multiple physical interfaces.
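The loopback approach from the last reply, written out as an added configuration sketch (not from the thread or from Cisco, and as untested as the reply itself): the loopback name, AS numbers, neighbor addresses and the 192.0.2.0/24 and 198.51.100.0/24 documentation addresses are assumptions, and the exact command syntax should be checked against the ASA 9.18 command reference before use.

```text
! Added example, not from the thread. Assumed names/addresses are marked.
! Needs ASA 9.18 or later, where a named loopback can source management traffic.

! 1. Loopback that sources the LDAP traffic (name and address assumed)
interface loopback 1
 nameif auth-lo
 security-level 100
 ip address 192.0.2.10 255.255.255.255

! 2. Advertise the loopback /32 to the internal routers over BGP, so the
!    return path follows whichever physical link is currently up.
!    AS numbers and neighbor addresses are assumptions.
router bgp 65000
 address-family ipv4 unicast
  neighbor 198.51.100.1 remote-as 65001
  neighbor 198.51.100.1 activate
  neighbor 198.51.100.2 remote-as 65001
  neighbor 198.51.100.2 activate
  network 192.0.2.10 mask 255.255.255.255

! 3. Same Duo group as in the question, bound to the loopback instead of (outside)
aaa-server Duo-LDAP protocol ldap
aaa-server Duo-LDAP (auth-lo) host api-XXXXXXXXXXX.duosecurity.com
 timeout 180
 server-port 636
 ldap-base-dn dc=XXXXXXXXXXX,dc=duosecurity,dc=com
 ldap-naming-attribute cn
 ldap-login-password XXXXXXXXXXX
 ldap-login-dn dc=XXXXXXXXXXX,dc=duosecurity,dc=com
 ldap-over-ssl enable
 server-type auto-detect

! 4. Check reachability through the new binding (placeholder credentials)
! test aaa-server authentication Duo-LDAP host api-XXXXXXXXXXX.duosecurity.com username TESTUSER password TESTPASS
```

Translation of the loopback's private source address on each outside interface is not covered by the reply and would still have to be solved before the SLA/track failover carries the LDAP session.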