Firepower Management Center LDAP/CAC configuration

Eric R. Jones
Level 4

We are attempting to configure our FMC front end to allow Common Access Card (CAC) access.

At one point we were able to run the test and pull names from the AD server.

We are using TLS with a cert.

The output from the test has failures:

"Failed to issue StartTLS instruction: Connect error - 11"


I'm seeing a line "Current TLS Require Cert: 4".

I've googled around but can't find out what this means.


I was using SSL when I read that it's deprecated and switched to TLS.

I've used "none" but still failure.


Has anyone configured the FMC to work with CAC login?

Has anyone configured the FTD to work with CAC for SSH access?

We had it configured on our ASA via the ASDM.

The Primary and Backup servers are using hostname FQDN and port 389

The LDAP-specific parameters are using DC=####, DC=####

No base filter

username <username>

password <password>

confirm password <password>


Advanced options

Encryption TLS

SSL certificate has been uploaded

user name templates that have been tried

cn=%s,dc=srf,dc=local

and

%s@####.####

Timeout is 30 seconds

Attribute Mapping is "userPrincipalName"

This being the name pulled from the CAC.


I have seen recommendations to do a packet capture.

I tried using the internal packet capture but believe this to be useful for the FTDs only.

I figured I should be using Wireshark for this.

####################################################

I did try using the "Fetch Attrs" function under Attribute Mapping.

I got a popup "Could not connect or bind to server ~".

I'll be investigating this first but would like to confirm the other items I listed above.

2 Replies

Eric R. Jones
Level 4

Ok, some sleuthing from my systems counterpart figured out the password for the account was expired. That's fixed and now the next error looks to be certificate related. We have one loaded but it may not be correct or complete.


ej

Once we got this part completed we had to revisit our cert.

The cert was only partially working because it didn't have the Root CA and Intermediate portions.

Those were added to the existing "cer" file and we were then able to see all the folks in AD.

We then used the Base Filter to narrow down who we wanted.

We still haven't gotten it to ask for a cert when selecting "Log in".

The /etc/httpd/ssl_certificates.conf file has the SSLVerifyClient set to optional.

Since we are using 6.6.1 that check box is no longer used.
