ASA 5505 - CA Certificate for LDAPS

Keef
Level 1

Good afternoon!

 

I have an ASA 5505 which is connected to an Active Directory DC for AAA via LDAP. I want to move to LDAPS.

 

I have a local CA that provides the DC with its DC cert (for LDAPS). LDAPS is working fine with several other devices on the network. Unfortunately, the ASA refuses to accept the DC's certificate.

 

I have added the CA certificate to Configuration -> Device Management -> Certificate Management -> CA Certificates. I have tried both PKC and PEM format. The certificate loads into the ASA fine, but the LDAPS connection fails once the DC sends its cert to the ASA (confirmed with packet captures).

 

Any ideas why it's not trusting the DC's cert?

 

The firewall is an ASA 5505 running IOS 9.2(4).

 

Thank you!!

Accepted Solution

I figured out the problem!

 

I was correctly configuring the CA certificates (ASDM: Configuration -> Remote Access VPN -> Certificate Management -> CA Certificates).

 

The issue appears to be poor encryption algorithm fallback handling on the ASA: I disabled all unnecessary encryption algorithms and the LDAPS AAA connection is now working as expected (ASDM: Configuration -> Remote Access VPN -> Advanced -> SSL Settings).

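A handshake probe that reproduces what the ASA does when it opens the LDAPS session (verify the DC's certificate against the imported CA, then negotiate one TLS version at a time, so a version or cipher mismatch like the one above shows up as its own error), added here as an example and not code from the thread; the DC host name, port 636 and the CA bundle path are assumptions.

```python
"""Probe an LDAPS endpoint: TLS handshake, server certificate verified
against a chosen CA bundle, one attempt per TLS protocol version.
Added example, not from the thread; host and CA path are assumptions."""
import socket
import ssl

def probe_ldaps(host, port=636, ca_file=None, min_version=None, timeout=5.0):
    """Return a dict describing one TLS handshake attempt.
    ca_file: PEM bundle with the issuing CA (the DC cert must chain to it).
    min_version: ssl.TLSVersion to pin, e.g. ssl.TLSVersion.TLSv1_2."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True            # DC cert SAN must match the name used
    ctx.verify_mode = ssl.CERT_REQUIRED
    if min_version is not None:          # pin exactly one protocol version
        ctx.minimum_version = min_version
        ctx.maximum_version = min_version
    result = {"host": host, "port": port, "ok": False}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = f"connect: {exc}"          # TCP-level failure
        return result
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result.update(ok=True, protocol=tls.version(), cipher=tls.cipher()[0],
                          subject=dict(x[0] for x in tls.getpeercert()["subject"]))
    except ssl.SSLCertVerificationError as exc:
        result["error"] = f"verify: {exc.verify_message}"  # CA trust / name mismatch
    except ssl.SSLError as exc:
        result["error"] = f"tls: {exc.reason or exc}"      # version/cipher negotiation
    except OSError as exc:
        result["error"] = f"io: {exc}"
    finally:
        raw.close()
    return result

def sweep(host, port=636, ca_file=None):
    """One handshake per TLS version, oldest first, so the version on which
    negotiation breaks can be isolated from a plain certificate problem."""
    versions = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
    return {v.name: probe_ldaps(host, port, ca_file, v) for v in versions}

if __name__ == "__main__":
    import sys  # usage: probe.py dc1.example.local [ca.pem]  (names assumed)
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    for name, r in sweep(sys.argv[1], ca_file=ca).items():
        print(name, r.get("error") or f"OK {r['cipher']} {r['subject'].get('commonName')}")
```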

2 Replies

Hi,

This post here describes how to configure a trustpoint on the ASA. It goes into more depth regarding setting up a VPN, which you don't need, but the procedure to configure the trustpoint is the same. The CA certificate that is imported (authenticated) obviously needs to be the same CA that is used in AD.

 

HTH
