05-02-2024 03:37 AM
Setting up a new ASA running 9.18 and trying to tie it into AD. This is replacing an existing ASA that was previously connected to AD using LDAPS. On the new ASA I can do test authentication without any issue if I use port 389, but once I switch to 636 it fails. On the old firewalls I can do the authentication using either 389 or 636.
Not sure if I missed a step and can't seem to find documentation on using 636 anymore. I tried importing the root CA certificate (which happens to be on a DC) but that didn't fix it.
Any insight would be appreciated.
05-02-2024 03:45 AM
If the configuration is good and you imported the certs also - then run the debug
debug ldap and see what is wrong?
As you mentioned the other ASA is working, what code is that?
Check the below thread also, it can help you:
https://community.cisco.com/t5/network-security/asa-5505-ca-certificate-for-ldaps/td-p/3376664
05-02-2024 04:06 AM
Thanks for the quick response. When I do a debug ldap 255 I get this:
ciscoasav01(config)# test aaa-server authentication LDAP host 10.100.100.$
INFO: Attempting Authentication test to IP address (10.100.100.5) (timeout: 20 seconds)
[-2147483639] Session Start
[-2147483639] New request Session, context 0x00007f07ec3991a8, reqType = Authentication
[-2147483639] Fiber started
[-2147483639] Creating LDAP context with uri=ldaps://10.100.100.5:636
[-2147483639] TLS Connection to LDAP server: ldaps://10.100.100.5:636, status = Failed
[-2147483639] Unable to read rootDSE. Can't contact LDAP server.
[-2147483639] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[-2147483639] Session End
ERROR: Authentication Server not responding: AAA Server has been removed
05-02-2024 04:25 AM
As you mentioned the other ASA is working, what code is that?
If you do the same test and post the debug here from the working one?
[-2147483639] TLS Connection to LDAP server: ldaps://10.100.100.5:636, status = Failed
In the path do you have any other firewall, or any Windows firewall?
Maybe check on the server and run some more packet capture and see what is wrong?
I have seen some bug, that should not affect this version of code running:
05-02-2024 07:01 AM
Here's a successful authentication from the original firewall:
INFO: Attempting Authentication test to IP address (10.100.100.4) (timeout: 22 seconds)
[-2147483646] Session Start
[-2147483646] New request Session, context 0x00007fa56e336400, reqType = Authentication
[-2147483646] Fiber started
[-2147483646] Creating LDAP context with uri=ldaps://10.100.100.4:636
[-2147483646] Connect to LDAP server: ldaps://10.100.100.4:636, status = Successful
[-2147483646] supportedLDAPVersion: value = 3
[-2147483646] supportedLDAPVersion: value = 2
[-2147483646] Binding as My Admin
[-2147483646] Performing Simple authentication for My Admin to 10.100.100.4
[-2147483646] LDAP Search:
Base DN = [dc=root, dc=mydomain, dc=org]
Filter = [sAMAccountName=myadmin]
Scope = [SUBTREE]
[-2147483646] User DN = [CN=My Admin,CN=Users,DC=root,DC=mydomain,DC=org]
[-2147483646] Talking to Active Directory server 10.100.100.4
[-2147483646] Reading password policy for myadmin, dn:CN=My Admin,CN=Users,DC=root,DC=mydomain,DC=org
[-2147483646] Read bad password count 0
[-2147483646] Binding as myadmin
[-2147483646] Performing Simple authentication for myadmin to 10.100.100.4
[-2147483646] Processing LDAP response for user myadmin
[-2147483646] Message (myadmin):
[-2147483646] Authentication successful for myadmin to 10.100.100.4
[-2147483646] Retrieved User Attributes:
[-2147483646] objectClass: value = top
[-2147483646] objectClass: value = person
[-2147483646] objectClass: value = organizationalPerson
[-2147483646] objectClass: value = user
[-2147483646] cn: value = My Admin
[-2147483646] sn: value = Auth
[-2147483646] description: value = Used for ASA VPN and Wireless Authentication - DO NOT DELETE
[-2147483646] givenName: value = Cisco
[-2147483646] distinguishedName: value = CN=My Admin,CN=Users,DC=root,DC=mydomain,DC=org
[-2147483646] instanceType: value = 4
[-2147483646] whenCreated: value = 20141220225932.0Z
[-2147483646] whenChanged: value = 20240430135447.0Z
[-2147483646] displayName: value = My Admin
[-2147483646] uSNCreated: value = 20223
[-2147483646] memberOf: value = CN=Domain Admins,CN=Users,DC=root,DC=mydomain,DC=org
[-2147483646] uSNChanged: value = 8295504
[-2147483646] name: value = My Admin
[-2147483646] objectGUID: value = o..../.A./g...qb
[-2147483646] userAccountControl: value = 66048
[-2147483646] badPwdCount: value = 0
[-2147483646] codePage: value = 0
[-2147483646] countryCode: value = 0
[-2147483646] badPasswordTime: value = 133591008782225124
[-2147483646] lastLogon: value = 133591008978803743
[-2147483646] pwdLastSet: value = 130635899729387577
[-2147483646] primaryGroupID: value = 513
[-2147483646] objectSid: value = .............f...L.?f)Jq....
[-2147483646] adminCount: value = 1
[-2147483646] accountExpires: value = 9223372036854775807
[-2147483646] logonCount: value = 1
[-2147483646] sAMAccountName: value = myadmin
[-2147483646] sAMAccountType: value = 805306368
[-2147483646] userPrincipalName: value = myadmin@root.mydomain.org
[-2147483646] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=root,DC=mydomain,DC=org
[-2147483646] dSCorePropagationData: value = 20220105234128.0Z
[-2147483646] dSCorePropagationData: value = 20210402000553.0Z
[-2147483646] dSCorePropagationData: value = 20210401211313.0Z
[-2147483646] dSCorePropagationData: value = 16010101000000.0Z
[-2147483646] mS-DS-ConsistencyGuid: value = o..../.A./g...qb
[-2147483646] lastLogonTimestamp: value = 133589588874166367
[-2147483646] Fiber exit Tx=565 bytes Rx=2960 bytes, status=1
[-2147483646] Session End
INFO: Authentication Successful
FW1# und
05-02-2024 07:10 AM - edited 05-02-2024 07:20 AM
Just a simple note, are we talking about LDAPS or LDAP?
LDAPS needs SSL between ASA and AD, and LDAPS runs over SSL.
LDAP does not need SSL.
So the first thing we need to check is SSL.
MHM
05-02-2024 07:18 AM
Not sure I follow. LDAP from ASA to AD is working fine. When I try to switch to LDAPS (using "server-port 636" and "ldap-over-ssl enable") it fails.
05-02-2024 07:23 AM
Debug http 255 <- share this when you use ldaps
MHM
05-02-2024 08:37 AM
As you mentioned the other ASA is working, what code is that?
What is the IP address of the working ASA, what is the new ASA IP address?
the one success - .4
uri=ldaps://10.100.100.4:636
the one failing .5 (can you configure .4 and test on the new ASA?)
uri=ldaps://10.100.100.5:636
05-02-2024 09:17 AM - edited 05-02-2024 09:18 AM
I had the same issue when testing against 10.100.100.4 on the new ASA. When I enabled http debug as well I get this:
ciscoasav01# test aaa-server authentication LDAP host 10.100.100.5 userna$
Password: HTTP: Periodic admin session check (idle-timeout = 1200, session-timeout = 0)
****************
INFO: Attempting Authentication test to IP address (10.100.100.5) (timeout: 20 seconds)
[-2147483626] Session Start
[-2147483626] New request Session, context 0x00007f1eb01da658, reqType = Authentication
[-2147483626] Fiber started
[-2147483626] Creating LDAP context with uri=ldaps://10.100.100.5:636
[-2147483626] TLS Connection to LDAP server: ldaps://10.100.100.5:636, status = Failed
[-2147483626] Unable to read rootDSE. Can't contact LDAP server.
[-2147483626] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[-2147483626] Session End
ERROR: Authentication Server not responding: AAA Server has been removed
05-02-2024 09:22 AM
I still see 10.100.100.5 - can you configure 10.100.100.4 and post the debug?
05-02-2024 09:38 AM
I pulled 100.4 out for now, but here is the debug I pulled while testing against it last night:
ciscoasav01(config)# debug ldap 255
debug ldap enabled at level 255
ciscoasav01(config)# debug ldap 255
ciscoasav01(config)# test aaa-server authentication LDAP host 10.220.100.4 username ittest password mypassword
INFO: Attempting Authentication test to IP address (10.220.100.4) (timeout: 20 seconds)
[-2147483641] Session Start
[-2147483641] New request Session, context 0x00007f07ec3991a8, reqType = Authentication
[-2147483641] Fiber started
[-2147483641] Creating LDAP context with uri=ldaps://10.220.100.4:636
[-2147483641] TLS Connection to LDAP server: ldaps://10.220.100.4:636, status = Failed
[-2147483641] Unable to read rootDSE. Can't contact LDAP server.
[-2147483641] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[-2147483641] Session End
ERROR: Authentication Server not responding: AAA Server has been removed
ciscoasav01(config)#
05-02-2024 09:52 AM
Friend, again the SSL needs a cert and root CA to work, it does not simply use a password.
MHM
05-02-2024 09:53 AM
I have the root CA imported into the ASA CA certificates. The DC (100.4) is also the Certificate Authority.
05-02-2024 10:05 AM
But the Root CA cert is not used via auth, you need I think one more cert.
Check the working ASA and see how many certs it has.
MHM
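The last replies come down to one question: what certificate does the DC actually present on 636, and would the root CA imported on the ASA validate it? Here is an added Python example (not from the thread, Cisco, or Microsoft) that checks exactly that from a workstation; the DC address, the PEM path of the exported root CA and the issuer CN are assumptions to adjust.

```python
import socket
import ssl

# Constructed values standing in for the thread's setup; adjust to your environment.
DC_HOST = "10.100.100.5"      # the DC the new ASA fails against in the debug output
LDAPS_PORT = 636
ROOT_CA_FILE = "root-ca.pem"  # assumed path: the same root CA, exported as PEM

def _name_to_dict(rdns):
    """Flatten the nested subject/issuer tuples returned by ssl.getpeercert()."""
    return {attr: value for rdn in rdns for attr, value in rdn}

def cert_trust_report(peer_cert, expected_issuer_cn, expected_names):
    """Offline check of a getpeercert()-style dict: was the DC's cert issued by the
    CA imported on the ASA, and does its SAN carry the name the ASA connects to?"""
    subject = _name_to_dict(peer_cert.get("subject", ()))
    issuer = _name_to_dict(peer_cert.get("issuer", ()))
    sans = {value for kind, value in peer_cert.get("subjectAltName", ())
            if kind in ("DNS", "IP Address")}
    return {
        "subject_cn": subject.get("commonName"),
        "issuer_cn": issuer.get("commonName"),
        "issuer_matches_trustpoint": issuer.get("commonName") == expected_issuer_cn,
        "name_in_san": bool(sans & set(expected_names)),
        "sans": sorted(sans),
    }

def probe_ldaps(host=DC_HOST, port=LDAPS_PORT, cafile=ROOT_CA_FILE):
    """Live probe: TCP reachability first (389 working proves nothing about 636),
    then a TLS handshake verified against the root CA, as the ASA would do."""
    report = {"tcp": False, "tls_verified": False, "detail": None}
    try:
        socket.create_connection((host, port), timeout=5).close()
        report["tcp"] = True
    except OSError as exc:
        report["detail"] = f"tcp: {exc}"   # nothing listening, filtered, or no route
        return report
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False             # ASA is pointed at an IP; SAN checked above
    try:
        with socket.create_connection((host, port), timeout=5) as sock, \
                ctx.wrap_socket(sock, server_hostname=host) as tls:
            report.update(tls_verified=True, protocol=tls.version(),
                          cert=tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        report["detail"] = f"chain: {exc.verify_message}"  # e.g. unable to get local issuer
    except (ssl.SSLError, OSError) as exc:
        report["detail"] = f"handshake: {exc}"  # TLS version/cipher mismatch or reset
    return report
```

Run probe_ldaps() from a host that can reach the DC; a "chain:" detail means the presented cert does not chain to the imported root (often a missing issuing CA cert), while a "handshake:" detail with TCP up points at TLS version or cipher settings rather than trust.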