ASA integration with Active Directory using LDAPS

mumbles202
Level 5

Setting up a new ASA running 9.18 and trying to tie it into AD. This is replacing an existing ASA that was previously connected to AD using LDAPS. On the new ASA I can do test authentication without any issue if I use port 389, but once I switch to 636 it fails. On the old firewalls I can do the authentication using either 389 or 636.

Not sure if I missed a step and can't seem to find documentation on using 636 anymore. I tried importing the root CA certificate (which happens to be on a DC) but that didn't fix it.

Any insight would be appreciated. 

16 Replies

balaji.bandi
Hall of Fame

If the configuration is good and you imported the certs also - then run the debug:

debug ldap and see what is wrong?

As you mentioned the other ASA is working, what code is that?

Check the below thread also, it can help you:

https://community.cisco.com/t5/network-security/asa-5505-ca-certificate-for-ldaps/td-p/3376664

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

mumbles202
Level 5

Thanks for the quick response.  When I do a debug ldap 255 I get this:

 

ciscoasav01(config)# test aaa-server authentication LDAP host 10.100.100.$
INFO: Attempting Authentication test to IP address (10.100.100.5) (timeout: 20 seconds)

[-2147483639] Session Start
[-2147483639] New request Session, context 0x00007f07ec3991a8, reqType = Authentication
[-2147483639] Fiber started
[-2147483639] Creating LDAP context with uri=ldaps://10.100.100.5:636
[-2147483639] TLS Connection to LDAP server: ldaps://10.100.100.5:636, status = Failed
[-2147483639] Unable to read rootDSE. Can't contact LDAP server.
[-2147483639] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[-2147483639] Session End
ERROR: Authentication Server not responding: AAA Server has been removed

As you mentioned the other ASA is working, what code is that?

Can you do the same test and post the debug here from the working one?

[-2147483639] TLS Connection to LDAP server: ldaps://10.100.100.5:636, status = Failed

In the path, do you have any other firewall, or any Windows firewall?

Maybe check on the server and run some more packet captures and see what is wrong?

I have seen some bug; that should not affect this version of code running:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus71190

BB


mumbles202
Level 5

Here's a successful authentication from the original firewall:

INFO: Attempting Authentication test to IP address (10.100.100.4) (timeout: 22 seconds)

[-2147483646] Session Start
[-2147483646] New request Session, context 0x00007fa56e336400, reqType = Authentication
[-2147483646] Fiber started
[-2147483646] Creating LDAP context with uri=ldaps://10.100.100.4:636
[-2147483646] Connect to LDAP server: ldaps://10.100.100.4:636, status = Successful
[-2147483646] supportedLDAPVersion: value = 3
[-2147483646] supportedLDAPVersion: value = 2
[-2147483646] Binding as My Admin
[-2147483646] Performing Simple authentication for My Admin to 10.100.100.4
[-2147483646] LDAP Search:
Base DN = [dc=root, dc=mydomain, dc=org]
Filter  = [sAMAccountName=myadmin]
Scope   = [SUBTREE]
[-2147483646] User DN = [CN=My Admin,CN=Users,DC=root,DC=mydomain,DC=org]
[-2147483646] Talking to Active Directory server 10.100.100.4
[-2147483646] Reading password policy for myadmin, dn:CN=My Admin,CN=Users,DC=root,DC=mydomain,DC=org
[-2147483646] Read bad password count 0
[-2147483646] Binding as myadmin
[-2147483646] Performing Simple authentication for myadmin to 10.100.100.4
[-2147483646] Processing LDAP response for user myadmin
[-2147483646] Message (myadmin): 
[-2147483646] Authentication successful for myadmin to 10.100.100.4
[-2147483646] Retrieved User Attributes:
[-2147483646] objectClass: value = top
[-2147483646] objectClass: value = person
[-2147483646] objectClass: value = organizationalPerson
[-2147483646] objectClass: value = user
[-2147483646] cn: value = My Admin
[-2147483646] sn: value = Auth
[-2147483646] description: value = Used for ASA VPN and Wireless Authentication - DO NOT DELETE
[-2147483646] givenName: value = Cisco
[-2147483646] distinguishedName: value = CN=My Admin,CN=Users,DC=root,DC=mydomain,DC=org
[-2147483646] instanceType: value = 4
[-2147483646] whenCreated: value = 20141220225932.0Z
[-2147483646] whenChanged: value = 20240430135447.0Z
[-2147483646] displayName: value = My Admin
[-2147483646] uSNCreated: value = 20223
[-2147483646] memberOf: value = CN=Domain Admins,CN=Users,DC=root,DC=mydomain,DC=org
[-2147483646] uSNChanged: value = 8295504
[-2147483646] name: value = My Admin
[-2147483646] objectGUID: value = o..../.A./g...qb
[-2147483646] userAccountControl: value = 66048
[-2147483646] badPwdCount: value = 0
[-2147483646] codePage: value = 0
[-2147483646] countryCode: value = 0
[-2147483646] badPasswordTime: value = 133591008782225124
[-2147483646] lastLogon: value = 133591008978803743
[-2147483646] pwdLastSet: value = 130635899729387577
[-2147483646] primaryGroupID: value = 513
[-2147483646] objectSid: value = .............f...L.?f)Jq....
[-2147483646] adminCount: value = 1
[-2147483646] accountExpires: value = 9223372036854775807
[-2147483646] logonCount: value = 1
[-2147483646] sAMAccountName: value = myadmin
[-2147483646] sAMAccountType: value = 805306368
[-2147483646] userPrincipalName: value = myadmin@root.mydomain.org
[-2147483646] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=root,DC=mydomain,DC=org
[-2147483646] dSCorePropagationData: value = 20220105234128.0Z
[-2147483646] dSCorePropagationData: value = 20210402000553.0Z
[-2147483646] dSCorePropagationData: value = 20210401211313.0Z
[-2147483646] dSCorePropagationData: value = 16010101000000.0Z
[-2147483646] mS-DS-ConsistencyGuid: value = o..../.A./g...qb
[-2147483646] lastLogonTimestamp: value = 133589588874166367
[-2147483646] Fiber exit Tx=565 bytes Rx=2960 bytes, status=1
[-2147483646] Session End
INFO: Authentication Successful

FW1# und

Just a simple note: are we talking about LDAPS or LDAP?

LDAPS needs SSL between ASA and AD; it is LDAP run over SSL.

LDAP does not need SSL.

So the first thing we need to check is SSL.

MHM

Not sure I follow.  LDAP from ASA to AD is working fine.  When I try to switch to LDAPS (using "server-port 636" and "ldap-over-ssl enable") it fails.

Debug http 255 <- share this when you use ldaps

MHM

As you mentioned the other ASA is working, what code is that?

What is the IP address of the working ASA, and what is the new ASA IP address?

The successful one - .4

uri=ldaps://10.100.100.4:636

The failing one - .5 (can you configure .4 and test on the new ASA?)

uri=ldaps://10.100.100.5:636

 

BB


mumbles202
Level 5

I had the same issue when testing against 10.100.100.4 on the new ASA.  When I enabled http debug as well I get this:

ciscoasav01# test aaa-server authentication LDAP host 10.100.100.5 userna$
Password: HTTP: Periodic admin session check (idle-timeout = 1200, session-timeout = 0)
****************
INFO: Attempting Authentication test to IP address (10.100.100.5) (timeout: 20 seconds)

[-2147483626] Session Start
[-2147483626] New request Session, context 0x00007f1eb01da658, reqType = Authentication
[-2147483626] Fiber started
[-2147483626] Creating LDAP context with uri=ldaps://10.100.100.5:636
[-2147483626] TLS Connection to LDAP server: ldaps://10.100.100.5:636, status = Failed
[-2147483626] Unable to read rootDSE. Can't contact LDAP server.
[-2147483626] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[-2147483626] Session End
ERROR: Authentication Server not responding: AAA Server has been removed

I still see 10.100.100.5 - can you configure 10.100.100.4 and post the debug?

 

BB


mumbles202
Level 5

I pulled 100.4 out for now, but here is the debug I pulled while testing against it last night:

ciscoasav01(config)# debug ldap 255
debug ldap enabled at level 255

ciscoasav01(config)# debug ldap 255
ciscoasav01(config)# test aaa-server authentication LDAP host 10.220.100.4 username ittest password mypassword
INFO: Attempting Authentication test to IP address (10.220.100.4) (timeout: 20 seconds)

[-2147483641] Session Start
[-2147483641] New request Session, context 0x00007f07ec3991a8, reqType = Authentication
[-2147483641] Fiber started
[-2147483641] Creating LDAP context with uri=ldaps://10.220.100.4:636
[-2147483641] TLS Connection to LDAP server: ldaps://10.220.100.4:636, status = Failed
[-2147483641] Unable to read rootDSE. Can't contact LDAP server.
[-2147483641] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[-2147483641] Session End
ERROR: Authentication Server not responding: AAA Server has been removed

ciscoasav01(config)#

Friend, again, SSL needs a cert and root CA to work; it does not simply use a password.

MHM

I have the root CA imported into the ASA CA certificates.  The DC (100.4) is also the Certificate Authority.

But the root CA cert is not used via auth; I think you need one more cert.

Check the working ASA and see how many certs it has.

MHM
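The two points MHM makes above (LDAPS is LDAP inside TLS, so the ASA has to trust the certificate the DC presents on 636, and the root CA alone may not be enough when the DC's certificate was issued by a subordinate CA) can be checked outside the ASA with the openssl CLI. The script below is an added example written for this thread; it is not from the thread, from Cisco, or from any poster. It builds a constructed PKI (a root CA, an issuing CA under it, a DC certificate with the made-up name dc01.root.mydomain.org, and an unrelated root that stands in for "the wrong CA certificate was imported") and runs the same trust decision the ASA makes with its imported CA certificates. The fetch_dc_chain helper is what you would point at the real DC to capture the chain it actually sends; its host and port arguments are assumptions, and it is not run in the demo because it needs the network.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce with constructed certificates the
# trust decision the ASA makes when it opens a TLS session for LDAPS (port 636).
# Needs the openssl CLI. Every name and path in here is made up.
set -e

# Build a constructed PKI under DIR:
#   root.pem    self-signed root CA (what "import the root CA" gives the ASA)
#   issuing.pem subordinate CA signed by the root (the "one more cert")
#   dc.pem      the DC's LDAPS server certificate, signed by the issuing CA
#   other.pem   an unrelated root, i.e. the wrong CA certificate was imported
make_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:dc01.root.mydomain.org\n' \
        > "$dir/srv.ext"

    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Issuing CA" \
        -keyout "$dir/issuing.key" -out "$dir/issuing.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/issuing.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/issuing.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=dc01.root.mydomain.org" \
        -keyout "$dir/dc.key" -out "$dir/dc.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/dc.csr" -CA "$dir/issuing.pem" -CAkey "$dir/issuing.key" \
        -CAcreateserial -extfile "$dir/srv.ext" -out "$dir/dc.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Some Other Root CA" \
        -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null
}

# verify_chain TRUSTED_CA LEAF [INTERMEDIATE]
# Exit 0 when LEAF chains to TRUSTED_CA (optionally through INTERMEDIATE), else non-zero.
# Same decision the ASA takes with the CA certificates it has imported: a leaf issued
# by a subordinate CA cannot be validated from the root alone.
verify_chain() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# fetch_dc_chain HOST [PORT]: capture the chain a real DC sends on 636 (assumed args).
# Not run in the demo (needs network). The output shows whether the DC sends only its
# own certificate or the issuing CA as well, and therefore which CA the ASA must trust.
fetch_dc_chain() {
    openssl s_client -connect "$1:${2:-636}" -showcerts </dev/null
}

report() {
    if "$@"; then echo "  OK"; else echo "  FAILED (openssl verify rejected the chain)"; fi
}

demo() {
    work=$(mktemp -d)
    make_demo_pki "$work"
    echo "root CA only, DC cert issued by the subordinate CA:"
    report verify_chain "$work/root.pem" "$work/dc.pem"
    echo "root CA plus the issuing CA certificate:"
    report verify_chain "$work/root.pem" "$work/dc.pem" "$work/issuing.pem"
    echo "wrong root CA imported:"
    report verify_chain "$work/other.pem" "$work/dc.pem" "$work/issuing.pem"
    rm -rf "$work"
}

demo
```

The first case is the one this thread is about: the root CA is imported, yet validation fails because the DC's certificate was issued by a CA one level down and that certificate is nowhere in the trust path. Against a real DC, the subject and issuer lines printed by fetch_dc_chain tell you which CA certificate(s) the ASA still needs.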
