11-02-2025 05:59 AM - edited 11-02-2025 06:02 AM
For ASA webvpn we request a certificate from the client which is checked against an internal CA.
We have configured revocation-check with protocol ldap and it is working.
Certificate has CRL URI:
ldap:///CN=xyz.-abc-CA2(4),CN=ABC-CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=xyz,DC=intern?certificateRevocationList
The only problem is that communication between the ASA and the LDAP server is unencrypted, and the username/password are sent in cleartext.
Hardware: FPR-2120, 6572 MB RAM, CPU MIPS 1200 MHz, 1 CPU (8 cores)
ASA Version 9.20(3)20
crypto ca trustpoint Internal-Trustpoint
 revocation-check crl none
 keypair Internal-Trustpoint
 validation-usage ipsec-client ssl-client ssl-server
 crl configure
  no protocol http
  no protocol scep
  ldap-dn myusr_asa *
  ldap-defaults DC1.company.internal
Is it possible to configure ASA to use ldaps?
ldap-defaults DC1.company.internal 626
does not work.
Joachim
11-02-2025 06:26 AM
@joachimj the CRL check would not send the username/password to the LDAP server. The username/password credentials would be sent as part of AAA authentication. Have you configured the command "ldap-over-ssl enable" under the ldap protocol configuration?
aaa-server LDAP protocol <NAME>
ldap-over-ssl enable
11-02-2025 10:48 AM
In a network trace I see the bind request for CRL retrieval in cleartext.
For VPN User Login, LDAPS is used.
Configuration:
aaa-server abc-intern protocol ldap
reactivation-mode depletion deadtime 1
max-failed-attempts 5
aaa-server abc-intern (xxxnet) host 10.xxx.yyy.50
timeout 5
server-port 636
ldap-base-dn DC=xyz,DC=intern
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn myusr_asa
ldap-over-ssl enable
ldap-attribute-map VPNMap
aaa-server abc-intern (xxxnet) host 10.xxx.yyy.51
timeout 5
server-port 636
ldap-base-dn DC=xyz,DC=intern
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn myusr_asa
ldap-over-ssl enable
ldap-attribute-map VPNMap
11-03-2025 03:47 AM
If the server supports LDAPS for the certificates check it should work. I see on the config snippet you provided you put port 626 instead of 636. Would that be the issue?
11-04-2025 09:16 AM
@Aref Alsouqi this was just a typo in my post.
ldap-defaults DC1.company.internal 636
Does not work. In the network trace I see that the ASA opens the connection to port 636 but uses protocol LDAP (not LDAPS).
The ASA sends a bind request with cleartext username and password to the LDAP server. The LDAP server closes the connection because it expects LDAPS.
I don't find any place in the ASA config where I can define that LDAPS should be used for the CRL download.
Joachim
11-04-2025 09:35 AM
I see, then probably it's not supported. I've just taken a look at this link and it states the ASA can retrieve CRLs over HTTP, SCEP, or LDAP. It doesn't mention anything specifically for LDAPS.
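To reason about what a client does with a CDP URI of the shape shown at the top of the thread, here is an added illustration (not code from the thread, from Cisco, or from the ASA): it parses the RFC 4516 LDAP URL from the certificate, applies an ldap-defaults style fallback host/port for the hostless `ldap:///` form, and flags the exact failure described above, a plaintext LDAP bind aimed at the LDAPS port 636. The sample URI, the default host and the port are constructed placeholders.

```python
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Constructed sample, shaped like the CDP URI in the post (placeholder values).
SAMPLE_CDP = ("ldap:///CN=xyz.-abc-CA2(4),CN=ABC-CA,CN=CDP,CN=Public%20Key%20Services,"
              "CN=Services,CN=Configuration,DC=xyz,DC=intern?certificateRevocationList")


@dataclass
class CrlTarget:
    host: str
    port: int
    tls: bool          # whether the connection would be wrapped in TLS
    dn: str
    attributes: tuple
    scope: str
    filter: str


def parse_ldap_cdp(uri, default_host, default_port=389, default_tls=False):
    """Parse an RFC 4516 LDAP URL taken from a CRL Distribution Point extension.

    A hostless URL (ldap:///...) names no server, so the client falls back to a
    configured default (the role of 'ldap-defaults' on ASA); default_tls states
    whether that fallback connection is TLS-wrapped (hypothetical knob here).
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: " + uri)
    # The query part is '?'-separated: attributes?scope?filter?extensions
    fields = parts.query.split("?") + ["", "", ""]
    attrs = tuple(a for a in unquote(fields[0]).split(",") if a)
    scope = unquote(fields[1]) or "base"            # RFC 4516 default scope
    filt = unquote(fields[2]) or "(objectClass=*)"  # RFC 4516 default filter
    dn = unquote(parts.path.lstrip("/"))            # decodes %20 in the DN
    if parts.hostname:
        tls = parts.scheme == "ldaps"
        port = parts.port or (636 if tls else 389)
        return CrlTarget(parts.hostname, port, tls, dn, attrs, scope, filt)
    return CrlTarget(default_host, default_port, default_tls, dn, attrs, scope, filt)


def plaintext_bind_to_ldaps_port(target):
    """True when a plain LDAP bind would be sent to the LDAPS port (636): the server
    expects a TLS handshake, so the bind (credentials included) goes out in
    cleartext and the server drops the connection, as seen in the trace above."""
    return target.port == 636 and not target.tls
```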