FMC External Authentication using LDAPs

mumbles202 (Level 5)

I've set up the FMC (6.5.0.4) to use LDAP and that is working, but when I try to get LDAPS set up for authentication to the FMC itself it fails. In the section where you choose the certificate I'm able to import the root CA, but when I go to test I get a warning that no certificate was selected. Also, I should be using the hostnames of the domain controllers if I'm doing SSL or TLS, correct? And will the root CA be sufficient, or do I need to import a certificate from both the primary and backup domain controllers so either can be used?


10 Replies

I am also using 6.5.0.4 and it works for me.

(screenshot: ldap.PNG)

Provide a screenshot of the error you receive.

If you are using a certificate to authenticate, the name of the server in the certificate must match the server Hostname / IP Address. For example, if you use 10.10.10.250 as the IP address but servername.domain.com in the certificate, the connection fails.

Ensure you specify TLS, not SSL.

Uploading the root certificate should be sufficient.

HTH

Thanks. Yes, LDAP using 389 works. It's when I change it to SSL and upload the root CA that it fails to save. I can try changing the hostname to the FQDN and using TLS instead. The root CA has a different name since the CA isn't on the domain controller. Would that cause any issues?

The hostname/FQDN you use has to match the common name as defined in the certificate that is installed on the domain controller(s).

So TLS works without any issues. It's just SSL over 636 that I can't get going.

Why must you use SSL and not TLS? SSL is deprecated.

When I test using SSL on port 636, I successfully connect. A packet capture confirms that the connection was actually established using TLS, even though SSL was specified.

If you use TLS on port 389 then you are using StartTLS. Run a packet capture and you will see the initial connection on LDAP, followed by a TLS handshake, and the subsequent data transfer is encrypted. Or you can run LDAPS on port 636; both StartTLS and LDAPS are secure and encrypt the communication.

Thanks. I set it up using TLS and 389 and confirmed it working, so I will leave it as is. I appreciate the assistance.

So this was working fine but stopped working as of this morning. It was confirmed that it worked Friday, but when trying to log in this morning LDAP users are failing to log in. No changes were made to either the DC or the FMC over the weekend.

chong00011 (Level 1)

I don't know if you solved this or not, but I had the same issue with external auth using LDAPS with a certificate. The issue is the cert: it needs to be a PEM file, your server cert and sub CA or root CA. Export the cert on the server as Base-64, open them, copy the content in there to a file and save it as PEM.
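The PEM advice above, as an added example that is not Cisco's code or the poster's: it takes certificates exported from a Windows CA or domain controller in either DER binary or Base-64 form, normalises them to PEM (one block per certificate, CRLF line endings removed), and concatenates server, issuing-CA and root certificates into a single bundle. The file names and the sample bytes are constructed for illustration and are assumptions, not values from the thread.

```python
"""Normalise exported X.509 certificates to PEM and build a chain bundle.
Added example; not Cisco's or the thread's code. Sample inputs are constructed."""
import re
import ssl
from pathlib import Path

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
# Non-greedy match of one PEM certificate block, across line breaks.
PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def detect_format(blob: bytes) -> str:
    """Classify an exported certificate file: 'PEM', 'DER' or 'unknown'.
    DER-encoded certificates start with an ASN.1 SEQUENCE tag (0x30);
    PKCS#7 (.p7b) exports also start with 0x30 but carry no bare certificate,
    so they are rejected later when the PEM round-trip fails."""
    if PEM_HEADER in blob:
        return "PEM"
    if blob[:1] == b"\x30":
        return "DER"
    return "unknown"


def to_pem(blob: bytes) -> list[str]:
    """Return every certificate found in `blob` as a canonical PEM string."""
    fmt = detect_format(blob)
    if fmt == "PEM":
        pems = []
        for match in PEM_BLOCK.finditer(blob):
            text = match.group(0).decode("ascii").replace("\r\n", "\n")
            # Round-trip through DER so wrapping and whitespace come out uniform.
            der = ssl.PEM_cert_to_DER_cert(text)
            pems.append(ssl.DER_cert_to_PEM_cert(der))
        return pems
    if fmt == "DER":
        return [ssl.DER_cert_to_PEM_cert(blob)]
    raise ValueError("not a PEM or DER certificate export")


def build_bundle(*blobs: bytes) -> str:
    """Concatenate certificates in chain order: server first, then issuing
    CA(s), then the root. Each argument is the raw content of one export."""
    return "".join(pem for blob in blobs for pem in to_pem(blob))


def bundle_files(out_path: str, *paths: str) -> int:
    """Read the exports at `paths` (assumed file names), write one PEM bundle,
    and return the number of certificates written."""
    bundle = build_bundle(*(Path(p).read_bytes() for p in paths))
    Path(out_path).write_text(bundle)
    return bundle.count("-----BEGIN CERTIFICATE-----")


if __name__ == "__main__":
    # Assumed file names: the DC's server certificate, the issuing sub-CA and the root.
    n = bundle_files("ldaps-chain.pem", "dc1.cer", "subca.cer", "rootca.cer")
    print(f"wrote {n} certificates to ldaps-chain.pem")
```

The round trip through `ssl.PEM_cert_to_DER_cert` also acts as a sanity check: a file that is really a PKCS#7 bundle or a private-key export does not decode as a single certificate and raises instead of silently producing a file the FMC rejects.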

Knassi (Level 1)

I wanted to follow up on this. Someone mentioned that the certificate must match the IP or name of the DC server. How does one verify that? I am having issues connecting and I think the certificate I am using is wrong. How do I verify that?

The certificate must match the FQDN of the domain controller, not the IP address.
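To answer the "how does one verify that" question, and to show the StartTLS-on-389 versus LDAPS-on-636 distinction described earlier in the thread, here is an added example that is not Cisco's or the thread's code. It connects to a domain controller either directly with TLS (LDAPS, 636) or by sending the LDAP StartTLS extended operation first (389), verifies the chain against the uploaded root CA and the hostname, and reports the names the certificate is actually valid for. `name_matches()` works on the dictionary layout that `ssl.SSLSocket.getpeercert()` returns, so the matching rule can be exercised offline; the hostnames, ports and CA file path in `main` are assumptions.

```python
"""Probe a domain controller's LDAP certificate over LDAPS or StartTLS and
check it against the FQDN the FMC would be configured with.
Added example; not Cisco's or the thread's code."""
import socket
import ssl
import sys

# LDAP StartTLS ExtendedRequest (RFC 4511 section 4.14), BER-encoded by hand:
# LDAPMessage SEQUENCE { messageID INTEGER 1,
#                        [APPLICATION 23] ExtendedRequest { [0] requestName OID } }
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
STARTTLS_REQUEST = (
    b"\x30\x1d"             # SEQUENCE, 29 bytes follow
    b"\x02\x01\x01"         # messageID = 1
    b"\x77\x18"             # ExtendedRequest, 24 bytes follow
    b"\x80\x16" + STARTTLS_OID  # requestName, 22 bytes
)


def starttls_accepted(response: bytes) -> bool:
    """Minimal check of the ExtendedResponse: tag 0x78 and resultCode 0 (success).
    Assumes the one-byte messageID used in the request above."""
    return len(response) >= 10 and response[5] == 0x78 and response[9] == 0


def cert_names(cert: dict) -> tuple[set[str], set[str]]:
    """DNS names and IP addresses the certificate is valid for (getpeercert() layout).
    Falls back to the subject CN only when there is no subjectAltName at all."""
    dns, ips = set(), set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.add(value.lower())
        elif kind == "IP Address":
            ips.add(value)
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.add(value.lower())
    return dns, ips


def name_matches(cert: dict, configured: str) -> bool:
    """True if the hostname or IP typed into the FMC would match this certificate.
    An IP address matches only an explicit IP SAN entry, which is why 10.10.10.250
    fails against a certificate issued to servername.domain.com."""
    dns, ips = cert_names(cert)
    host = configured.lower()
    if host in ips or host in dns:
        return True
    # single-label wildcard: *.example.com matches dc1.example.com, not a.b.example.com
    parent = host.split(".", 1)[1] if "." in host else ""
    return parent != "" and f"*.{parent}" in dns


def fetch_peer_cert(fqdn: str, port: int, cafile: str, starttls: bool, timeout: float = 5.0) -> dict:
    """Connect, upgrade to TLS (StartTLS if requested), verify chain and hostname
    against `cafile`, and return the parsed peer certificate."""
    ctx = ssl.create_default_context(cafile=cafile)  # check_hostname is on by default
    with socket.create_connection((fqdn, port), timeout=timeout) as raw:
        if starttls:
            raw.sendall(STARTTLS_REQUEST)
            resp = raw.recv(256)
            if not starttls_accepted(resp):
                raise RuntimeError(f"server refused StartTLS: {resp.hex()}")
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Assumed usage: probe.py dc1.example.com 636 rootca.pem  (389 selects StartTLS)
    host, port, cafile = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    try:
        cert = fetch_peer_cert(host, port, cafile, starttls=(port == 389))
    except ssl.SSLCertVerificationError as exc:
        print(f"verification failed for {host}:{port}: {exc.verify_message}")
        sys.exit(1)
    dns, ips = cert_names(cert)
    print(f"certificate valid for DNS={sorted(dns)} IP={sorted(ips)}")
    print(f"'{host}' matches: {name_matches(cert, host)}")
```

Running it against port 636 and then 389 shows the same certificate either way; what differs is only whether the TLS handshake happens immediately or after the StartTLS exchange, which is the point the packet-capture answer made. If verification fails, the `verify_message` tells you whether the problem is the chain (wrong or missing root CA upload) or the name (IP or short hostname configured instead of the FQDN in the certificate).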

