LDAP bind error when adding realm to ftd 2020

Jaampe
Level 1

Hi all, hoping you can help:

FMC 6.5

Trying to configure FTDs2020 to add a realm, but rather than use AD we're trying to use LDAP; however, it won't work regardless of what we do. The same configuration, when adding the realm as AD, works no problem.

When we add the LDAP server directory the test fails with "Management Center-server connection failed. Check your directory hostname/IP address, username, and password."

If we go into the user download tab we can see all the groups pulled from LDAP but it fails when we try to download them so it is polling the AD server fine.

We've tried multiple variations of the username such as:

domain\username

username@domain

uid=username,dc..etc etc

None of these allow it to work.

LDAP binding works from a pc/server with the credentials so it's definitely something with the FMC...

3 Replies

Hi,

I don't think it is possible.

If you have the realm Type configured incorrectly, users and groups cannot be downloaded because of a mismatch between the attribute the Firepower system expects and what the repository provides. For example, if you configure Type as LDAP for a Microsoft Active Directory realm, the Firepower system expects the uid attribute, which is set to none on Active Directory. (Active Directory repositories use sAMAccountName for the user ID.)

Solution: Set the realm Type field appropriately: AD for Microsoft Active Directory or LDAP for another supported LDAP repository.

What is the specific reason why you want to define the AD realm as LDAP?
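A quick way to confirm the attribute mismatch described above before picking a realm Type: parse the LDIF that ldapsearch prints for a user entry and see whether it carries sAMAccountName (AD) or uid (other LDAP). This is an added example, not Cisco's or the forum's code; the two LDIF entries are constructed, not captured from a real directory.

```python
"""Decide which FMC realm Type matches a directory, from ldapsearch LDIF output.
Added example, not Cisco code; EXPECTED_UID_ATTR follows the FMC documentation
quoted in the thread (AD -> sAMAccountName, LDAP -> uid)."""

EXPECTED_UID_ATTR = {"AD": "sAMAccountName", "LDAP": "uid"}


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attribute: [values]} dicts.
    Handles folded continuation lines (leading space), '#' comments and
    blank-line entry separators; base64 (':: ') values are not decoded."""
    entries, current, pending = [], {}, None

    def commit_pending():
        nonlocal pending
        if pending is not None and not pending.startswith("#"):
            attr, _, value = pending.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
        pending = None

    for raw in text.splitlines():
        if raw.startswith(" "):            # folded line continues the previous one
            pending = (pending or "") + raw[1:]
            continue
        commit_pending()
        if raw.strip() == "":              # blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
        else:
            pending = raw
    commit_pending()
    if current:
        entries.append(current)
    return entries


def realm_type_for(entry):
    """Return the realm Type whose expected user-ID attribute the entry
    carries with a non-empty value, or None if neither attribute is present
    (the situation that makes user/group download fail)."""
    for realm_type, attr in EXPECTED_UID_ATTR.items():
        if any(v for v in entry.get(attr, [])):
            return realm_type
    return None


# Constructed sample output, as ldapsearch would print it for one user each.
AD_LDIF = """\
# constructed: Active Directory user
dn: CN=Jane Doe,OU=Users,DC=example,DC=local
objectClass: user
sAMAccountName: jdoe
userPrincipalName: jdoe@example.local
memberOf: CN=RA VPN Users,OU=Groups,
 DC=example,DC=local
"""

OPENLDAP_LDIF = """\
# constructed: OpenLDAP inetOrgPerson user
dn: uid=jdoe,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
"""

if __name__ == "__main__":
    for name, ldif in (("AD", AD_LDIF), ("OpenLDAP", OPENLDAP_LDIF)):
        print(name, "-> configure realm Type:", realm_type_for(parse_ldif(ldif)[0]))
```

Run it against real `ldapsearch -LLL` output for the bind user to see which Type the directory actually supports; an entry that yields None will fail the FMC user download whichever Type is chosen.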

Thank you for the response.

I'm trying to work around the limitation of only being able to set up one realm for a single primary domain. We have a realm set up already with AD integration for our remote access VPN authentication, with a specific RA VPN AD group created for those who are allowed access. I want to create a realm for broader identity reasons across the network (policies based on user groups, etc.), so I need the realm set to the same domain as it is currently, but with all users and groups included rather than just the VPN one.

I'm guessing we're going to make the realm include the whole domain, and therefore allow anyone to authenticate to AnyConnect, but then restrict everyone outside the RA VPN AD group to have no access coming through the VPN via a policy.

@Jaampe wrote:

I'm guessing we're going to make the realm include the whole domain, and therefore allow anyone to authenticate to AnyConnect, but then restrict everyone outside the RA VPN AD group to have no access coming through the VPN via a policy.

Yes, that's what I would do.
