LDAP does not work on Cisco ASA

Robo.Srobo
Level 1

Hi everyone.

 

After upgrading the Cisco ASA version and the ASDM version too, our login via LDAP does not work. Local logins still work. We have two Cisco ASAs in a failover state. I reloaded both ASAs, restored the old config, and checked the configuration of the AAA server groups. The command "debug ldap 255" showed failed communication with the AD server on LDAPS port 636, but when I tried a TCP connection to the IP address of the AD server on port 636 via the Ping tool from the ASA, everything was fine. Does anybody know where the problem is, please?

Before the upgrade, LDAP did work.

 

Thanks

Accepted Solution

Yes, it seems your issue is hitting the bug below, as you are using LDAP over SSL (ldap-over-ssl enable).

 

Check whether your new ASA version matches this bug.

 

If it does, you need to revert back or choose another version that fixed this issue.

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus71190

 

Thanks,

Jitendra

9 Replies

Jitendra Kumar
Spotlight

Can you please share the LDAP config here?

 

Are you trying to authenticate LDAP with TLS?

 

Also share the old and new versions on the ASA.

 

I am also not sure if the issue matches the bug below.

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus71190

 

Thanks,

Jitendra

ldap attribute-map Group-Check-ASA
 map-name memberOf IETF-Radius-Service-Type
 map-value memberOf "CN=CiscoASA Admins,OU=Users,OU=FNTN,DC=fntn,DC=sk" 6
aaa-server LDAP_ASA protocol ldap
aaa-server LDAP_ASA (inside) host 172.30.60.200
 server-port 636
 ldap-base-dn DC=fntn,DC=sk
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password ***
 ldap-login-dn CN=***,OU=Users,OU=FNTN,DC=fntn,DC=sk
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map Group-Check-ASA
aaa-server LDAP_ASA (inside) host 172.30.60.201
 timeout 20
 server-port 636
 ldap-base-dn DC=fntn,DC=sk
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password ***
 ldap-login-dn CN=***,OU=Users,OU=FNTN,DC=fntn,DC=sk
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map Group-Check-ASA

user-identity default-domain LOCAL
aaa authentication http console LDAP_ASA LOCAL
aaa authentication ssh console LDAP_ASA LOCAL
aaa local authentication attempts max-fail 5
aaa authorization exec authentication-server auto-enable
aaa authentication login-history

 

What ASA version were you on prior to the upgrade? What version are you running now?

 

Seems like you are hitting a bug, CSCus71190.

Please do not forget to rate.

 

old version of ASA: 9-12-4-18 

new version of ASA: 9-14-4-7

 

also old version of ASDM: 7-15(1)150

new ASDM: 7-17(1)152

I do not think you are hitting this bug, CSCus71190, as you already marked it answered. As the Cisco bug tool clearly mentions, this is fixed in version 9.5.1. In your case you were on 9.12 and it was working, and you went to 9.14 and it stopped working. The Cisco release notes for 9.14 do not mention whether this bug has returned.

Please do not forget to rate.

So I will check whether the AD servers use TLS 1.2.
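A port ping only proves that TCP 636 answers; it says nothing about whether a TLS version the ASA offers is one the domain controller accepts. The following added diagnostic (not from this thread and not Cisco code) attempts one LDAPS handshake per TLS version from any host that can reach the DC and reports which versions the server accepts, so a version mismatch can be separated from a reachability problem before reverting the ASA. It assumes python3 with the standard ssl module and takes the DC address as its argument.

```python
import socket
import ssl

# Protocol versions to try, one pinned handshake each, oldest first
# (constructed list; which of these the ASA offers depends on its release).
CANDIDATES = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]


def probe_tls_version(host, port, version, timeout=5.0):
    """Attempt one TLS handshake pinned to exactly `version`.

    Status: "accepted" (with negotiated cipher), "rejected" (TCP connects but
    the server refuses that version), "unreachable" (no TCP connection at all,
    the only thing a port ping proves) or "unsupported_locally" (local OpenSSL
    cannot offer that version, so the probe cannot be made from this host).
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # negotiation test only, not a trust test
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError as exc:
        return {"status": "unsupported_locally", "detail": str(exc)}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"status": "unreachable", "detail": str(exc)}
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"status": "accepted", "cipher": tls.cipher()[0]}
    except OSError as exc:  # ssl.SSLError, reset or EOF during the handshake
        return {"status": "rejected", "detail": getattr(exc, "reason", None) or str(exc)}
    finally:
        raw.close()


def probe_ldaps(host, port=636, timeout=5.0):
    """Probe every candidate version against one LDAPS endpoint."""
    return {name: probe_tls_version(host, port, ver, timeout)
            for name, ver in CANDIDATES}


if __name__ == "__main__":
    import sys
    for name, res in probe_ldaps(sys.argv[1]).items():
        print(name, res["status"], res.get("cipher") or res.get("detail", ""))
```

If every version the ASA release supports comes back "rejected" while "unreachable" never appears, the DC's TLS policy rather than the network path is what "debug ldap 255" is reporting.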


Thank you. This is the correct answer.

Just SSL.
