ASA AnyConnect ldap authentication works but ldaps does not

RANT
Level 1

So I created a copy of my primary firewall HA pair which is the main AnyConnect hub. This primary pair uses ldaps to communicate with my domain controllers.

The "copies" are unable to communicate using ldaps, but work fine using ldap. Is this a Cisco config or is it something on the DCs? Here is the failure log:
[-2147483644] Session Start
[-2147483644] New request Session, context 0x00007fa080ee4b38, reqType = Authentication
[-2147483644] Fiber started
[-2147483644] Creating LDAP context with uri=ldaps://192.168.x.x:636
[-2147483644] Connect to LDAP server: ldaps://192.168.x.x:636, status = Failed
[-2147483644] Unable to read rootDSE. Can't contact LDAP server.
[-2147483644] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[-2147483644] Session End

Here is the pass using ldap:
[-2147483643] Session Start
[-2147483643] New request Session, context 0x00007fa080ee4b38, reqType = Authentication
[-2147483643] Fiber started
[-2147483643] Creating LDAP context with uri=ldap://192.168.x.x:389
[-2147483643] Connect to LDAP server: ldap://192.168.x.x:389, status = Successful
[-2147483643] defaultNamingContext: value = DC=iamawesome,DC=com
[-2147483643] supportedLDAPVersion: value = 3
[-2147483643] supportedLDAPVersion: value = 2
[-2147483643] supportedSASLMechanisms: value = GSSAPI
[-2147483643] supportedSASLMechanisms: value = GSS-SPNEGO
[-2147483643] supportedSASLMechanisms: value = EXTERNAL
[-2147483643] supportedSASLMechanisms: value = DIGEST-MD5
[-2147483643] Binding as asaadmin
[-2147483643] Performing Simple authentication for asaadmin to 192.168.x.x

6 Replies

@RANT does the ASA trust the certificate in use by the LDAPS server?

Run "debug crypto ca" and "debug ldap 255", test ldaps connectivity and provide the output.

RA-CORP-DC-ACVPN-FW01/sec/act# debug crypto ca
RA-CORP-DC-ACVPN-FW01/sec/act# debug ldap 255
debug ldap enabled at level 255
RA-CORP-DC-ACVPN-FW01/sec/act#
[-2147483642] Session Start
[-2147483642] New request Session, context 0x00007fa080ee4b38, reqType = Authentication
[-2147483642] Fiber started
[-2147483642] Creating LDAP context with uri=ldaps://192.168.x.x:636

SSL verify callback: Key exchange algorithm extracted from SSL Cipher
[-2147483642] Connect to LDAP server: ldaps://192.168.x.x:636, status = Failed
[-2147483642] Unable to read rootDSE. Can't contact LDAP server.
[-2147483642] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[-2147483642] Session End

Ok, so what I've found is the working firewall is running version 9.12(4)48. The firewall that fails is running version 9.16(2)14. So there must be something different in the new version.

Can you please raise the "debug crypto ca" level to 127 and see if it gives more details? Also, could you please share your sanitized LDAPS aaa server profile configs for review?

CONFIG

aaa-server helpdesk-aaa (Inside) host 192.168.75.92
server-port 636
ldap-base-dn dc=XXXYYY, dc=com
ldap-group-base-dn cn=Users Distribution Group,dc=Centralized Telerad,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=asaadmin, cn=users, dc=XXXYYY, dc=com
ldap-over-ssl enable
server-type microsoft

DEBUG OUTPUT

SSL verify callback: Key exchange algorithm extracted from SSL Cipher
PKI[13]: CERT_Open, vpn3k_cert_api.c:197
PKI[8]: PKI session 0x03a3c8db open Successful with type AAA Server
PKI[13]: CERT_SetKeyExchangeAlg, vpn3k_cert_api.c:1193
PKI[13]: CERT_Authenticate, vpn3k_cert_api.c:863
PKI[8]: Authenticate session 0x03a3c8db, non-blocking cb=0x0000563c8d6276b0
PKI[13]: CERT_API_req_enqueue, vpn3k_cert_api.c:2913
PKI[9]: CERT API thread wakes up!
PKI[12]: CERT_API_Q_Process, vpn3k_cert_api.c:2811
PKI[12]: CERT_API_process_req_msg, vpn3k_cert_api.c:2746
PKI[8]: process msg cmd=0, session=0x03a3c8db
PKI[9]: Async locked for session 0x03a3c8db
PKI[12]: pki_ossl_verify_chain_of_certs, pki_ossl_validate.c:1133
PKI[7]: Begin cert chain validation for session 0x03a3c8db
PKI[12]: pki_ossl_find_valid_chain, pki_ossl_validate.c:553
PKI[8]: Begin sorted cert chain
PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:119
PKI[8]: ---------Certificate--------:
Serial Number:
6e:00:00:00:4d:2f:be:d7:cf:8b:d2:92:f2:00:00:00:00:00:4d
Issuer: DC=com, DC=XXXYYY, CN=XXXYYY
Subject: CN=DC1.XXXYYY.com

PKI[8]: End sorted cert chain
PKI[13]: pki_ossl_get_store, pki_ossl_certstore.c:61
PKI[12]: pki_ossl_rebuild_ca_store, pki_ossl_certstore.c:194
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:42
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:42
PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:119
PKI[7]: Cert to verify
PKI[7]: ---------Certificate--------:
Serial Number:
6e:00:00:00:4d:2f:be:d7:cf:8b:d2:92:f2:00:00:00:00:00:4d
Issuer: DC=com, DC=XXXYYY, CN=Radiology Associates Internal
Subject: CN=DC1.XXXYYY.com

PKI[12]: pki_verify_cb, pki_ossl_validate.c:416
PKI[6]: val status=0: cert subject: /CN=DC1.XXXYYY.com. ctx->error: (66)EE certificate key too weak, cert_idx: 0
PKI[14]: is_crl_error, pki_ossl_validate.c:336
PKI[4]: chain validation failed due to weak crypto characteristics.
Use "crypto ca permit-weak-crypto" to override
PKI[4]: Certificate verification error: EE certificate key too weak
PKI[14]: map_ossl_error, pki_ossl_validate.c:62
PKI[4]: Unable to find trusted certificate chain
PKI[12]: pki_ossl_do_callback, pki_ossl_validate.c:164
PKI[13]: CERT_Close, vpn3k_cert_api.c:291
PKI[8]: Close session 0x03a3c8db asynchronously
PKI[13]: CERT_API_req_enqueue, vpn3k_cert_api.c:2913
PKI[9]: Async unlocked for session 0x03a3c8db
PKI[12]: CERT_API_Q_Process, vpn3k_cert_api.c:2811
PKI[12]: CERT_API_process_req_msg, vpn3k_cert_api.c:2746
PKI[8]: process msg cmd=1, session=0x03a3c8db
PKI[9]: Async locked for session 0x03a3c8db
PKI[9]: Async unlocked for session 0x03a3c8db
PKI[13]: pki_ossl_free_valctx, pki_ossl_validate.c:251
PKI[9]: CERT API thread sleeps!

@RANT, from your output:

PKI[4]: chain validation failed due to weak crypto characteristics.
Use "crypto ca permit-weak-crypto" to override

Enter that command above to see if it resolves the issue, then investigate the weak crypto issue.

As you are using a newer ASA version, older/weaker crypto has been deprecated, hence the recommendation to enable weaker crypto.
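A small triage helper for the two debug captures in this thread, added here as an example and not code from the thread or from Cisco: it pulls the LDAPS connect status, the leaf certificate's subject and issuer, the OpenSSL verify error code and the override hint out of the "debug ldap 255" / "debug crypto ca" output and turns them into a defender-side next step. The error-code names are OpenSSL's own (x509_vfy.h values); the sample input is constructed from the lines quoted above.

```python
import re

# OpenSSL X509 verify error codes that "debug crypto ca" prints as "ctx->error: (NN)" (x509_vfy.h values).
OSSL_VERIFY_ERRORS = {
    65: "X509_V_ERR_CA_KEY_TOO_SMALL: a CA certificate in the chain has a key that is too small",
    66: "X509_V_ERR_EE_KEY_TOO_SMALL: the LDAPS server's own (leaf) certificate key is too small",
    67: "X509_V_ERR_CA_MD_TOO_WEAK: a CA certificate is signed with a weak digest (e.g. SHA-1)",
}

CONNECT_RE = re.compile(r"Connect to LDAP server: (\S+), status = (\w+)")
VERIFY_RE = re.compile(r"cert subject: (\S+?)\. ctx->error: \((\d+)\)([^,]*), cert_idx")
SUBJECT_RE = re.compile(r"^Subject: (.+)$")
ISSUER_RE = re.compile(r"^Issuer: (.+)$")
OVERRIDE_RE = re.compile(r'Use "([^"]+)" to override')

def triage_ldaps_debug(debug_text):
    """Reduce a combined 'debug ldap 255' + 'debug crypto ca 127' capture to the facts that matter."""
    r = dict.fromkeys(["server", "connected", "subject", "issuer", "verify_error", "verify_reason", "override_hint"])
    for line in (raw.strip() for raw in debug_text.splitlines()):
        if m := CONNECT_RE.search(line):
            r["server"], r["connected"] = m.group(1), m.group(2) == "Successful"
        elif m := SUBJECT_RE.match(line):
            r["subject"] = m.group(1)
        elif m := ISSUER_RE.match(line):
            r["issuer"] = m.group(1)
        elif m := VERIFY_RE.search(line):
            r["verify_error"] = code = int(m.group(2))
            r["verify_reason"] = OSSL_VERIFY_ERRORS.get(code, m.group(3).strip())
        elif m := OVERRIDE_RE.search(line):
            r["override_hint"] = m.group(1)  # e.g. crypto ca permit-weak-crypto
    return r

def recommendation(r):
    """Defender-side next step: fix the certificate, use the override only as a bridge."""
    if r["connected"]:
        return "LDAPS connection succeeded; no certificate action needed."
    if r["verify_error"] in OSSL_VERIFY_ERRORS:
        return (f"Re-issue {r['subject']} (issued by {r['issuer']}) with a 2048-bit or larger key "
                f"and a SHA-2 signature; treat '{r['override_hint']}' as a temporary bridge only.")
    return "Connection failed for a reason other than weak crypto; check that the ASA trusts the issuing CA."

# Constructed sample modelled on the thread's debug output (not a real capture).
SAMPLE_FAIL = """\
Issuer: DC=com, DC=XXXYYY, CN=XXXYYY
Subject: CN=DC1.XXXYYY.com
PKI[6]: val status=0: cert subject: /CN=DC1.XXXYYY.com. ctx->error: (66)EE certificate key too weak, cert_idx: 0
Use "crypto ca permit-weak-crypto" to override
[-2147483642] Connect to LDAP server: ldaps://192.168.x.x:636, status = Failed
"""
```

Paste a real capture into `triage_ldaps_debug()` to get the same summary; the override command alone restores the bind but leaves the weak key on the domain controller's certificate in place.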