Secure LDAP Authentication for Active Directory Authentication - Remote Access VPN

latenaite2011
Level 4

Does anyone know the correct syntax for enabling ldap-over-ssl for Active Directory (AD) authentication for remote access VPN on Cisco ASA?

I tried the following and it didn't work:

aaa-server LDAP (inside) host x.x.x.x
ldap-over-ssl enable
server-port 636


Hi,

Those commands you have are a start; this link might be of some help with the other commands. You will need to ensure that the ASA has a trustpoint defined with the Root Certificate used by the AD domain controller to ensure trust.

HTH

Hi RJI,

Thank you for your post.

When it says this:

Install Necessary 3rd Party Vendor Certificates

If the internal network behind your ASA is using a different domain than your external network, be sure that you have the proper CA Certificates installed.

What does it mean by using a different domain than the external one? It is just for one customer's domain that we have.

And what do you mean by this:

Root Certificate used by the AD domain controller to ensure trust.

Is that the step required as mentioned above under the section "Install Necessary 3rd Party Vendor Certificates"?

Thank you!

On the external network of the ASA most people use a certificate signed by a public CA (GoDaddy, Comodo etc.). This would be the certificate used for the SSL-VPN, either clientless or AnyConnect client.

You want to configure LDAPS between the ASA and AD, then typically you would use your internal CA (not a certificate signed by an external CA such as GoDaddy). In which case the ASA would need a trustpoint created to ensure that it has the internal CA root certificate; this internal CA would be the same CA that issued the certificate used by the AD Domain Controller, therefore establishing trust between the ASA and AD.
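As an added example that is not part of the original thread, the configuration below ties the replies together: an ASA trustpoint holding the internal CA root, the aaa-server group from the question with LDAPS enabled, and a test call to confirm the TLS trust works before any tunnel-group depends on it. The tag LDAP, interface (inside) and host x.x.x.x come from the question; the trustpoint name, base DN, bind account and tunnel-group name are placeholders to replace.

```text
! 1. Trustpoint for the internal CA that issued the domain controller's certificate.
!    "enrollment terminal" lets you paste the root CA certificate in PEM form;
!    no identity certificate is enrolled, the ASA only needs to trust the root.
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
 crl configure
crypto ca authenticate INTERNAL-CA
! (paste the internal root CA certificate in PEM format at the prompt, then type "quit")

! 2. LDAP server group. The protocol line is required before the host line;
!    without it the host-level commands in the question are rejected.
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host x.x.x.x
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
! Use a dedicated, read-only bind account; the ASA needs no more than search rights.
 ldap-login-dn CN=asa-ldap-bind,OU=Service Accounts,DC=example,DC=local
 ldap-login-password <placeholder-bind-password>

! 3. Verify the TLS handshake and bind before attaching the group to a tunnel-group.
!    A certificate-trust failure shows up here rather than as a vague VPN login error.
!    test aaa-server authentication LDAP host x.x.x.x username <test-user> password <test-password>
!    debug ldap 255   (shows the TLS/LDAP exchange while the test runs)

! 4. Only then point the remote access tunnel-group at the group.
tunnel-group RA-VPN general-attributes
 authentication-server-group LDAP
```

If the server certificate's subject or SAN does not match the name or address the ASA connects to, or the chain does not terminate at INTERNAL-CA, the test fails even though port 636 is reachable; fixing the trustpoint or the DC certificate is the remedy, not disabling the certificate check.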