cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2124
Views
12
Helpful
19
Replies

Cisco WSA LDAPS intégration issue

ezzaariyouness
Level 1
Level 1

Hello everyone,

I'm trying to configure ldaps authentication On Cisco WSA, but I'm getting the issue attach

can you help me solve this issue. 

1 Accepted Solution

Accepted Solutions

ezzaariyouness
Level 1
Level 1

Hello,

this issue was related to this bug :  https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwj13235  

the workaround was to create a static route in Management for accessing AD and pointing to Data's Gateway .

Finally, I was able to integrate the WSA with LDAP Servers .

 

View solution in original post

19 Replies 19

Konstantinos9
Cisco Employee
Cisco Employee

Hello ezzaariyouness,

I can see you chose LDAPS, and it appears that the connections is failing due to a TLS handshake. ("Invalid/Expired" Certificate)

You may need to verify connectivity between your LDAP servers and the WSA and ensure that all certificates are valid for LDAPS.

Hope this helps.

Kind regards,

Konstantinos

 

 

 

 

 

 

 

 

 

 

 

 

 

Thank You for your reply. 

How can I check certificate for LDAPS ? I have the Root certificate from Ca Imported to WSA.

Is there any configuration related to the Certificate I have to do.

No, you shouldn't have to do any config on the DC except getting a cert on it.

1st check the domain controller. Login, start/run, enter certlm.msc

Under Personal/Certificates you should see a cert there. Typically (assuming youre using ADCS) it's issued to the machine name of the DC and once AD services sees a cert with the correct usages, it will pick it up and start serving LDAPS.



The system administrator told me the certificate is already on the LDAP Server.

You can check the cert using openssl

This should show the certs and root its using:
openssl.exe s_client -showcerts -connect :636

There's also this article from Cisco:
https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118761-technote-firesight-00.html

You should get a connection, if you don't, the system admin needs to do some work.





________________________________

This email is intended solely for the use of the individual to whom it is addressed and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If the reader of this email is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited.
If you have received this communication in error, please immediately notify us by telephone and return the original message to us at the listed email address.
Thank You.

I try this command openssl s_client -showcerts -connect :636 on the wsa and here the output 

 

I also attached the packet capture for the communication between the WSA and the LDAP.

the dest is missing in your command, try:

openssl s_client -showcerts -connect 10.147.32.52:636

yes I tired and got this 

 

this means connection timeout, a TCP session cannot be established. First check routing (also if you're using the right WSA interface (Mgmt/Data)) and then the firewall - if you see any block/drop and something in the log

I'm able to ping the LDAP server and there is no FW in path, the WSA and the LDAP in the same subnet.

Attached the capture file for this communication.

the openssl command shows timeout, the tcpdump shows that the connection established. Do you have several interfaces?
Have you uploaded the CA cert of the LDAP machine on WSA?

Yes, I have several interfaces as below : 

As you can see, I can ping the LDAP server.

but the LDAP host 10.147.32.52 is not in the network 10.147.32.5/27 (10.147.32.1-10.147.32.30)

try other interfaces or capture the traffic during you do openssl command or/and UI test, then check with Wireshark 

 

You can also just download openssl for whichever OS you're running and check your DC from there. 

Here's where you can find the latest builds: https://wiki.openssl.org/index.php/Binaries