Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2122
Views
12
Helpful
19
Replies

Cisco WSA LDAPS intégration issue

Go to solution
ezzaariyouness
Level 1
Level 1

‎02-06-2024 03:27 AM - edited ‎02-09-2024 12:38 PM

Hello everyone,

I'm trying to configure ldaps authentication On Cisco WSA, but I'm getting the issue attach

can you help me solve this issue. 

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ezzaariyouness
Level 1
Level 1

‎07-18-2024 01:05 AM

Hello,

this issue was related to this bug :  https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwj13235  

the workaround was to create a static route in Management for accessing AD and pointing to Data's Gateway .

Finally, I was able to integrate the WSA with LDAP Servers .

 

View solution in original post

19 Replies 19

Go to solution
Konstantinos9
Cisco Employee
Cisco Employee

‎02-06-2024 05:51 AM

Hello ezzaariyouness,

I can see you chose LDAPS, and it appears that the connections is failing due to a TLS handshake. ("Invalid/Expired" Certificate)

You may need to verify connectivity between your LDAP servers and the WSA and ensure that all certificates are valid for LDAPS.

Hope this helps.

Kind regards,

Konstantinos

 

 

 

 

 

 

 

 

 

 

 

 

 

Go to solution
ezzaariyouness
Level 1
Level 1
In response to Konstantinos9

‎02-06-2024 06:00 AM

Thank You for your reply. 

How can I check certificate for LDAPS ? I have the Root certificate from Ca Imported to WSA.

Is there any configuration related to the Certificate I have to do.

Go to solution
Ken Stieers
VIP
VIP
In response to ezzaariyouness

‎02-06-2024 06:18 AM

No, you shouldn't have to do any config on the DC except getting a cert on it.

1st check the domain controller. Login, start/run, enter certlm.msc

Under Personal/Certificates you should see a cert there. Typically (assuming youre using ADCS) it's issued to the machine name of the DC and once AD services sees a cert with the correct usages, it will pick it up and start serving LDAPS.



Go to solution
ezzaariyouness
Level 1
Level 1
In response to Ken Stieers

‎02-06-2024 06:25 AM

The system administrator told me the certificate is already on the LDAP Server.

Go to solution
Ken Stieers
VIP
VIP
In response to ezzaariyouness

‎02-06-2024 06:58 AM

You can check the cert using openssl

This should show the certs and root its using:
openssl.exe s_client -showcerts -connect :636

There's also this article from Cisco:
https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118761-technote-firesight-00.html

You should get a connection, if you don't, the system admin needs to do some work.





________________________________

This email is intended solely for the use of the individual to whom it is addressed and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If the reader of this email is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited.
If you have received this communication in error, please immediately notify us by telephone and return the original message to us at the listed email address.
Thank You.

Go to solution
ezzaariyouness
Level 1
Level 1
In response to Ken Stieers

‎02-08-2024 03:17 AM - edited ‎02-09-2024 12:38 PM

I try this command openssl s_client -showcerts -connect :636 on the wsa and here the output 

 

I also attached the packet capture for the communication between the WSA and the LDAP.

Go to solution
fw_mon
Level 1
Level 1
In response to ezzaariyouness

‎02-08-2024 04:07 AM

the dest is missing in your command, try:

openssl s_client -showcerts -connect 10.147.32.52:636

Go to solution
ezzaariyouness
Level 1
Level 1
In response to fw_mon

‎02-08-2024 05:21 AM - edited ‎02-09-2024 12:37 PM

yes I tired and got this 

 

0 Helpful

Go to solution
fw_mon
Level 1
Level 1
In response to ezzaariyouness

‎02-08-2024 06:02 AM

this means connection timeout, a TCP session cannot be established. First check routing (also if you're using the right WSA interface (Mgmt/Data)) and then the firewall - if you see any block/drop and something in the log

Go to solution
ezzaariyouness
Level 1
Level 1
In response to fw_mon

‎02-08-2024 06:09 AM - edited ‎02-09-2024 12:38 PM

I'm able to ping the LDAP server and there is no FW in path, the WSA and the LDAP in the same subnet.

Attached the capture file for this communication.

Go to solution
fw_mon
Level 1
Level 1
In response to ezzaariyouness

‎02-08-2024 07:15 AM

the openssl command shows timeout, the tcpdump shows that the connection established. Do you have several interfaces?
Have you uploaded the CA cert of the LDAP machine on WSA?

Go to solution
ezzaariyouness
Level 1
Level 1
In response to fw_mon

‎02-08-2024 08:30 AM - edited ‎02-09-2024 12:38 PM

Yes, I have several interfaces as below : 

As you can see, I can ping the LDAP server.

0 Helpful

Go to solution
fw_mon
Level 1
Level 1
In response to ezzaariyouness

‎02-08-2024 08:55 AM

but the LDAP host 10.147.32.52 is not in the network 10.147.32.5/27 (10.147.32.1-10.147.32.30)

try other interfaces or capture the traffic during you do openssl command or/and UI test, then check with Wireshark 

 

0 Helpful

Go to solution
Ken Stieers
VIP
VIP
In response to ezzaariyouness

‎02-08-2024 06:37 AM

You can also just download openssl for whichever OS you're running and check your DC from there. 

Here's where you can find the latest builds: https://wiki.openssl.org/index.php/Binaries

 

0 Helpful
Customers Also Viewed These Support Documents