Cisco WSA LDAPS intégration issue

ezzaariyouness
Level 1

Hello everyone,

I'm trying to configure LDAPS authentication on Cisco WSA, but I'm getting the issue attached.

Can you help me solve this issue?

18 Replies

Konstantinos9
Cisco Employee

Hello ezzaariyouness,

I can see you chose LDAPS, and it appears that the connection is failing due to a TLS handshake ("Invalid/Expired" certificate).

You may need to verify connectivity between your LDAP servers and the WSA and ensure that all certificates are valid for LDAPS.

Hope this helps.

Kind regards,

Konstantinos

Thank you for your reply.

How can I check the certificate for LDAPS? I have the root certificate from the CA imported to the WSA.

Is there any configuration related to the certificate I have to do?

No, you shouldn't have to do any config on the DC except getting a cert on it.

1st check the domain controller. Login, start/run, enter certlm.msc

Under Personal/Certificates you should see a cert there. Typically (assuming you're using ADCS) it's issued to the machine name of the DC, and once AD services sees a cert with the correct usages, it will pick it up and start serving LDAPS.



The system administrator told me the certificate is already on the LDAP Server.

You can check the cert using openssl

This should show the certs and the root it's using:
openssl.exe s_client -showcerts -connect :636

There's also this article from Cisco:
https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118761-technote-firesight-00.html

You should get a connection, if you don't, the system admin needs to do some work.


I tried this command openssl s_client -showcerts -connect :636 on the WSA and here is the output:

I also attached the packet capture for the communication between the WSA and the LDAP.

The destination is missing in your command, try:

openssl s_client -showcerts -connect 10.147.32.52:636

Yes, I tried and got this:

This means a connection timeout: a TCP session cannot be established. First check routing (also whether you're using the right WSA interface (Mgmt/Data)) and then the firewall, checking whether you see any block/drop and something in the log.

I'm able to ping the LDAP server and there is no firewall in the path; the WSA and the LDAP server are in the same subnet.

Attached the capture file for this communication.

The openssl command shows a timeout, but the tcpdump shows that the connection was established. Do you have several interfaces?
Have you uploaded the CA cert of the LDAP machine on the WSA?

Yes, I have several interfaces as below:

As you can see, I can ping the LDAP server.

But the LDAP host 10.147.32.52 is not in the network 10.147.32.5/27 (10.147.32.1-10.147.32.30).

Try other interfaces, or capture the traffic while you run the openssl command and/or the UI test, then check with Wireshark.
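Added example, not code from the thread or from Cisco: a Python script that reproduces the two checks the replies describe, the subnet membership test behind the "not in the network 10.147.32.5/27" remark and the openssl s_client handshake test, and classifies a TCP timeout separately from a certificate failure. The CA file path and the DC name are placeholders; the addresses are the ones from the thread.

```python
import ipaddress
import socket
import ssl
from typing import Optional


def same_subnet(interface_cidr: str, host: str) -> bool:
    """True when `host` lies inside the interface's own network, i.e. it is
    directly reachable without a gateway (the /27 arithmetic from the reply)."""
    network = ipaddress.ip_interface(interface_cidr).network
    return ipaddress.ip_address(host) in network


def ldaps_handshake(host: str, cafile: Optional[str] = None, port: int = 636,
                    server_name: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Do what `openssl s_client -showcerts -connect host:636` does and classify
    the outcome: 'timeout' (no TCP session: routing/interface problem),
    'tls_error' (handshake failed: untrusted, invalid or expired certificate),
    'network_error' (e.g. connection refused) or 'ok' with certificate details.
    `cafile` is the CA certificate imported on the WSA (None = system roots);
    `server_name` is the DC's DNS name as it appears in its certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
                cert = tls.getpeercert()
                return {"status": "ok",
                        "subject": dict(x[0] for x in cert["subject"]),
                        "not_after": cert["notAfter"],
                        "tls_version": tls.version()}
    except (socket.timeout, TimeoutError) as exc:
        return {"status": "timeout", "detail": str(exc)}
    except ssl.SSLError as exc:
        return {"status": "tls_error", "detail": exc.reason or str(exc)}
    except OSError as exc:
        return {"status": "network_error", "detail": str(exc)}


if __name__ == "__main__":
    wsa_interface = "10.147.32.5/27"   # interface address from the thread
    ldap_host = "10.147.32.52"         # LDAP server address from the thread
    print(ldap_host, "in", wsa_interface, "->", same_subnet(wsa_interface, ldap_host))
    # CA path and DC name are placeholders; replace them with your own values.
    print(ldaps_handshake(ldap_host, cafile="ldap-root-ca.pem",
                          server_name="dc01.example.local"))
```

A 'timeout' result with a successful ping points at the interface/routing question raised above, while a 'tls_error' result points at the certificate chain.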

You can also just download openssl for whichever OS you're running and check your DC from there. 

Here's where you can find the latest builds: https://wiki.openssl.org/index.php/Binaries