Showing results for 
Search instead for 
Did you mean: 

FTD - FMC - AD -- Secure LDAP / LDAP Over SSL -- Discovered Identity


Hello Community, 

I'm a little bit out of my depth here in trying to troubleshoot a few issues around my configuration and wondering if anyone has some insight into this for me. 

I'm currently trying to set up remote access for vpn, I would like to utilize SAML integration with Cisco Duo - this part works swimmingly, following the guide, the only change I had to make was for Duo to return the username in order for the authorization from AD_Integration to work. 

I have the LDAP mapping working successfully, but one issue that I can't seem to conquer is that I am able to use LDAP over SSL directly from the FMC but not the FTD. I have confirmed that the same root ca certificate is installed on both, I confirmed that the FTD can resolve the host name of both domain controllers, when I switch to back to IP connect for the directory on the AD_Integration the FTD can perform the bind and the lookup, the group gets passed back and the appropriate LDAP map to cisco vpn group profile applies. My only thinking here is that because of the need of two CA's on the FTD, it is trying to use the Duo certificate when doing the LDAP over SSL - I am not sure how to associate the correct trustpoint here? 

Another issue I am running into, is that with this configuration the identities are showing up as Discovered Identity\username, not MYDOMAIN\Username - when I switch to only the AD integration, the passive identity works and the MYDOMAIN\username shows up in FMC dashboard for user statistics. 

I have turned the debug ldap 255, debug aaa common 255, and watched the authentication happen (this is how I discovered I needed cisco duo to pass the username back and not the email), this works. Cool, but why doesn't the FTD believe it's MYDOMAIN\Username when Duo saml is the authentication and AD is the authorization? 

I would like to keep my ACLs tight and utilize the user identity so that I am as secure as possible. Is this possible while utilizing duo as authentication and ad as authorization? 

Solution for my case: 

Discovered via my own replies here - the EE Key was too small, which refers to the RSA key, which in my case was 2048 for the CA root, but the Domain Controller's identity certs were only 1048 - my temporary work around was to enable the weak crypto, via GUI Devices - Certificates - Click the device in question - Click the LOCK to send the command
or via CLI just add the line 
crypto ca permit-weak-crypto

I gather that the FMC by default doesn't care about the weak key response.

1 Accepted Solution

Accepted Solutions

Needed to add to running-config