Cisco ASA: Configuring LDAP over SSL

The Cisco ASA documentation for configuring LDAP over SSL authentication for VPN clients is limited in scope and extremely Microsoft-specific. If you’re running an OpenLDAP server or experiencing non-network related connectivity issues, there aren’t a lot of resources available to help.

Here’s a description of the connectivity problems we experienced in our data center and the steps we took to resolve them.

Background

We’re running OpenLDAP 2.4.21 with OpenSSL 0.9.8 on Ubuntu 10.04.4 as our centralized authentication server. Naturally we wanted to use it to authenticate VPN users on our Cisco ASA 5520 v8.2 rather than maintaining a local user database.

Although non-SSL LDAP authentication worked fine 100% of the time, we were seeing an 85-90% failure/timeout rate for LDAP over SSL connections. This would then cause the ASA to continuously retry a server, exhaust the number of allowed failures, change the server's state from ACTIVE to FAILED, and then repeat the process for the next configured LDAP server in the group. Eventually it would get a success and the user would be authenticated:

Output from syslog:

 Dec 21 07:26:45 VPN : %ASA-6-113014: AAA authentication server not accessible : server =  10.0.1.5 : user = testuser
Dec 21 07:26:45 VPN : %ASA-6-113014: AAA authentication server not accessible : server =  10.0.1.5 : user = testuser
Dec 21 07:26:45 VPN : %ASA-6-113014: AAA authentication server not accessible : server =  10.0.1.5 : user = testuser
Dec 21 07:26:45 VPN : %ASA-6-113014: AAA authentication server not accessible : server =  10.0.1.5 : user = testuser
Dec 21 07:26:45 VPN : %ASA-6-113014: AAA authentication server not accessible : server =  10.0.1.5 : user = testuser
Dec 21 07:26:45 VPN : %ASA-6-113014: AAA authentication server not accessible : server =  10.0.1.5 : user = testuser
Dec 21 07:26:45 VPN : %ASA-2-113022: AAA Marking LDAP server 10.0.1.5 in aaa-server group LDAP as FAILED
Dec 21 07:26:45 VPN : %ASA-6-113014: AAA authentication server not accessible : server =  10.0.1.33 : user = testuser
Dec 21 07:26:46 VPN : %ASA-6-113014: AAA authentication server not accessible : server =  10.0.1.33 : user = testuser
Dec 21 07:26:46 VPN : %ASA-6-113014: AAA authentication server not accessible : server =  10.0.1.33 : user = testuser
Dec 21 07:26:46 VPN : %ASA-6-113014: AAA authentication server not accessible : server =  10.0.1.33 : user = testuser
Dec 21 07:26:46 VPN : %ASA-6-113014: AAA authentication server not accessible : server =  10.0.1.33 : user = testuser
Dec 21 07:26:46 VPN : %ASA-2-113022: AAA Marking LDAP server 10.0.1.33 in aaa-server group LDAP as FAILED
Dec 21 07:26:46 VPN : %ASA-2-113023: AAA Marking LDAP server 10.0.1.32 in aaa-server group LDAP as ACTIVE
Dec 21 07:26:46 VPN : %ASA-2-113023: AAA Marking LDAP server 10.0.1.5 in aaa-server group LDAP as ACTIVE
Dec 21 07:26:46 VPN : %ASA-2-113023: AAA Marking LDAP server 10.0.1.33 in aaa-server group LDAP as ACTIVE
Dec 21 07:26:46 VPN : %ASA-6-113014: AAA authentication server not accessible : server =  10.0.1.32 : user = testuser
Dec 21 07:26:46 VPN : %ASA-6-113014: AAA authentication server not accessible : server =  10.0.1.32 : user = testuser
Dec 21 07:26:46 VPN : %ASA-6-113014: AAA authentication server not accessible : server =  10.0.1.32 : user = testuser
Dec 21 07:26:46 VPN : %ASA-6-113004: AAA user authentication Successful : server =  10.0.1.32 : user = testuser
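To measure the symptom above from syslog instead of eyeballing it, here is an added Python example (not from the original post) that counts the 113014, 113004, 113022 and 113023 messages per LDAP server and derives the not-accessible rate; the embedded input is a constructed sample in the same format, and real input would be the exported syslog.

```python
import re
from collections import defaultdict

# Constructed sample in the ASA syslog format shown above (not a live capture).
SAMPLE_SYSLOG = """\
Dec 21 07:26:45 VPN : %ASA-6-113014: AAA authentication server not accessible : server =  10.0.1.5 : user = testuser
Dec 21 07:26:45 VPN : %ASA-6-113014: AAA authentication server not accessible : server =  10.0.1.5 : user = testuser
Dec 21 07:26:45 VPN : %ASA-2-113022: AAA Marking LDAP server 10.0.1.5 in aaa-server group LDAP as FAILED
Dec 21 07:26:46 VPN : %ASA-6-113014: AAA authentication server not accessible : server =  10.0.1.32 : user = testuser
Dec 21 07:26:46 VPN : %ASA-2-113023: AAA Marking LDAP server 10.0.1.5 in aaa-server group LDAP as ACTIVE
Dec 21 07:26:46 VPN : %ASA-6-113004: AAA user authentication Successful : server =  10.0.1.32 : user = testuser
"""

# Message IDs used on this page: 113014 = server not accessible (one per retry),
# 113004 = authentication successful, 113022 = marked FAILED, 113023 = marked ACTIVE.
# The server IP follows "server =" (113014/113004) or "server " (113022/113023).
LINE_RE = re.compile(
    r"%ASA-\d-(?P<msgid>11\d{4}): .*?server\s*=?\s*(?P<server>\d+\.\d+\.\d+\.\d+)"
)


def summarize(syslog_text):
    """Per-server counters plus unreachable_rate = unreachable / (unreachable + success)."""
    stats = defaultdict(lambda: {"unreachable": 0, "success": 0,
                                 "marked_failed": 0, "marked_active": 0})
    for line in syslog_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an AAA server message we track
        s = stats[m.group("server")]
        msgid = m.group("msgid")
        if msgid == "113014":
            s["unreachable"] += 1
        elif msgid == "113004":
            s["success"] += 1
        elif msgid == "113022":
            s["marked_failed"] += 1
        elif msgid == "113023":
            s["marked_active"] += 1
    for s in stats.values():
        attempts = s["unreachable"] + s["success"]
        s["unreachable_rate"] = s["unreachable"] / attempts if attempts else 0.0
    return dict(stats)


def flapping_servers(stats, max_failed_marks=0):
    """Servers the ASA marked FAILED more than max_failed_marks times: the first
    place to look for the TLS version/cipher mismatch described in this post."""
    return sorted(srv for srv, s in stats.items() if s["marked_failed"] > max_failed_marks)
```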

Output from “debug ldap 255” showing a failure:

 VPN#
[1042] Session Start
[1042] New request Session, context 0xcca50ed8, reqType = Authentication
[1042] Fiber started
[1042] Creating LDAP context with uri=ldaps://10.5.101.7:636
[1042] Connect to LDAP server: ldaps://10.5.101.7:636, status = Failed
[1042] Unable to read rootDSE. Can't contact LDAP server.
[1042] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[1042] Session End

Output from “debug ldap 255” showing a success:

 INFO: Attempting Authentication test to IP address <10.0.1.32> (timeout: 12 seconds)
[1345] Session Start
[1345] New request Session, context 0xcca50ed8, reqType = Authentication
[1345] Fiber started
[1345] Creating LDAP context with uri=ldaps://10.0.1.32:636
[1345] Connect to LDAP server: ldaps://10.0.1.32:636, status = Successful
[1345] supportedLDAPVersion: value = 3
[1345] No Login DN configured for server 10.0.1.32
[1345] No Login password configured for server 10.0.1.32
[1345] Binding as
[1345] Performing Simple authentication for  to 10.0.1.32
[1345] LDAP Search:
Base DN = [dc=domain,dc=com]domain
Filter  = [uid=testuser]
Scope   = [SUBTREE]
[1345] User DN = [uid=testuser,ou=people,dc=domain,dc=com]
[1345] Server type for 10.0.1.32 unknown - no password policy
[1345] Binding as testuser
[1345] Performing Simple authentication for testuser to 10.0.1.32
[1345] Processing LDAP response for user testuser
[1345] Authentication successful for testuser to 10.0.1.32
[1345] Retrieved User Attributes:
[1345]     objectClass: value = inetLocalMailRecipient
[1345]     objectClass: value = shadowAccount
[1345]     objectClass: value = posixAccount
[1345]     objectClass: value = inetOrgPerson
[1345]     objectClass: value = organizationalPerson
[1345]     objectClass: value = person
[1345]     shadowWarning: value = 10
[1345]     shadowInactive: value = 0
[1345]     shadowMin: value = 0
[1345]     shadowMax: value = 99999
[1345]     homeDirectory: value = /home/testuser
[1345]     loginShell: value = /bin/bash
[1345]     uid: value = testuser
[1345]     cn: value = Test testuser
[1345]     gecos: value = Test testuser
[1345]     uidNumber: value = 590
[1345]     gidNumber: value = 590
[1345]     sn: value = testuser
[1345]     givenName: value = Test
[1345]     mail: value = testuser@domain.com
[1345]     employeeType: value = Employee
[1345]     shadowLastChange: value = 15649
[1345]     mailLocalAddress: value = testuser@domain.com
[1345] Fiber exit Tx=273 bytes Rx=179202 bytes, status=1
[1345] Session End
INFO: Authentication Successful

Resolution

Here are the steps we took to clean up the configuration and resolve the issue:

Proper AAA Server Configuration

  1. Ensure the Hostname or IP Address matches the SSL certificate used by your LDAP Server
  2. Select the proper “Server Type” from the drop down menu in order to support password management
  3. Look at the tree structure of your LDAP database and verify that your Base DN and Scope are configured correctly.
  4. Define your Login DN using the proper Attribute Name such as “cn=admin,dc=domain,dc=com”

LDAP AAA Server Configuration

Install Necessary 3rd Party Vendor Certificates

If the internal network behind your ASA is using a different domain than your external network, be sure that you have the proper CA Certificates installed. They need to be in PKCS12 format. If they’re not, you’ll need to convert them.

To do this via the Linux CLI, use the openssl command. Here’s the command I used:

openssl pkcs12 -export -out wildcard.domain.com.pfx -inkey domain.com_wildcard.key -in domain.com.crt -certfile gd_bundle.crt

Screen shot of CA certificates from the ASDM:

LDAP_CA_Certs

Configure SSL Parameters

  1. The ASA allows you to independently configure the SSL version used for client and server negotiations. In this case the ASA is connecting as a client, so set the client version to a value that works with your LDAP server.
  2. Only activate the encryption algorithms needed by your appliance and verify that they are also supported on your LDAP server.

By default, all Cisco ASA 5500 Series appliances support the 56-bit DES, 56-bit RC4, 512-bit RSA, and 512-bit Digital Signature Algorithm (DSA) encryption algorithms included in the base encryption license. If there are multiple Active Algorithms configured on your ASA, it will cycle through them each time it makes a connection to your LDAP server, resulting in intermittent connectivity issues whenever an algorithm the server does not support is used.
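As an added example (not the author's or Cisco's code), the Python below probes the LDAP server with one cipher at a time from the ASA's own "ssl encryption" list, verifying the chain and hostname as the ASA does, so a cipher the server rejects shows up deterministically instead of as an intermittent failure, and it then emits the trimmed "ssl encryption" line. The ASA-to-OpenSSL name mapping, the host, port and CA bundle file name are assumptions.

```python
import socket
import ssl

# Assumed mapping from ASA "ssl encryption" keywords (as in "show crypto ssl")
# to the OpenSSL cipher names that set_ciphers() understands.
ASA_TO_OPENSSL = {
    "rc4-sha1": "RC4-SHA",
    "3des-sha1": "DES-CBC3-SHA",
    "des-sha1": "DES-CBC-SHA",
    "rc4-md5": "RC4-MD5",
    "aes128-sha1": "AES128-SHA",
    "aes256-sha1": "AES256-SHA",
    "null-sha1": "NULL-SHA",
}


def openssl_cipher(asa_name):
    """Translate an ASA cipher keyword to its OpenSSL name; unknown keywords are an error."""
    try:
        return ASA_TO_OPENSSL[asa_name]
    except KeyError:
        raise ValueError(f"unknown ASA cipher keyword: {asa_name}") from None


def probe_cipher(host, port, asa_name, cafile, timeout=5):
    """One LDAPS handshake restricted to a single cipher, verifying the server chain
    against cafile and the hostname, as the ASA does on every connection.
    Returns (ok, detail). False also covers a cipher the local OpenSSL refuses
    (RC4 and single DES need the legacy provider on OpenSSL 3)."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
        ctx.load_verify_locations(cafile)
        ctx.minimum_version = ssl.TLSVersion.TLSv1     # legacy floor; raise on modern servers
        ctx.set_ciphers(openssl_cipher(asa_name))
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, f"{tls.version()} {tls.cipher()[0]}"
    except (ssl.SSLError, OSError) as exc:  # cert/hostname/cipher failures and timeouts
        return False, str(exc)


def plan_ssl_encryption(results):
    """From {asa_name: ok} in ASA order, drop every cipher the server rejected so
    there is nothing unsupported left for the ASA to cycle onto."""
    good = [name for name, ok in results.items() if ok]
    return ("ssl encryption " + " ".join(good)) if good else None
```

Run probe_cipher("ldap.domain.com", 636, name, "gd_bundle.crt") for each keyword currently enabled on the ASA and feed the ok flags to plan_ssl_encryption; a None result means none of the enabled ciphers works and the server side needs attention first.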

Screenshot of SSL Settings from the ASDM:

Cisco ASA SSL Settings

Verification

Use the following show commands to verify your configuration.

VPN/act#  show crypto ssl
 Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
 Start connections using TLSv1 and negotiate to TLSv1
 Enabled cipher order: rc4-sha1 3des-sha1
 Disabled ciphers: des-sha1 rc4-md5 aes128-sha1 aes256-sha1 null-sha1
 SSL trust-points:
 Default: ASDM_TrustPoint5
 outside interface: ASDM_TrustPoint5
 inside interface: ASDM_TrustPoint5
 Certificate authentication is not enabled

VPN/act# show crypto ca trustpoints
 Trustpoint ASDM_TrustPoint5:
 Subject Name:
 serialNumber=
 cn=Go Daddy Secure Certification Authority
 ou=http://certificates.godaddy.com/repository
 o=GoDaddy.com\, Inc.
 l=Scottsdale
 st=Arizona
 c=US
 Serial Number:
 Certificate configured.
 Trustpoint ASDM_TrustPoint5-1:
 Subject Name:
 ou=Go Daddy Class 2 Certification Authority
 o=The Go Daddy Group\, Inc.
 c=US
 Serial Number:
 Certificate configured.
 Trustpoint ASDM_TrustPoint5-2:
 Subject Name:
 ea=info@valicert.com
 cn=http://www.valicert.com/
 ou=ValiCert Class 2 Policy Validation Authority
 o=ValiCert\, Inc.
 l=ValiCert Validation Network
 Serial Number: 01
 Certificate configured.
 Trustpoint ASDM_TrustPoint1:
 Subject Name:
 ea=admin@domain.com
 cn=Domain CA
 ou=Operations
 o=Domain
 l=San Francisco
 st=California
 c=US
 Serial Number:
 Certificate configured.

VPN/act# show aaa-server
 Server Group:     LDAP
 Server Protocol: ldap
 Server Hostname: ldap.domain.com
 Server Address:     10.0.1.32
 Server port:     636
 Server status:     ACTIVE, Last transaction at unknown
 Number of pending requests        0
 Average round trip time            0ms
 Number of authentication requests    146
 Number of authorization requests    0
 Number of accounting requests        0
 Number of retransmissions        0
 Number of accepts            133
 Number of rejects            13
 Number of challenges            0
 Number of malformed responses        0
 Number of bad authenticators        0
 Number of timeouts            0
 Number of unrecognized responses    0 

Finally, here are portions of my running configuration for reference:

VPN/act# show run aaa-server
 aaa-server LDAP protocol ldap
 reactivation-mode depletion deadtime 1
 aaa-server LDAP (inside) host ldap.domain.com
 server-port 636
 ldap-base-dn dc=domain,dc=com
 ldap-scope subtree
 ldap-naming-attribute uid
 ldap-login-password *****
 ldap-login-dn cn=admin,dc=domain,dc=com
 ldap-over-ssl enable
 server-type openldap

VPN/act# show run ssl
 ssl client-version tlsv1-only
 ssl encryption rc4-sha1 3des-sha1
 ssl trust-point ASDM_TrustPoint5
 ssl trust-point ASDM_TrustPoint5 outside
 ssl trust-point ASDM_TrustPoint5 inside

VPN/act# show run crypto
 crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
 crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
 crypto ipsec security-association lifetime seconds 28800
 crypto ipsec security-association lifetime kilobytes 4608000
 crypto ca trustpoint ASDM_TrustPoint5
 keypair ASDM_TrustPoint5
 crl configure
 crypto ca trustpoint ASDM_TrustPoint5-1
 crl configure
 crypto ca trustpoint ASDM_TrustPoint5-2
 crl configure 
