The Cisco ASA documentation for configuring LDAP over SSL authentication for VPN clients is limited in scope and extremely Microsoft-specific. If you're running an OpenLDAP server or experiencing connectivity issues that are not network-related, there aren't a lot of resources available to help.
Here’s a description of the connectivity problems we experienced in our data center and the steps we took to resolve them.
Background
We’re running OpenLDAP 2.4.21 with OpenSSL 0.9.8 on Ubuntu 10.04.4 as our centralized authentication server. Naturally we wanted to use it to authenticate VPN users on our Cisco ASA 5520 v8.2 rather than maintaining a local user database.
Although non-SSL LDAP authentication worked fine 100% of the time, we were seeing an 85-90% failure/timeout rate for LDAP over SSL connections. This would cause the ASA to retry a server continuously, exhaust the number of allowed failures, change the server's state from ACTIVE to FAILED, and then repeat the process for the next configured LDAP server in the group. Eventually it would get a success and the user would be authenticated:
Output from syslog:
Dec 21 07:26:45 VPN : %ASA-6-113014: AAA authentication server not accessible : server = 10.0.1.5 : user = testuser
Dec 21 07:26:45 VPN : %ASA-6-113014: AAA authentication server not accessible : server = 10.0.1.5 : user = testuser
Dec 21 07:26:45 VPN : %ASA-6-113014: AAA authentication server not accessible : server = 10.0.1.5 : user = testuser
Dec 21 07:26:45 VPN : %ASA-6-113014: AAA authentication server not accessible : server = 10.0.1.5 : user = testuser
Dec 21 07:26:45 VPN : %ASA-6-113014: AAA authentication server not accessible : server = 10.0.1.5 : user = testuser
Dec 21 07:26:45 VPN : %ASA-6-113014: AAA authentication server not accessible : server = 10.0.1.5 : user = testuser
Dec 21 07:26:45 VPN : %ASA-2-113022: AAA Marking LDAP server 10.0.1.5 in aaa-server group LDAP as FAILED
Dec 21 07:26:45 VPN : %ASA-6-113014: AAA authentication server not accessible : server = 10.0.1.33 : user = testuser
Dec 21 07:26:46 VPN : %ASA-6-113014: AAA authentication server not accessible : server = 10.0.1.33 : user = testuser
Dec 21 07:26:46 VPN : %ASA-6-113014: AAA authentication server not accessible : server = 10.0.1.33 : user = testuser
Dec 21 07:26:46 VPN : %ASA-6-113014: AAA authentication server not accessible : server = 10.0.1.33 : user = testuser
Dec 21 07:26:46 VPN : %ASA-6-113014: AAA authentication server not accessible : server = 10.0.1.33 : user = testuser
Dec 21 07:26:46 VPN : %ASA-2-113022: AAA Marking LDAP server 10.0.1.33 in aaa-server group LDAP as FAILED
Dec 21 07:26:46 VPN : %ASA-2-113023: AAA Marking LDAP server 10.0.1.32 in aaa-server group LDAP as ACTIVE
Dec 21 07:26:46 VPN : %ASA-2-113023: AAA Marking LDAP server 10.0.1.5 in aaa-server group LDAP as ACTIVE
Dec 21 07:26:46 VPN : %ASA-2-113023: AAA Marking LDAP server 10.0.1.33 in aaa-server group LDAP as ACTIVE
Dec 21 07:26:46 VPN : %ASA-6-113014: AAA authentication server not accessible : server = 10.0.1.32 : user = testuser
Dec 21 07:26:46 VPN : %ASA-6-113014: AAA authentication server not accessible : server = 10.0.1.32 : user = testuser
Dec 21 07:26:46 VPN : %ASA-6-113014: AAA authentication server not accessible : server = 10.0.1.32 : user = testuser
Dec 21 07:26:46 VPN : %ASA-6-113004: AAA user authentication Successful : server = 10.0.1.32 : user = testuser
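The symptom above is easiest to quantify from the syslog itself. The following Python script is an added example, not part of the original post: it counts the 113014 (not accessible) and 113004 (success) messages per LDAP server, records how often a server was marked FAILED (113022), and flags servers whose not-accessible ratio looks like the intermittent-TLS problem. The sample log lines are constructed to mirror the excerpt above.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the syslog excerpt above (not a real capture).
SAMPLE_LOG = """\
Dec 21 07:26:45 VPN : %ASA-6-113014: AAA authentication server not accessible : server = 10.0.1.5 : user = testuser
Dec 21 07:26:45 VPN : %ASA-6-113014: AAA authentication server not accessible : server = 10.0.1.5 : user = testuser
Dec 21 07:26:45 VPN : %ASA-2-113022: AAA Marking LDAP server 10.0.1.5 in aaa-server group LDAP as FAILED
Dec 21 07:26:46 VPN : %ASA-6-113014: AAA authentication server not accessible : server = 10.0.1.32 : user = testuser
Dec 21 07:26:46 VPN : %ASA-2-113023: AAA Marking LDAP server 10.0.1.5 in aaa-server group LDAP as ACTIVE
Dec 21 07:26:46 VPN : %ASA-6-113004: AAA user authentication Successful : server = 10.0.1.32 : user = testuser
"""

# 113014 = server not accessible (one failed attempt), 113004 = successful authentication
ATTEMPT_RE = re.compile(r"%ASA-\d-(113014|113004): .*?server = (\S+) : user = (\S+)")
# 113022 = server marked FAILED, 113023 = marked ACTIVE again (the cycle the post describes)
STATE_RE = re.compile(r"%ASA-\d-(113022|113023): AAA Marking LDAP server (\S+) in aaa-server group \S+ as (FAILED|ACTIVE)")


def summarize(log_text):
    """Per-server counts of failed/successful attempts, FAILED markings and failure rate."""
    stats = defaultdict(lambda: {"fail": 0, "ok": 0, "failed_marks": 0})
    for line in log_text.splitlines():
        m = ATTEMPT_RE.search(line)
        if m:
            stats[m.group(2)]["fail" if m.group(1) == "113014" else "ok"] += 1
            continue
        m = STATE_RE.search(line)
        if m and m.group(3) == "FAILED":
            stats[m.group(2)]["failed_marks"] += 1
    for s in stats.values():
        total = s["fail"] + s["ok"]
        s["failure_rate"] = round(s["fail"] / total, 2) if total else None
    return dict(stats)


def flagged_servers(stats, threshold=0.5):
    """Servers whose not-accessible ratio exceeds the threshold: the intermittent-TLS symptom."""
    return sorted(ip for ip, s in stats.items()
                  if s["failure_rate"] is not None and s["failure_rate"] > threshold)


if __name__ == "__main__":
    st = summarize(SAMPLE_LOG)
    for ip, s in sorted(st.items()):
        print(ip, s)
    print("suspicious:", flagged_servers(st))
```

Feed it the real syslog (for example via `summarize(open("asa.log").read())`) and a server that is reachable over plain LDAP but shows a high ratio here is the one to check under "Configure SSL Parameters" below.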
Output from “debug ldap 255” showing a failure:
VPN#
[1042] Session Start
[1042] New request Session, context 0xcca50ed8, reqType = Authentication
[1042] Fiber started
[1042] Creating LDAP context with uri=ldaps://10.5.101.7:636
[1042] Connect to LDAP server: ldaps://10.5.101.7:636, status = Failed
[1042] Unable to read rootDSE. Can't contact LDAP server.
[1042] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[1042] Session End
Output from “debug ldap 255” showing a success:
INFO: Attempting Authentication test to IP address <10.0.1.32> (timeout: 12 seconds)
[1345] Session Start
[1345] New request Session, context 0xcca50ed8, reqType = Authentication
[1345] Fiber started
[1345] Creating LDAP context with uri=ldaps://10.0.1.32:636
[1345] Connect to LDAP server: ldaps://10.0.1.32:636, status = Successful
[1345] supportedLDAPVersion: value = 3
[1345] No Login DN configured for server 10.0.1.32
[1345] No Login password configured for server 10.0.1.32
[1345] Binding as
[1345] Performing Simple authentication for to 10.0.1.32
[1345] LDAP Search:
        Base DN = [dc=domain,dc=com]domain
        Filter = [uid=testuser]
        Scope = [SUBTREE]
[1345] User DN = [uid=testuser,ou=people,dc=domain,dc=com]
[1345] Server type for 10.0.1.32 unknown - no password policy
[1345] Binding as testuser
[1345] Performing Simple authentication for testuser to 10.0.1.32
[1345] Processing LDAP response for user testuser
[1345] Authentication successful for testuser to 10.0.1.32
[1345] Retrieved User Attributes:
[1345] objectClass: value = inetLocalMailRecipient
[1345] objectClass: value = shadowAccount
[1345] objectClass: value = posixAccount
[1345] objectClass: value = inetOrgPerson
[1345] objectClass: value = organizationalPerson
[1345] objectClass: value = person
[1345] shadowWarning: value = 10
[1345] shadowInactive: value = 0
[1345] shadowMin: value = 0
[1345] shadowMax: value = 99999
[1345] homeDirectory: value = /home/testuser
[1345] loginShell: value = /bin/bash
[1345] uid: value = testuser
[1345] cn: value = Test testuser
[1345] gecos: value = Test testuser
[1345] uidNumber: value = 590
[1345] gidNumber: value = 590
[1345] sn: value = testuser
[1345] givenName: value = Test
[1345] mail: value = testuser@domain.com
[1345] employeeType: value = Employee
[1345] shadowLastChange: value = 15649
[1345] mailLocalAddress: value = testuser@domain.com
[1345] Fiber exit Tx=273 bytes Rx=179202 bytes, status=1
[1345] Session End
INFO: Authentication Successful
Resolution
Here are the steps we took to clean up the configuration and resolve the issue:
Proper AAA Server Configuration
- Ensure the Hostname or IP Address matches the SSL certificate used by your LDAP server.
- Select the proper "Server Type" from the drop-down menu in order to support password management.
- Look at the tree structure of your LDAP database and verify that your Base DN and Scope are configured correctly.
- Define your Login DN using the proper attribute names, such as "cn=admin,dc=domain,dc=com".
Install Necessary 3rd Party Vendor Certificates
If the internal network behind your ASA is using a different domain than your external network, be sure that you have the proper CA certificates installed. They need to be in PKCS#12 format; if they're not, you'll need to convert them.
To do this via the Linux CLI, use the openssl command. Here's the command I used:
openssl pkcs12 -export -out wildcard.domain.com.pfx -inkey domain.com_wildcard.key -in domain.com.crt -certfile gd_bundle.crt
Screenshot of CA certificates from the ASDM:
Configure SSL Parameters
- The ASA allows you to independently configure the SSL version used for client and server negotiations. In this case the ASA is the client connecting to the LDAP server, so set the client version to a value that works with your LDAP server.
- Only activate the encryption algorithms needed by your appliance and verify that they are also supported on your LDAP server.
By default, all Cisco ASA 5500 Series appliances support the 56-bit DES, 56-bit RC4, 512-bit RSA, and 512-bit Digital Signature Algorithm (DSA) encryption algorithms included in the base encryption license. If there are multiple active algorithms configured on your ASA, it will cycle through them each time it makes a connection to your LDAP server, resulting in intermittent connectivity issues whenever an unsupported algorithm is used.
Screenshot of SSL Settings from the ASDM:
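To check the two things the steps above ask for, namely that the hostname configured on the ASA matches the LDAP server's certificate and that every cipher enabled under "ssl encryption" is actually accepted by the OpenLDAP server, here is an added Python probe that is not from the original post. It assumes the ASA-to-OpenSSL cipher name mapping shown in the block and a placeholder CA bundle path; the hostname ldap.domain.com and the cipher names come from the configuration shown later in this post.

```python
import socket
import ssl

# ASA "ssl encryption" names (as listed by "show crypto ssl") mapped to OpenSSL cipher
# names. The mapping is this example's assumption, not taken from Cisco documentation.
ASA_TO_OPENSSL = {
    "rc4-sha1": "RC4-SHA", "3des-sha1": "DES-CBC3-SHA", "des-sha1": "DES-CBC-SHA",
    "rc4-md5": "RC4-MD5", "aes128-sha1": "AES128-SHA", "aes256-sha1": "AES256-SHA",
    "null-sha1": "NULL-SHA",
}


def probe_ldaps(host, port, asa_cipher, cafile=None, timeout=5.0):
    """One TLS handshake to host:port offering only `asa_cipher`, with hostname verification.

    Returns {'status': 'ok'|'local-unsupported'|'cert-mismatch'|'handshake-failed'|'connect-error', ...}.
    """
    openssl_name = ASA_TO_OPENSSL[asa_cipher]          # KeyError for an unknown ASA name
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)      # sets CERT_REQUIRED and check_hostname
    if cafile:
        ctx.load_verify_locations(cafile)              # the CA chain installed on the ASA
    else:
        ctx.load_default_certs()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2       # TLS 1.3 ignores set_ciphers()
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1     # the ASA above runs "tlsv1-only"
    except ValueError:
        pass  # local OpenSSL built without TLS 1.0: keep the library's default floor
    try:
        ctx.set_ciphers(openssl_name)                  # fails if local OpenSSL cannot offer it
    except ssl.SSLError:
        return {"status": "local-unsupported", "cipher": asa_cipher}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"status": "ok", "cipher": tls.cipher()[0], "version": tls.version()}
    except ssl.SSLCertVerificationError as e:          # name or chain does not match
        return {"status": "cert-mismatch", "detail": e.verify_message}
    except ssl.SSLError as e:                          # server rejected this cipher/version
        return {"status": "handshake-failed", "detail": e.reason}
    except OSError as e:                               # refused, timeout, unreachable
        return {"status": "connect-error", "detail": str(e)}


def probe_all(host, port, asa_ciphers, cafile=None):
    """Probe every cipher the ASA has enabled; any non-'ok' entry explains intermittent failures."""
    return {c: probe_ldaps(host, port, c, cafile) for c in asa_ciphers}


if __name__ == "__main__":
    # "/path/to/gd_bundle.pem" is a placeholder; ldap.domain.com is the hostname from the post.
    for name, res in probe_all("ldap.domain.com", 636, ["rc4-sha1", "3des-sha1"], "/path/to/gd_bundle.pem").items():
        print(name, res)
```

A "local-unsupported" result means the workstation's OpenSSL cannot offer that cipher (current builds drop RC4 and TLS 1.0 by default), so run the probe from a host with a build comparable to the LDAP server's.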
Verification
Use the following show commands to verify your configuration.
VPN/act# show crypto ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using TLSv1 and negotiate to TLSv1
Enabled cipher order: rc4-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 aes128-sha1 aes256-sha1 null-sha1
SSL trust-points:
  Default: ASDM_TrustPoint5
  outside interface: ASDM_TrustPoint5
  inside interface: ASDM_TrustPoint5
Certificate authentication is not enabled

VPN/act# show crypto ca trustpoints
Trustpoint ASDM_TrustPoint5:
  Subject Name:
    serialNumber=
    cn=Go Daddy Secure Certification Authority
    ou=http://certificates.godaddy.com/repository
    o=GoDaddy.com\, Inc.
    l=Scottsdale
    st=Arizona
    c=US
  Serial Number:
  Certificate configured.

Trustpoint ASDM_TrustPoint5-1:
  Subject Name:
    ou=Go Daddy Class 2 Certification Authority
    o=The Go Daddy Group\, Inc.
    c=US
  Serial Number:
  Certificate configured.

Trustpoint ASDM_TrustPoint5-2:
  Subject Name:
    ea=info@valicert.com
    cn=http://www.valicert.com/
    ou=ValiCert Class 2 Policy Validation Authority
    o=ValiCert\, Inc.
    l=ValiCert Validation Network
  Serial Number: 01
  Certificate configured.

Trustpoint ASDM_TrustPoint1:
  Subject Name:
    ea=admin@domain.com
    cn=Domain CA
    ou=Operations
    o=Domain
    l=San Francisco
    st=California
    c=US
  Serial Number:
  Certificate configured.

VPN/act# show aaa-server
Server Group:    LDAP
Server Protocol: ldap
Server Hostname: ldap.domain.com
Server Address:  10.0.1.32
Server port:     636
Server status:   ACTIVE, Last transaction at unknown
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       146
Number of authorization requests        0
Number of accounting requests           0
Number of retransmissions               0
Number of accepts                       133
Number of rejects                       13
Number of challenges                    0
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      0
Number of unrecognized responses        0
Finally, here are portions of my running configuration for reference:
VPN/act# show run aaa-server
aaa-server LDAP protocol ldap
 reactivation-mode depletion deadtime 1
aaa-server LDAP (inside) host ldap.domain.com
 server-port 636
 ldap-base-dn dc=domain,dc=com
 ldap-scope subtree
 ldap-naming-attribute uid
 ldap-login-password *****
 ldap-login-dn cn=admin,dc=domain,dc=com
 ldap-over-ssl enable
 server-type openldap

VPN/act# show run ssl
ssl client-version tlsv1-only
ssl encryption rc4-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint5
ssl trust-point ASDM_TrustPoint5 outside
ssl trust-point ASDM_TrustPoint5 inside

VPN/act# show run crypto
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint5
 keypair ASDM_TrustPoint5
 crl configure
crypto ca trustpoint ASDM_TrustPoint5-1
 crl configure
crypto ca trustpoint ASDM_TrustPoint5-2
 crl configure
You saved us, we had the exact same problem, and locking down all the ciphers took care of the problem. Thank you!
Great explanation. Well done