1930 Views, 0 Helpful, 4 Replies

ASA 9.1(1), AAA LDAP Authentication & IPv6

I have a working ASA 5505 that is used for remote access.  It authenticates users via RADIUS (Microsoft AD using two IAS servers), it also authorises users via LDAP and it does some LDAP attribute mapping to get group membership for DAP.  This is all working fine, however recently I enabled IPv6 to do some testing.  I have a /126 subnet on the Inside interface (maps to its equivalent /30 IPv4 subnet) and OSPFv3 running so the ASA has visibility of the internal IPv6 networks.  DNS client is enabled in the ASA and all the authentication servers are entered as hostnames.  The two RADIUS servers only have A records and the two LDAP servers (Windows DCs) have both A and AAAA records.  My plan was to begin testing IPv6 on the AnyConnect VPN clients (once I was happy the ASA was working fine with IPv6).

When I initially enabled IPv6 everything continued to work as before, however I had to reboot the ASA today and after it all came back up authorisation stopped working.  I did a bit of troubleshooting and the ASA is complaining of not being able to resolve the addresses of the two LDAP servers.  From the CLI I can ping the hostnames and the LDAP servers resolve to IPv6 addresses and the RADIUS servers resolve to IPv4 addresses.  When I issue the command 'show aaa-server LDAP' (LDAP is the name of the group) I see the servers listed but the address displays 0.0.0.0:

Server Group:    LDAP
Server Protocol: ldap
Server Hostname: AD-Server1.domain.local
Server Address:  0.0.0.0
Server port:     0
Server status:   FAILED, Server disabled at 18:11:38 GMT/BST Sat Dec 22 2012
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       0
Number of authorization requests        0
Number of accounting requests           0
Number of retransmissions               0
Number of accepts                       0
Number of rejects                       0
Number of challenges                    0
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      0
Number of unrecognized responses        0

Prior to the reboot both the LDAP servers were showing their addresses (IPv4) correctly.  I can work around it by disabling IPv6 on the ASA, letting it look up the (IPv4) addresses of the LDAP servers (so they appear in the 'Server Address:' field above) and then re-enabling IPv6.  Strangely, deleting and re-adding the servers just with their IPv4 addresses also fails, but I haven't fully tested this.  I don't know, but I think I would have the same behaviour if the RADIUS servers also had AAAA records.

I assume when IPv6 is enabled on the ASA it will perform AAAA lookups as well as A lookups but the LDAP client cannot use IPv6?  Just guessing at the moment as I haven't managed to get a LAN capture.

I think this is a bug.

Andy
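The 'show aaa-server' output quoted above is the first place the failure shows up (Server Address 0.0.0.0, status FAILED), so a small parser that reads that output and flags servers with no resolved address is a useful health check to run from a monitoring script. This is an added example, not code from the thread or from Cisco; the sample text is a constructed copy of the output layout shown in the question, with a second (hypothetical) server added so the check has both a failing and a healthy entry to compare.

```python
"""Parse ASA 'show aaa-server <group>' output and flag unusable servers.

Added example (not from the thread). The sample below is constructed to match
the layout quoted in the question; AD-Server2 and its values are hypothetical.
"""
import re

# Constructed sample: two servers in one LDAP group, one failed, one healthy.
SAMPLE_OUTPUT = """\
Server Group:    LDAP
Server Protocol: ldap
Server Hostname: AD-Server1.domain.local
Server Address:  0.0.0.0
Server port:     0
Server status:   FAILED, Server disabled at 18:11:38 GMT/BST Sat Dec 22 2012
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       0
Number of timeouts                      0
Server Group:    LDAP
Server Protocol: ldap
Server Hostname: AD-Server2.domain.local
Server Address:  192.0.2.10
Server port:     389
Server status:   ACTIVE
Number of pending requests              0
Average round trip time                 3ms
Number of authentication requests       12
Number of timeouts                      0
"""

# "Server <Field>: value" header lines.
_KV = re.compile(r"^(Server (?:Group|Protocol|Hostname|Address|port|status)):\s*(.*)$")
# "Number of ...   <n>" and "Average round trip time   <n>ms" counter lines.
_COUNTER = re.compile(r"^(Number of .+?|Average round trip time)\s{2,}(\d+)(?:ms)?$")


def parse_aaa_servers(text):
    """Return one dict per server block, keyed by the lower-cased field name
    ('group', 'protocol', 'hostname', 'address', 'port', 'status') plus a
    'counters' dict of the numeric lines."""
    servers = []
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        m = _KV.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "Server Group":          # a new server block starts here
                current = {"counters": {}}
                servers.append(current)
            if current is not None:
                current[key[len("Server "):].lower()] = value
            continue
        m = _COUNTER.match(line)
        if m and current is not None:
            current["counters"][m.group(1)] = int(m.group(2))
    return servers


def unusable_servers(servers):
    """Return [(hostname, [reasons])] for servers that cannot serve requests:
    no resolved address (the symptom in the question) or a FAILED status."""
    problems = []
    for s in servers:
        reasons = []
        if s.get("address") in (None, "", "0.0.0.0", "::"):
            reasons.append("no resolved address (name lookup failed or gave no usable IPv4)")
        if s.get("status", "").startswith("FAILED"):
            reasons.append("status FAILED")
        if reasons:
            problems.append((s.get("hostname", "?"), reasons))
    return problems


if __name__ == "__main__":
    for host, reasons in unusable_servers(parse_aaa_servers(SAMPLE_OUTPUT)):
        print(f"{host}: {'; '.join(reasons)}")
```

Feed it the real output (for example via an SSH session that runs `show aaa-server LDAP`) and alert whenever the returned list is non-empty; a hostname-configured server whose address reads 0.0.0.0 after a reload is exactly the state described in the question.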

4 Replies

The latest release of ASA - 9.1(2) - also exhibits this problem.  It's obviously a bug.

I lived with this issue and workaround for ages.  Not a production ASA so no big deal.  However the issue cropped up again for a project I was working on and after a bit more debugging on the Windows side I realised the ASA was configured for the wrong LDAP login dn.  It was configured with the Windows sAMAccountName and not the Canonical name of the object in LDAP - these are different.  The sAMAccountName of the account is 'LDAPQuery' whereas the canonical name was 'LDAP Querier' (CN=LDAP Querier,OU=User Accounts,OU=Service Accounts,DC=domain,DC=local).

The IPv6 name lookup still occurs, so if the server is added with a DNS name it still doesn't work if there is an IPv6 path to the host; however adding it with its IPv4 address works.  I have no idea why it didn't work previously with the IPv4 address instead of the DNS name.  I guess there is some kind of logic here but I can't see it.  However, problem fixed.

Andy
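The root cause Andy found in the reply above was a login identity given as a sAMAccountName ('LDAPQuery') where the ASA expects the object's distinguished name ('CN=LDAP Querier,OU=...,DC=...'). The check below catches that class of mistake before the value is committed to configuration: it parses the string as an RFC 4514 DN (a minimal reading that handles backslash escapes only, not hex pairs or multi-valued RDNs) and rejects bare account names, NetBIOS-style 'DOMAIN\user' names, and DNs that do not end in a user object. This is an added example, not code from the thread or from Cisco; the function names and the sample DNs other than the one quoted in the reply are hypothetical.

```python
"""Validate that a value intended for the ASA ldap-login-dn is a DN.

Added example (not from the thread). parse_dn is a minimal RFC 4514 reader:
backslash-escaped characters are honoured, hex-pair escapes and multi-valued
RDNs ('+') are not handled.
"""


def parse_dn(dn):
    """Split a DN into [(attribute, value), ...] from leaf to root.
    Returns None when the string is not a DN (e.g. a bare sAMAccountName)."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                  # previous char was '\': take this literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":              # unescaped comma separates RDNs
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:                      # dangling backslash: malformed
        return None
    rdns.append("".join(buf))
    parts = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not attr or not value:
            return None              # an RDN must be 'attr=value'
        parts.append((attr, value))
    return parts


def check_login_dn(value):
    """Return (ok, reason). ok is True only for a DN whose leaf RDN is CN=
    and which reaches a domain root through DC= components, i.e. the shape of
    an AD user object's DN."""
    parts = parse_dn(value)
    if parts is None:
        return (False, "not a distinguished name; use the object's DN "
                       "(CN=...,OU=...,DC=...), not its sAMAccountName")
    attrs = [a.upper() for a, _ in parts]
    if attrs[0] != "CN":
        return (False, "leaf RDN is not CN=; expected a user object's DN")
    if "DC" not in attrs:
        return (False, "no DC= components; the DN does not reach a domain root")
    return (True, "ok")


if __name__ == "__main__":
    # The two identities from the reply: sAMAccountName vs. the object's DN.
    for candidate in ("LDAPQuery",
                      "CN=LDAP Querier,OU=User Accounts,OU=Service Accounts,DC=domain,DC=local"):
        ok, reason = check_login_dn(candidate)
        print(f"{'OK ' if ok else 'BAD'} {candidate!r}: {reason}")
```

Run the check against the value before pasting it into `ldap-login-dn`; a bind that fails with a name such as 'LDAPQuery' is an ordinary invalid-credentials failure, and on the ASA that can surface as a generic authorisation failure rather than a clear "wrong DN" message, which is what made the IPv6 symptom and the DN mistake hard to tell apart in this thread.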

Jason Roysdon
Level 1

I also have the problem on 8.2(5) code.  ASA supports IPv6, but obviously it has problems with the LDAP portion with older code.  It looks like IPv6 support was added in 9.2 code.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/aaa-ldap.html

As a work-around, we just added the IPv4 IP addresses instead of the hostnames.


This is a weird one...  If I add the server with its IPv4 address it doesn't work - authentication simply fails.  Issuing the command 'test aaa-server LDAP host x.x.x.x username test password password' just results in the error 'ERROR: Authentication Server not responding: AAA Server has been removed'

If I add the aaa-server with its hostname and IPv6 is working, then try testing it, I get the error 'ERROR: Failed to resolve server name w2k8-dc.domain.local'.  I can however ping the hostname and it resolves to its IPv6 address (AAAA lookup).

If I disable IPv6 - i.e. remove the IPv6 addresses from all the interfaces, then clear the DNS cache it then starts to work - i.e. the ASA resolves the hostnames with A records and adds them to the list and I can see the IPv4 addresses in the output to 'show aaa-server protocol ldap'.

I am running 9.2(4)17.