Posts Tagged SSL

Cisco ASA and Windows Server 2008: Welcome Back LDAP

You may or may not have problems doing Windows-style authentication against Windows Server 2008 for AAA access on your ASA firewall.

I have seen it work and not work; I suspect the forests/domains were at different functional levels. I have also heard that Server 2008 doesn't support NTLM version 1.

If yours doesn't, or you simply want to use LDAP, read on. One reason to use LDAP is that you can stack attributes using Dynamic Access Policies.

The first problem I run into at a customer site is getting the ASA to talk to the domain controller while setting up the LDAP AAA server group. Usually it's an OU issue: to find the exact login DN string, run the dsquery command on the Domain Controller (DC):

dsquery user -samid ciscoldap
"CN=ciscoldap,OU=Service Accounts,OU=HQ,DC=somedomain,DC=com"

In the case above there was an additional OU of HQ. With the full DN entered, clicking the Test button in the AAA server group setup communicates successfully.

Be aware that a bad LDAP login credential gives the same error as a connectivity problem or the Windows firewall blocking the port.

Now the cool thing, IMHO, is that you can browse the various Windows attributes from within the ASA. I use this to “stack” attributes: instead of only controlling whether someone can log in based on the Remote Dial-in permission, I can also authorize them based on membership in a second group, or select a group policy depending on which AD attributes match.

To view the various AD groups that can be used as selection criteria, go to:

Remote Access VPN > Clientless SSL > Dynamic Access Policies

On the left select Add, then LDAP for the AAA Attribute type. Now click “Get AD Groups” and you can change filters, policies, etc. all based on AD group membership.

Ideal for keeping vendors limited to work hours and a single network asset.
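As an added example (not code from the original post), the Python script below takes the dsquery output shown above, splits the DN into its components to derive the LDAP base DN and bind DN an ASA aaa-server group needs, renders that group using the real ASA CLI keywords, and then simulates the attribute “stacking” a Dynamic Access Policy does on the memberOf and dial-in attributes AD returns. The server group name, interface, host address, policy names, group DNs and sample user records are constructed; the DAP evaluation is a simplified first-match model of the idea, not the ASA's own aggregation logic.

```python
import re

# Constructed sample: the DN string dsquery printed for the service account in the post.
DSQUERY_OUTPUT = '"CN=ciscoldap,OU=Service Accounts,OU=HQ,DC=somedomain,DC=com"'


def parse_dn(dn):
    """Split a distinguished name into ordered (type, value) pairs.
    Splits only on unescaped commas, so an RDN such as 'OU=Sales\\, West' survives."""
    dn = dn.strip().strip('"')
    pairs = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, _, value = rdn.partition('=')
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def base_dn(dn):
    """Domain root (DC components only): the ldap-base-dn for a subtree search."""
    return ','.join(f'{k}={v}' for k, v in parse_dn(dn) if k == 'DC')


def asa_ldap_server_group(name, interface, host, login_dn):
    """Render the aaa-server group that the ASDM 'Test' button exercises.
    Command keywords are real ASA CLI; the group name, interface, host and
    the password placeholder are constructed for this example."""
    bind_dn = login_dn.strip().strip('"')
    return '\n'.join([
        f'aaa-server {name} protocol ldap',
        f'aaa-server {name} ({interface}) host {host}',
        f' ldap-base-dn {base_dn(login_dn)}',
        ' ldap-scope subtree',
        ' ldap-naming-attribute sAMAccountName',
        f' ldap-login-dn {bind_dn}',
        ' ldap-login-password <ldap-password>',
        ' server-type microsoft',
    ])


# Constructed DAP records.  Criteria within a record are ANDed ("stacked"):
# every listed AD attribute must match.  msNPAllowDialin is the AD attribute
# behind the Dial-in permission; memberOf carries the group DNs.
DAP_RECORDS = [
    {'name': 'Vendor-Restricted', 'group_policy': 'GP-Vendor',
     'criteria': {'msNPAllowDialin': 'TRUE',
                  'memberOf': 'CN=VPN-Vendors,OU=Groups,DC=somedomain,DC=com'}},
    {'name': 'Staff-Full', 'group_policy': 'GP-Staff',
     'criteria': {'msNPAllowDialin': 'TRUE',
                  'memberOf': 'CN=VPN-Staff,OU=Groups,DC=somedomain,DC=com'}},
]


def attribute_matches(user_attrs, attr, wanted):
    """memberOf is multi-valued in AD; a criterion matches if any value equals it."""
    values = user_attrs.get(attr, [])
    if isinstance(values, str):
        values = [values]
    return any(v.lower() == wanted.lower() for v in values)


def select_group_policy(user_attrs, records=DAP_RECORDS):
    """Return the group policy of the first DAP record whose criteria all match,
    or None when nothing matches (the caller treats None as deny)."""
    for rec in records:
        if all(attribute_matches(user_attrs, a, w) for a, w in rec['criteria'].items()):
            return rec['group_policy']
    return None


if __name__ == '__main__':
    print(asa_ldap_server_group('AD-LDAP', 'inside', '10.0.0.10', DSQUERY_OUTPUT))
    vendor = {'msNPAllowDialin': 'TRUE',
              'memberOf': ['CN=VPN-Vendors,OU=Groups,DC=somedomain,DC=com']}
    print(select_group_policy(vendor))
```

Because a wrong bind DN and a blocked port produce the same ASA error, generating the ldap-login-dn straight from the dsquery output removes one of the two causes before you start looking at the firewall; the dial-in check stays in every record so a disabled account never gets a policy just because it is still in a group.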


GoDaddy SSL Certs and PalmOS

Just re-upped my cert for my Exchange server to talk to my Treo 750. I bought a 750 because the 650 broke; Sprint said that the 750 would just replace my 650 and nothing else would change.

Well, many bills later and many calls to their billing department, we got the bill down to within $14 a month of what it used to be. They claimed that they didn't offer a month-to-month unlimited data plan, in spite of the fact that that's what had been on my 650. They also kept adding some form of picture-sharing charge or some such thing.

But the most noticeable thing was that VersaMail no longer worked with self-signed SSL certs on my Exchange server. I did everything suggested, which was loading an executable to modify some registry-type setting on the Palm, to no avail, including opening the non-SSL port, which was the whole point of having a cert (it is required for the first part of the handshake when using self-signed certs).

So I bought a GoDaddy cert. Problem solved for a year.

This year, however, I found out that the new GoDaddy Class 2 certs don't work with PalmOS. They don't. Google for the reason why; I am just trying to save time.

GoDaddy SSL certs don't work with Palm OS.
