Not understanding Cisco AAA with ldap_server_auto for auth proxy


#1

Hello,

I’m new to Duo and secondary authentication.

I’d like to use LDAP via the authentication proxy to authenticate users to my Cisco ASA.

I already have an LDAP application set up in Duo for Cisco SSL VPN, and I’m unsure if I can repurpose this application for use with the authentication proxy.

Here is the config with ikey and skey removed:

[ad_client]
host=DC1.contoso.corp
host_2=DC2.eminence.corp
service_account_username=ldapperdan
service_account_password_protected=[something]
search_dn=DC=contoso,DC=corp
security_group_dn=CN=VPN Duo Users,OU=Groups,DC=contoso,DC=corp
transport=ldaps
ssl_ca_certs_file=contoso_ca_base64.cer
ssl_verify_hostname=true
auth_type=ntlm2


[ldap_server_auto]
ikey=[integration key from Cisco SSL VPN app]
skey_protected=[protected secret key from Cisco SSL VPN app]
client=ad_client
factors=push,passcode
failmode=safe
port=6389
interface=0.0.0.0

The authentication proxy accepts connections on that port, but I am unsure how to bind and what credentials to bind with. If I try the service_account_username I receive a failure. Note that this user can bind successfully to my global catalog servers’ LDAP.

Assistance is appreciated.

Thanks,

Matt


#2

Hi Matt,

It sounds like you may be mixing up the documentation for our Cisco primary and alternate configuration processes.

The two configurations have a variety of differences, so I would recommend referencing this knowledge base article to understand your options before moving forward with configuration: https://help.duo.com/s/article/2295.

If you’re going to use the alternate configuration with the Authentication Proxy, you will need to create a Cisco RADIUS VPN application in the Duo Admin Panel per the alternate configuration process here: https://duo.com/docs/cisco-alt.

The primary instructions, which do not use the proxy, can be found here: https://duo.com/docs/cisco.

Hopefully that helps! If you encounter issues while following the docs from scratch, I’d recommend reaching out to our Support Team so they can perform some in-depth troubleshooting. You can reach them via email at support@duo.com.


#3

These options appear to be focused on SSL VPN/AnyConnect.

Truly, I am trying to not use RADIUS, but instead use LDAP for secondary authentication for IPsec clients on the ASA. Is this possible?

Thanks,

Matt


#4

Hi Matt,

It is possible to utilize the [ldap_server_auto] section with a Cisco ASA IPsec VPN. We host documentation for the Cisco IPsec that can be found below, to assist with the Cisco ASA side of the setup:

In regards to the example Duo Authentication Proxy configuration the above documentation shows, you can replace the [radius_server_auto] section with the [ldap_server_auto] as you see fit. You can even utilize most if not all of the config from your first post if you’d like. You may need to alter the above configuration but that should put you on the right track for a working configuration in the end.

If you run into issues with the setup, our Support team is always ready to help if you have your Duo Authentication Proxy config file as well as your log file on hand for them to take a look over!


#5

Thanks, for some reason the bind creds were throwing me off (not sure if they’re in docs?).

According to support:

The binding credentials for the [ad_client] section are the service_account_username and the service_account_password. The base DN should be configured in the AD client under search_dn. Please look at the following:
https://duo.com/docs/authproxy_reference#ad_client
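As an added example (not from this thread or from Duo), a small checker that reads an authproxy.cfg shaped like the one in post #1 and verifies the points made in posts #4 and #5: the [ldap_server_auto] section must point at a section that actually exists, both sections need their credentials, and the bind account and base DN the ASA should present are that client section's service_account_username and search_dn. The ikey, skey_protected and api_host values in the sample are placeholders, and api_host is assumed from Duo's published proxy reference rather than shown in the thread's redacted config.

```python
import configparser

# Constructed sample modelled on post #1. ikey/skey/api_host are placeholders;
# api_host is a required key that the thread's redacted config does not show.
SAMPLE_CFG = """
[ad_client]
host=DC1.contoso.corp
service_account_username=ldapperdan
service_account_password_protected=PLACEHOLDER
search_dn=DC=contoso,DC=corp
transport=ldaps
ssl_ca_certs_file=contoso_ca_base64.cer

[ldap_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey_protected=PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
port=6389
"""

def load_cfg(text):
    cp = configparser.ConfigParser(interpolation=None)  # keep '%' in secrets literal
    cp.read_string(text)
    return cp

def check_authproxy(cp):
    """Return a list of problems; an empty list means the cross-checks passed."""
    if not cp.has_section("ldap_server_auto"):
        return ["missing [ldap_server_auto] section"]
    srv, problems = cp["ldap_server_auto"], []
    if not (srv.get("skey") or srv.get("skey_protected")):
        problems.append("[ldap_server_auto] needs skey or skey_protected")
    problems += [f"[ldap_server_auto] missing {k}" for k in ("ikey", "api_host", "port") if not srv.get(k)]
    client = srv.get("client", "")
    if not cp.has_section(client):  # section that primary auth is forwarded to
        return problems + [f"client={client!r} does not name a section in this file"]
    ad = cp[client]
    problems += [f"[{client}] missing {k}" for k in ("host", "service_account_username", "search_dn") if not ad.get(k)]
    if not (ad.get("service_account_password") or ad.get("service_account_password_protected")):
        problems.append(f"[{client}] needs service_account_password or service_account_password_protected")
    if ad.get("transport") == "ldaps" and not ad.get("ssl_ca_certs_file"):
        problems.append(f"[{client}] transport=ldaps without ssl_ca_certs_file")
    return problems

def bind_identity(cp):
    """Bind account, base DN and proxy port the ASA should use, per post #5."""
    ad = cp[cp["ldap_server_auto"]["client"]]
    return {"bind_username": ad["service_account_username"], "base_dn": ad["search_dn"],
            "proxy_port": int(cp["ldap_server_auto"]["port"])}
```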