Objective: To resolve authentication failures that arise while setting up Firepower AnyConnect (remote access VPN) authentication against Active Directory over LDAPS.
Issue description:
The issue arises when Firepower Threat Defense (FTD) cannot complete the TLS connection to the LDAPS server (LDAP over SSL/TLS, normally TCP 636) that it uses for VPN user authentication, so AnyConnect users see a "Login error" and the FTD reports the authentication server as unreachable ("No such server"). The usual cause is that the certificate presented by the Active Directory domain controller was issued by a certificate authority (CA) that the FTD does not trust, so the TLS handshake fails before any LDAP bind is attempted.
Follow these steps to resolve the authentication issues:
- Obtain the certificate of the certificate authority (CA) that issued the domain controller's LDAPS certificate and open the .cer file in a text editor. For LDAPS trust this CA certificate is all that the FTD needs; it does not need an identity certificate of its own.
- If the domain controller does not yet hold a certificate from that CA, request one with OpenSSL (the original steps run these from the FTD CLI, but any host with OpenSSL will do):
- Type openssl genrsa -out FTD-1.key 2048 to generate a private key.
- Type openssl req -new -key FTD-1.key -out FTD-1.csr to create a CSR file.
- Send the CSR file to the CA.
- The CA signs the CSR and issues a certificate that chains to the CA certificate.
- On the Windows CA, run certsrv.msc (not certsrv.msv) to open the Certification Authority console, where both the issued certificate and the CA's own certificate can be found and exported.
- Install the issued certificate on the domain controller and restart Active Directory Domain Services so that LDAPS starts presenting it.
- Verify that the CA certificate is Privacy Enhanced Mail (PEM) encoded: it must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----. A binary (DER) export will not paste into FMC; convert it to Base-64 (PEM) first.
- Copy the full contents of the certificate, including the BEGIN and END lines.
- In Firepower Management Center (FMC), go to Objects > Object Management > PKI > Cert Enrollment, click Add Cert Enrollment, and enter a name (Example: LDAPS-CA).
- Under the CA Information tab, select Manual as the Enrollment Type.
- Paste the copied certificate text into the CA Certificate field.
- Click Save.
- Next, in FMC go to Devices > Certificates.
- Click Add.
- In the Add New Certificate dialog, choose your Firepower Threat Defense (FTD) under Device and, under Cert Enrollment, the object you created earlier (LDAPS-CA in the example).
- Click Add, then Save, and deploy the configuration to the FTD.
The FTD now trusts the CA that issued the domain controller's certificate, the LDAPS session to Active Directory completes, and AnyConnect users can authenticate to the FTD with their AD credentials. If logins still fail, check that the realm or AAA server object in FMC is configured for LDAPS (port 636) and that the certificate the domain controller actually presents chains to the CA you imported.
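The following shell script is an added example, not part of the original article, that rebuilds the certificate chain the procedure relies on with OpenSSL and runs the check you want before pasting anything into FMC: does the CA certificate validate the certificate the domain controller will present over LDAPS? The CA name lab-ca, the domain controller name dc1.example.local and the file names are assumptions for a lab; in production the CA certificate is exported from the Windows CA rather than generated here. The script also shows why a DER-encoded .cer fails to paste and how to convert it, and that a CA which did not issue the DC's certificate is rejected, which is the failure state the article describes.

```shell
#!/bin/sh
# Added example, not from the original article. Builds a lab CA and a
# domain-controller (LDAPS server) certificate with OpenSSL, then runs the
# trust check the FTD performs during the TLS handshake to the LDAP server.
# Assumed lab names: CA "lab-ca", domain controller "dc1.example.local".
set -eu

WORK="${WORK:-$(mktemp -d)}"
DC_FQDN="dc1.example.local"   # name the LDAPS server presents (assumed)

# Stand-in for the Windows CA you would open with certsrv.msc. In production
# you export the CA certificate from there instead of generating one.
make_lab_ca() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = lab-ca
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$WORK/req.cnf" -subj "/CN=lab-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# The two commands from the article: private key, then CSR. They are run for
# the host that will present the certificate, here the domain controller.
make_dc_csr() {
  openssl genrsa -out "$WORK/dc1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/dc1.key" -config "$WORK/req.cnf" \
    -subj "/CN=$DC_FQDN" -out "$WORK/dc1.csr" 2>/dev/null
}

# What the CA does with the CSR: sign it. A DC certificate for LDAPS needs
# the FQDN in subjectAltName and the serverAuth extended key usage.
sign_dc_cert() {
  printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$DC_FQDN" \
    > "$WORK/dc1.ext"
  openssl x509 -req -in "$WORK/dc1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/dc1.ext" -out "$WORK/dc1.crt" 2>/dev/null
}

# The Manual enrollment box in FMC takes PEM ("Base-64 encoded X.509") text.
is_pem_cert() {
  head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----$'
}

# A .cer exported as binary DER will not paste; convert it to PEM first.
der_to_pem() {
  openssl x509 -inform DER -in "$1" -out "$2"
}

# The trust check: does this CA certificate validate the DC's certificate,
# and does the name the FTD will connect to appear in it?
verify_chain() {
  openssl verify -CAfile "$1" -verify_hostname "$DC_FQDN" "$WORK/dc1.crt" >/dev/null 2>&1
}

main() {
  make_lab_ca
  make_dc_csr
  sign_dc_cert

  # Simulate a DER export from the CA console and the fix for it.
  openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.cer"
  if is_pem_cert "$WORK/ca.cer"; then
    echo "unexpected: DER file looked like PEM"; exit 1
  fi
  der_to_pem "$WORK/ca.cer" "$WORK/ca-pem.cer"

  verify_chain "$WORK/ca-pem.cer"
  echo "OK: $DC_FQDN certificate chains to the CA; paste this into FMC (Manual enrollment):"
  cat "$WORK/ca-pem.cer"

  # A CA that did not issue the DC certificate must be rejected: this is the
  # state the FTD is in before the correct CA is deployed.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/req.cnf" \
    -subj "/CN=other-ca" -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
  if verify_chain "$WORK/other.pem"; then
    echo "unexpected: untrusted CA validated the DC certificate"; exit 1
  fi
  echo "OK: unrelated CA rejected, as the FTD would before LDAPS-CA is deployed"
}

main
```

Run it on any host with OpenSSL. To check a live domain controller instead of the lab certificate, run openssl s_client -connect dc1.example.local:636 -CAfile ca.pem against the server (hostname assumed) and look for "Verify return code: 0 (ok)" in the output; any other code means the FTD will reject the same chain once the CA object is deployed.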