locked
MFA not taking authentication from firewall. RRS feed

  • Question

  • Have server installed separately from domain controllers.  Need to have my ASA connect to the MFA server.  However it doesn't connect or test properly when I point to the MFA server.   Test from within MFA server work.  I am able to pull users from AD.  I can then test text and phone call 2 factor (haven't set up mobile yet).  However from my ASA I cannot even make the connection when I go into test it from AAA server group.  Maybe it is not passing through the LDAP credentials?  Or maybe I need to set up the same LDAP user on the MFA server?

    Running MFA on Windows 2012 and have ASA5515-X running:

    Cisco Adaptive Security Appliance Software Version 9.6(2)2
    Device Manager Version 7.6(2)150

    MFA server 7.1.2.1

    Thursday, January 5, 2017 7:25 PM

All replies

  • Hi, 
    Thank you for contacting Microsoft forums. We are pleased to answer your query.

    Azure Multi-Factor Authentication seamlessly integrates with your Cisco ASA VPN appliance to provide additional security for Cisco AnyConnect VPN logins and portal access. This can be done using either the LDAP or RADIUS protocol.
    Kindly refer the documentation on Cisco ASA VPN Appliance and Azure Multi-Factor Authentication in the following link below: 
    https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-advanced-vpn-configurations#cisco-asa-vpn-appliance-and-azure-multi-factor-authentication

    I hope that the reply will assist you in getting your query addressed. In case you require further assistance, please do reply to the thread as we are always available to your queries. 

    Regards
    Vijisankar
    Friday, January 6, 2017 9:41 AM
  • I have followed that document and I am able to see that the server is up and running as its listening on TCP 389 and TCP 636.

    However when testing from the firewall to the MFA server the test fails.  The logging on shows the following for secure and non secure LDAP queries.

    2017-01-09T15:30:13.427901Z|e|3904|3976|trace|w|LdapProxyServer|Cannot accept new SSL connection from x.x.x.x. Server certificate was not properly loaded.
    2017-01-09T15:36:20.846303Z|e|3904|3976|trace|w|LdapProxyServer|Cannot accept new SSL connection from x.x.x.x. Server certificate was not properly loaded.
    2017-01-09T15:38:01.021486Z|e|3904|3976|trace|w|LdapProxyServer|Cannot accept new SSL connection from x.x.x.x. Server certificate was not properly loaded.
    2017-01-09T15:39:32.680768Z|i|3904|3132|LdapServerSslConnection|SSL handshake with server ASAx.x.x.x:636 succeeded.
    2017-01-09T15:39:32.680768Z|i|3904|3132|LdapProxyContext|Proxying data between ASAx.x.x.x:45674 -> DCx.x.x.x:636
    2017-01-09T15:39:32.680768Z|i|3904|2616|LdapProxyContext|Received LDAP bind request from DCx.x.x.x:45674.
    2017-01-09T15:39:32.680768Z|i|3904|2616|BindRequestMessage|User name for Simple authentication is: "CN=LDapAdmin,OU=ServiceAccounts,OU=IT,OU=Users,DC=nexus,DC=internal"
    2017-01-09T15:39:32.680768Z|i|3904|3132|LdapProxyContext|Received LDAP bind response. ResultCode = Success.
    2017-01-09T15:39:32.680768Z|i|3904|3132|LdapProxyContext|Removed bind context between ASAx.x.x.x:45674 ->  DCx.x.x.x:636
    2017-01-09T15:39:32.680768Z|i|3904|3132|LdapProxyContext|Doing PhoneFactor authentication for user: "CN=El Dap,OU=ServiceAccounts,OU=IT,OU=Users,OU=WEG,DC=nexus,DC=internal". RequireUserMatch=true
    2017-01-09T15:39:32.696393Z|i|3904|3132|LdapProxyContext|PhoneFactor authentication failed (rawCallStatus: -101).
    2017-01-09T15:39:32.696393Z|i|3904|3132|LdapProxyContext|Sending failed bind response and closing connection...
    2017-01-09T15:39:32.696393Z|e|3904|2616|LdapClientConnection|Failed to read from client ASAx.x.x.x:45674: The network connection was aborted by the local system (0x04D4 = 1236)
    2017-01-09T15:39:32.696393Z|e|3904|3132|LdapServerSslConnection|Failed to read from server  DCx.x.x.x:636: The network connection was aborted by the local system (0x04D4 = 1236)
    2017-01-09T15:39:32.696393Z|i|3904|3132|LdapClientConnection|Object for client connectionASAx.x.x.x:45674 destroyed.
    2017-01-09T15:39:32.696393Z|i|3904|3132|LdapServerConnection|Object for server connection  DCx.x.x.x:636 destroyed.
    2017-01-09T15:39:32.696393Z|i|3904|2616|LdapProxyContext|LdapProxyContext was destroyed.

    Monday, January 9, 2017 3:44 PM
  • Hi,

    You needs to have the LDAP bind account imported in the MFA server and MFA disabled and set to succeed authentication
    And also the test from the ASA appliance will always fail as is not passing an username to authenticate, so you need to make the test with a full authentication workflow.

    Regards,

    Vijisankar


    Wednesday, January 11, 2017 10:42 AM
  • Did you ever get this resolved? I'm trying the same thing, getting my ASA to use AzureMFA for 2FA, I can see ports 636 and 389 are listening, I can connect using other methods, but can never successfully test from my ASA.

    Tuesday, June 19, 2018 10:53 PM
  • @CrazyLefty - I would suggest you to check the logs from ASA to MFA server and also make the test with a full authentication workflow. You may also contact cisco community for this - https://supportforums.cisco.com/t5/vpn/bd-p/6001-discussions-vpn

    Disclaimer: This response contains a reference to a third-party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet. 

    Wednesday, June 20, 2018 6:44 PM
  • Just checking in if you have had a chance to see the previous response. If that answers your query, do click “Mark as Answer” and Up-Vote for the same. If you have any further query, then do let us know.

    Saturday, June 23, 2018 11:09 AM