[cisco-voip] [EXT] Re: Field Notice from Cisco making Secure LDAP mandatory

Daniel Pagan dpagan at fidelus.com
Thu Feb 13 13:36:50 EST 2020


Just a heads up – I spoke w/ TAC who then spoke with the authors of the bulletin. They agreed to update the article to better reflect the new timeline posted by Microsoft and add clarification that LDAP functionality will not in fact break in March due to the patch expected in that month. The update will contain something along the lins of:

“This [Microsoft] security update is not expected to become mandatory until fall 2020. However, it's recommended that you update your Cisco Collaboration deployment to use Secure LDAP as soon as possible. This will both secure your LDAP connection and will also ensure that services remain up and running when the security update becomes mandatory.”

- Daniel Pagan

From: cisco-voip <cisco-voip-bounces at puck.nether.net> On Behalf Of Daniel Pagan
Sent: Tuesday, February 11, 2020 2:36 PM
To: Lelio Fulgenzi <lelio at uoguelph.ca>; Matthew Loraditch <MLoraditch at heliontechnologies.com>
Cc: voyp list, cisco-voip (cisco-voip at puck.nether.net) <cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] [EXT] Re: Field Notice from Cisco making Secure LDAP mandatory

Whoops – sent the email a bit prematurely…

Here’s a link to that VMware article with a recent update mentioning that defaults will not be changing in March.

https://blogs.vmware.com/vsphere/2020/01/microsoft-ldap-vsphere-channel-binding-signing-adv190023.html

It seems the Cisco article is a bit behind and needs to be updated. Hopefully this buys everyone some time, especially for those supporting a number of environments.

- Daniel Pagan


From: Daniel Pagan
Sent: Tuesday, February 11, 2020 2:33 PM
To: Lelio Fulgenzi <lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>>; Matthew Loraditch <MLoraditch at heliontechnologies.com<mailto:MLoraditch at heliontechnologies.com>>
Cc: voyp list, cisco-voip (cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>) <cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>>
Subject: RE: [EXT] Re: [cisco-voip] Field Notice from Cisco making Secure LDAP mandatory

It does not appear Microsoft will be enforcing LDAP over TLS with this upcoming patch. While the original plan was indeed to tighten this up, it seems this requirement is being delayed until after Q2 of the year.

The advisory was updated February 4th and shows:
Windows Updates in March 2020 add new audit events, additional logging, and a remapping of Group Policy values that will enable hardening LDAP Channel Binding and LDAP Signing. The March 2020 updates do not make changes to LDAP signing or channel binding policies or their registry equivalent on new or existing domain controllers.
A further future monthly update, anticipated for release the second half of calendar year 2020, will enable LDAP signing and channel binding on domain controllers configured with default values for those settings.
I found that VMware updated their advisory to reflect this recent change to Microsoft’s timeline two days later:
“Update (2/6/2020): On February 4, 2020 Microsoft changed their guidance for the March 2020 Windows Updates to indicate that the defaults will NOT be changing in that update.”




From: cisco-voip <cisco-voip-bounces at puck.nether.net<mailto:cisco-voip-bounces at puck.nether.net>> On Behalf Of Lelio Fulgenzi
Sent: Sunday, February 9, 2020 6:05 PM
To: Matthew Loraditch <MLoraditch at heliontechnologies.com<mailto:MLoraditch at heliontechnologies.com>>
Cc: voyp list, cisco-voip (cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>) <cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>>
Subject: [EXT] Re: [cisco-voip] Field Notice from Cisco making Secure LDAP mandatory

I believe we had to load two certs.

And, after loading certs, restart tomcat.


Sent from my iPhone

On Feb 9, 2020, at 5:23 PM, Matthew Loraditch <MLoraditch at heliontechnologies.com<mailto:MLoraditch at heliontechnologies.com>> wrote:
Interesting. Our root cert is and has been loaded, but I’m still using just the IPs so normally that would make the handshake fail.

Get Outlook for iOS<https://aka.ms/o0ukef>

Matthew Loraditch​
Sr. Network Engineer
p: 443.541.1518<tel:443.541.1518>
w: www.heliontechnologies.com<http://www.heliontechnologies.com/>
 |
e: MLoraditch at heliontechnologies.com<mailto:MLoraditch at heliontechnologies.com>
<image367180.png><http://www.heliontechnologies.com/>
<image755198.png><https://facebook.com/heliontech>
<image389775.png><https://twitter.com/heliontech>
<image921900.png><https://www.linkedin.com/company/helion-technologies>
<image157220.jpg>
________________________________
From: Lelio Fulgenzi <lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>>
Sent: Sunday, February 9, 2020 5:15:40 PM
To: Matthew Loraditch <MLoraditch at heliontechnologies.com<mailto:MLoraditch at heliontechnologies.com>>
Cc: James Buchanan <james.buchanan2 at gmail.com<mailto:james.buchanan2 at gmail.com>>; voyp list, cisco-voip (cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>) <cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>>
Subject: Re: [cisco-voip] Field Notice from Cisco making Secure LDAP mandatory

[EXTERNAL]


I couldn’t get secure ldap to work without loading the certificates from the AD servers. I also had more luck using the global catalog ports.
Sent from my iPhone

On Feb 9, 2020, at 5:05 PM, Matthew Loraditch <MLoraditch at heliontechnologies.com<mailto:MLoraditch at heliontechnologies.com>> wrote:
I was wondering if they were going to post anything as it’s very unclear if ldap over tls was the fix.

Apparently (and amen) it is. Did it on our office system last week to see if it would work without any certificate needs. It just worked and during a save it will instantly tell you if it worked or not.

Outside of the most regimented environments you should be able to just make the change. If it fails talk to your AD team as they would likely have something blocked or disabled.

Get Outlook for iOS<https://aka.ms/o0ukef>

Matthew Loraditch​
Sr. Network Engineer
p: 443.541.1518<tel:443.541.1518>
w: www.heliontechnologies.com<http://www.heliontechnologies.com/>
 |
e: MLoraditch at heliontechnologies.com<mailto:MLoraditch at heliontechnologies.com>
<image502755.png><http://www.heliontechnologies.com/>
<image552534.png><https://facebook.com/heliontech>
<image068119.png><https://twitter.com/heliontech>
<image315640.png><https://www.linkedin.com/company/helion-technologies>
<image132003.jpg>
________________________________
From: cisco-voip <cisco-voip-bounces at puck.nether.net<mailto:cisco-voip-bounces at puck.nether.net>> on behalf of James Buchanan <james.buchanan2 at gmail.com<mailto:james.buchanan2 at gmail.com>>
Sent: Sunday, February 9, 2020 4:57:40 PM
To: voyp list, cisco-voip (cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>) <cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>>
Subject: [cisco-voip] Field Notice from Cisco making Secure LDAP mandatory

[EXTERNAL]

Hello folks,

I know you all needed some more work. I sure did! So here you are!

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/trouble/12_5_1/fieldNotice/cucm_b_fn-secure-ldap-mandatory-ad.html

I'm interested in any early thoughts on other integrations--vCenter, ISE, VPN, TACACS, etc. I assume it applies across the board.

Thanks,

James

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20200213/8c811190/attachment.htm>


More information about the cisco-voip mailing list