Hi all,
I'm trying to configure an LDAP connection to authenticate VPN users with IPSec security between my new ISA550 device and
Unfortunately, it's impossible to launch an LDAP request from the router to my DC (Active Directory Win 2008 R2 with a classic LAN configuration for a small company).
The DC is configured on the LAN port with the 10.10.2.1 IP address. Maybe 10 user accounts are created in the User container without schema modification, and some security groups are created.
I used the following configuration in User > User Authentication: LDAP + local database
I always get the same error message: Server time out....
Please help me.
Thanks.
Hello Benoit,
Configuration steps documented in the below article may be of help.
Regards,
Nagaraja
Hello Nagaraja,
Thanks for your reply but I already tried to configure the router with this document.
I have the same error message....
I created an SSLVPN Policy, a security group, a "test" user,... as in the documentation.
I have two questions:
1°) Is it possible to authenticate users with the IPSec protocol (without SSLVPN)?
2°) Is it necessary to have the DC (AD Server) outside the LAN zone (as presented on page 2)?
Thanks again.
Regards.
Hi Benoit,
Server timeout typically means that the ISA is not receiving a response from the Server. Can you ping the Server from the ISA? Also, please try disabling (for testing only) the Firewall on the Server and test. We've seen cases where the Firewall on the Server was blocking the LDAP requests. Finally, you can run a packet capture on the ISA on the LAN to see what is going on with the LDAP communication.
Regarding your questions: Yes, you should be able to authenticate IPSec users and the Server can be on the inside (LAN). That was just an example they used on page 2.
Let me know if you have any questions regarding this.
Thanks,
Brandon
Hello Brandon,
Thanks for your answer.
To give you my feedback:
- Yes, I can ping my DC from the ISA.
- I have disabled the Windows firewall on the DC (turned off for all zones) and launched a query: I always receive "Server TimeOut"...
- OK for the DC inside the LAN zone (I saw it in the troubleshooting part of the document...)
I will launch Packet Capture tool to see traffic on the first LAN port...
Regards.
Hi Benoit,
Ok, so if you can ping and you have disabled the firewall, then hopefully the packet captures will indicate what's going on.
Thanks,
Brandon
Brandon,
After investigation with packet captures, I receive this error:
LDAPMessage bindResponse(1) strongAuthRequired (00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1)
Do you know what the problem is?
Thanks.
Try ldap port 636
Hello ciscomax,
Thanks for your reply.
I've tried with this port number. Still the same error....
I tried to use a simple LDAP client (ldp.exe) to launch a request.
It seems that simple binding with a Windows account doesn't work...
I continue to investigate...
Regards.
Please find the error returned by ldp.exe:
res = ldap_simple_bind_s(ld, 'test',
Error <8>: ldap_simple_bind_s() failed: Strong Authentication Required
Server error: 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1
Error 0x2028 A more secure authentication method is required for this server.
Hm, I'm not really sure if the ISA supports LDAPS; perhaps you can change the Windows server to accept cleartext binds?
Michael
Please rate all helpful posts
Hello ciscomax,
Yes, I have turned "LDAP server signing requirements" from "Require signing" to "None".
It works. I can launch an LDAP request from the ISA to the DC and can now resolve a Windows account.
I'm just a little afraid of having to deactivate a main Active Directory policy to give VPN access to my users....
Do you know if it's possible to find another way? I really think it's insecure....
You can check the policy in the screenshot.
Regards.
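A check that belongs with relaxing that policy, added here as an example and not part of the thread: on the 2008 R2 DC, PowerShell can turn on LDAP interface event logging and list which clients are binding without signing or over cleartext LDAP (Directory Service event 2889), so the exposure created by setting the requirement to None can be confirmed to be limited to the ISA550. The registry value, log name, event id and message fields are Microsoft's; the 24-hour window and the column names are assumptions.

```powershell
# Added example (not from the thread): audit which clients bind to the DC
# without LDAP signing or over cleartext LDAP, so that relaxing
# "LDAP server signing requirements" can be limited to the ISA550.
# Run in an elevated PowerShell session on the domain controller.

# 1. Diagnostic level 2 for "16 LDAP Interface Events" makes the DC log
#    Directory Service event 2889 for each unsigned/cleartext bind
#    (event 2887 is only the 24-hour summary count). Let clients bind for a
#    while after this before running the collection below.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $ntds -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# 2. Collect 2889 events from the last 24 hours (window is an assumption).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

# 3. Parse client address, identity and binding type out of the message text.
#    Binding Type 0 = SASL bind without signing, 1 = simple bind over cleartext.
$report = foreach ($e in $events) {
    $client = '?'; $identity = '?'; $bindType = -1
    if ($e.Message -match 'Client IP address:\s*(\S+)') { $client   = $Matches[1] }
    if ($e.Message -match 'authenticate as:\s*(\S+)')    { $identity = $Matches[1] }
    if ($e.Message -match 'Binding Type:\s*(\d)')        { $bindType = [int]$Matches[1] }
    New-Object PSObject -Property @{
        Time = $e.TimeCreated; Client = $client; Identity = $identity; BindType = $bindType
    }
}

# 4. Summarise per client and bind type. With the ISA550 as the only intended
#    cleartext binder, any other client address here is unexpected exposure.
$report | Group-Object Client, BindType | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Client';     e = { $_.Group[0].Client } },
        @{ n = 'BindType';   e = { $_.Group[0].BindType } },
        @{ n = 'Identities'; e = { ($_.Group | Select-Object -ExpandProperty Identity | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# 5. When the audit period is over, return logging to its default level:
#    Set-ItemProperty -Path $ntds -Name '16 LDAP Interface Events' -Value 0 -Type DWord
```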
You could use RADIUS; the credentials are secured with the shared secret.
No high security, but ok for this.
Michael