ISA550 - LDAP authentication configuration problem

Hi all,

I'm trying to configure an LDAP connection to authenticate VPN users with IPSec security, between my new ISA550 device and

Unfortunately, it's impossible to launch an LDAP request from the router to my DC (Active Directory on Windows 2008 R2 with a classic LAN configuration for a small company).

The DC is connected to a LAN port with the IP address 10.10.2.1. About 10 user accounts have been created in the Users container without schema modification, plus some security groups.

I used the following configuration in User > User Authentication: LDAP + local database

I always get the same error message: Server timeout...

Please help me.

Thanks.


Hello Benoit,

The configuration steps documented in the article below may be of help.

http://www.cisco.com/en/US/docs/security/small_business_security/isa500/technical_reference/ad_radius/isa500_ad_radius_appnote.pdf

Regards,

Nagaraja


Hello Nagaraj,

Thanks for your reply, but I already tried to configure the router following this document.

I have the same error message....

I created an SSLVPN policy, a security group, a "test" user, ... as in the documentation.

I have two questions:

1) Is it possible to authenticate users with the IPSec protocol (without SSLVPN)?

2) Is it necessary to have the DC (AD server) outside the LAN zone (as presented on page 2)?

Thanks again.

Regards.


Hi Benoit,

Server timeout typically means that the ISA is not receiving a response from the Server.  Can you ping the Server from the ISA?  Also, please try disabling (for testing only) the Firewall on the Server and test.  We've seen cases where the Firewall on the Server was blocking the LDAP requests.  Finally, you can run a packet capture on the ISA on the LAN to see what is going on with the LDAP communication.

Regarding your questions:  Yes, you should be able to authenticate IPSec users and the Server can be on the inside (LAN).  That was just an example they used on page 2.

Let me know if you have any questions regarding this.

Thanks,

Brandon


Hello Brandon,

Thanks for your answer.

To give you my feedback:

- Yes, I can ping my DC from the ISA.

- I have disabled the Windows firewall on the DC (turned off for all zones) and launched a query: I still receive "Server TimeOut"...

- OK for the DC inside the LAN zone (I saw it in the troubleshooting part of the document...)

I will launch the Packet Capture tool to see the traffic on the first LAN port...

Regards.


Hi Benoit,

Ok, so if you can ping and you have disabled the firewall, then hopefully the packet captures will indicate what's going on. 

Thanks,

Brandon


Brandon,

After investigating with packet captures, I receive this error:

LDAPMessage bindResponse(1) strongAuthRequired (00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1)

Do you know what the problem is?

Thanks.


Try LDAP port 636.


Michael

Hello ciscomax,

Thanks for your reply.

I've tried with this port number. Always the same error...

I tried to use a simple LDAP client (ldp.exe) to launch a request.

It seems that simple binding with a Windows account doesn't work...

I continue to investigate...

Regards.


Please find the error returned by the ldp.exe call:

res = ldap_simple_bind_s(ld, 'test', ); // v.3

Error <8>: ldap_simple_bind_s() failed: Strong Authentication Required

Server error: 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1

Error 0x2028 A more secure authentication method is required for this server.

res = ldap_simple_bind_s(ld, 'test', ); // v.3
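The bindResponse in the packet capture and the ldp.exe output above both carry LDAP result code 8 (strongAuthRequired, RFC 4511) with Active Directory's 00002028 diagnostic. The following is an added example, not code from the thread, from Cisco or from Microsoft: it hand-encodes the simple BindRequest that a plain-LDAP client such as the ISA or ldp.exe sends, and parses a bindResponse with the BER rules of RFC 4511, so it runs offline. The response bytes are constructed here to match the capture; the bind DN and password in the demo are hypothetical.

```python
"""Decode the LDAP bindResponse the packet capture and ldp.exe reported.

Added example for this thread (not code from Cisco, Microsoft or the posters).
It hand-encodes the simple BindRequest a plain-LDAP client sends and parses a
bindResponse with the BER rules of RFC 4511, so it runs offline. The response
bytes are constructed below to match the capture (result code 8, AD 00002028)."""
from dataclasses import dataclass

STRONG_AUTH_REQUIRED = 8   # RFC 4511 resultCode; ldp.exe prints it as "Error <8>"


def _ber_length(n: int) -> bytes:
    """BER length: one byte below 128, otherwise 0x80|count followed by the big-endian count."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(payload)) + payload


def _integer(n: int) -> bytes:
    """BER INTEGER; the extra byte keeps values >= 128 positive (two's complement)."""
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after this element) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + count], "big")
        start = pos + 2 + count
    return tag, buf[start:start + length], start + length


def simple_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] password } }.

    The password is a plain OCTET STRING on the wire: a DC set to "Require signing"
    answers strongAuthRequired because this bind is neither TLS-protected nor SASL-signed."""
    bind = (_integer(3)                                # version
            + _tlv(0x04, bind_dn.encode("utf-8"))      # name (LDAPDN)
            + _tlv(0x80, password.encode("utf-8")))    # AuthenticationChoice simple [0]
    return _tlv(0x30, _integer(message_id) + _tlv(0x60, bind))   # 0x60 = [APPLICATION 0] BindRequest


def build_bind_response(message_id: int, result_code: int, matched_dn: str = "", diagnostic: str = "") -> bytes:
    """LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    result = (_tlv(0x0A, bytes([result_code]))         # ENUMERATED resultCode (0..127 fits one byte)
              + _tlv(0x04, matched_dn.encode("utf-8"))
              + _tlv(0x04, diagnostic.encode("utf-8")))
    return _tlv(0x30, _integer(message_id) + _tlv(0x61, result))  # 0x61 = [APPLICATION 1] BindResponse


@dataclass
class BindResult:
    message_id: int
    result_code: int
    matched_dn: str
    diagnostic: str


def parse_bind_response(msg: bytes) -> BindResult:
    tag, body, _ = _read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(body)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError(f"protocolOp tag 0x{tag:02x} is not a bindResponse")
    tag, code, pos = _read_tlv(op)
    if tag != 0x0A:
        raise ValueError("resultCode must be ENUMERATED")
    _, dn, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return BindResult(int.from_bytes(mid, "big", signed=True),
                      int.from_bytes(code, "big", signed=True),
                      dn.decode("utf-8"), diag.decode("utf-8", "replace"))


def refused_for_missing_signing(result: BindResult) -> bool:
    """True when a DC rejected a cleartext simple bind because of its LDAP signing policy."""
    return result.result_code == STRONG_AUTH_REQUIRED and "integrity checking" in result.diagnostic


# Constructed to match the capture quoted in the thread.
AD_DIAGNOSTIC = ("00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on "
                 "integrity checking if SSL\\TLS are not already active on the connection, data 0, v1db1")
CAPTURED_BIND_RESPONSE = build_bind_response(1, STRONG_AUTH_REQUIRED, "", AD_DIAGNOSTIC)

if __name__ == "__main__":
    # Hypothetical bind DN and password, only to show the request shape.
    print("BindRequest :", simple_bind_request(1, "CN=test,CN=Users,DC=example,DC=local", "Passw0rd").hex())
    result = parse_bind_response(CAPTURED_BIND_RESPONSE)
    print("BindResponse:", result)
    if refused_for_missing_signing(result):
        print("DC requires TLS or SASL signing for binds: use LDAPS/StartTLS rather than a cleartext bind")
```

Decoding the reply this way also explains why simply pointing the same client at port 636 does not help: the DC returns strongAuthRequired to any simple bind on a connection that is not already protected by TLS or SASL signing, and if the client does not actually start a TLS handshake on 636, the DC never sees a protected bind at all. The client-side fixes are LDAPS or StartTLS (or a signing SASL mechanism); lowering the DC's signing requirement instead makes it accept the password in cleartext on the wire.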


Hm, I'm not really sure if the ISA supports LDAPS; perhaps you can change the Windows server to accept cleartext binds?

Michael


Hello ciscomax,

Yes, I have turned "LDAP server signing requirements" from "Require signing" to "None".

It works. I can launch an LDAP request from the ISA to the DC and now resolve a Windows account.

I'm just a little afraid of having to deactivate a main Active Directory policy to give VPN access to my users...

Do you know if it's possible to find another way? I really think it's insecure...

You can check the policy in the screenshot.

Regards.


You could use RADIUS; the credentials are secured with the shared secret.

Not high security, but OK for this.

Michael

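Michael's remark that with RADIUS "the credentials are secured with the shared secret" refers to the User-Password hiding of RFC 2865 section 5.2: the NAS XORs each 16-byte block of the password with MD5(secret + previous block), seeded by the 16-byte Request Authenticator. The following is an added example, not code from the thread or from Cisco, showing both directions of that scheme and, to make "no high security" concrete, an offline dictionary attack on the secret from a single captured Access-Request. The password, secret, authenticator and wordlist are constructed for the demo.

```python
"""RADIUS User-Password hiding (RFC 2865 section 5.2) and why it is weak.

Added example for this thread (not Cisco's or the posters' code). The NAS hides
the password by XORing each 16-byte block with MD5(secret + previous block); the
first "previous block" is the 16-byte Request Authenticator. Password, secret,
authenticator and wordlist below are constructed for the demo."""
import hashlib
from typing import Iterable, Optional

BLOCK = 16


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a User-Password attribute value as RFC 2865 5.2 prescribes."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)   # NUL-pad to a 16-byte multiple
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()       # b(i) = MD5(S + c(i-1))
        c = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        out += c
        prev = c                                              # chain on the ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Invert hide_password; the RADIUS server does this with the client's configured secret."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), BLOCK):
        c = hidden[i:i + BLOCK]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ k for x, k in zip(c, keystream))
        prev = c
    return bytes(out).rstrip(b"\x00")   # drop the NUL padding (ambiguous only for passwords ending in NUL)


def guess_secret(hidden: bytes, authenticator: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack from one captured Access-Request.

    The hidden password and the authenticator both travel in cleartext, so anyone
    who sniffed the packet can try secrets until the result decodes to printable
    text. Printability alone suffices for this demo; with several captured packets
    an attacker would cross-check them to rule out chance hits."""
    for secret in candidates:
        pw = reveal_password(hidden, secret, authenticator)
        if pw and all(0x20 <= b < 0x7F for b in pw):
            return secret
    return None


# Constructed demo values. A real NAS picks 16 fresh random bytes per request.
DEMO_AUTHENTICATOR = bytes(range(16))
DEMO_SECRET = b"cisco123"
DEMO_PASSWORD = b"VpnUserP@ss!"
DEMO_WORDLIST = [b"secret", b"radius", b"password", b"cisco", b"cisco123", b"testing123"]


def demo() -> Optional[bytes]:
    """Hide the demo password as a NAS would, then recover the secret as a sniffer would."""
    hidden = hide_password(DEMO_PASSWORD, DEMO_SECRET, DEMO_AUTHENTICATOR)
    recovered = guess_secret(hidden, DEMO_AUTHENTICATOR, DEMO_WORDLIST)
    print("hidden User-Password:", hidden.hex())
    print("secret recovered from wordlist:", recovered)
    if recovered is not None:
        print("password recovered:", reveal_password(hidden, recovered, DEMO_AUTHENTICATOR))
    return recovered


if __name__ == "__main__":
    demo()
```

The shared secret protects only the User-Password attribute; User-Name, NAS-IP-Address and the authenticator itself are cleartext, and the hiding is an MD5-derived XOR stream, so a guessable secret falls to an offline dictionary attack from one captured packet. That is the sense in which this is better than a cleartext LDAP simple bind but still "no high security": use a long random secret, and where possible keep the RADIUS exchange inside an IPsec or TLS tunnel.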