topic Re: Remote Access Users are unable to connect using LDAP account in SASE and Remote Access

Remote Access Users are unable to connect using LDAP account

Theo — Sat, 25 Jan 2020 15:17:28 GMT

Hi guys,

I almost checked everything but still I believed I missed something. I setup VPN Clients/ Mobile Access blade in our security gateway, in previous months we were able to authenticate Mobile Access users using their AD/LDAP (firstname.lastname) until one day It looks stopped and not working.

I enabled Identity awareness and had verified from another site with working Remote Access and signed-in using LDAP account. Appreciate if you can give me a lead before I open to TAC.

Cheers!

Theo

Re: Remote Access Users are unable to connect using LDAP account

abihsot__ — Wed, 29 Jan 2020 10:57:37 GMT

Hello,

There are so many things that could go wrong...

What is the error in the logs when user try to authenticate?

In account unit settings there is a username used to query ldap server. Is this account still active (no password change etc)?

Traffic is not blocked from the gateway to ldap server?

Have you created another account unit in the system while maintaining setting "query all account units" on the gateway?

Re: Remote Access Users are unable to connect using LDAP account

Maarten_Sjouw — Wed, 29 Jan 2020 11:38:36 GMT

Are you using secondary connect, you mentioned 'from another site'.
When you do and when there is only an AD server on the central location and between sites you only have a VPN, you need to know that this check will by default not be sent through the tunnel.

Re: Remote Access Users are unable to connect using LDAP account

Theo — Wed, 29 Jan 2020 15:02:57 GMT

What I meant is Identity sharing. Just yesterday I enabled Mobile access in another security gateway (within the same VPN community), the Mobile Access in this site works and the login details is the LDAP account..

Re: Remote Access Users are unable to connect using LDAP account

Theo — Wed, 29 Jan 2020 15:03:58 GMT

Creating another account unit is not an option at the moment. There were no dropped/blocked traffic to LDAP server.

Re: Remote Access Users are unable to connect using LDAP account

Maarten_Sjouw — Wed, 29 Jan 2020 15:08:13 GMT

Remote Access logon works from the gateway itself directly to the AD server. When that AD server is at another location, across the VPN the packets will not be encrypted.
Identity sharing has no bearing at all for the RA solution.
You need to update the Implied rules file to exclude the AD traffic and allow it through the tunnel from the GW.