Gaurav_Pandya
Advisor

LDAP Authentication failed in SSL VPN

Hi All,

We are facing an issue of authentication failure with LDAP for some of the users in Mobile SSL VPN. However, other users are working fine even though they are in the same group. In the tracker it shows:

Action : Failed Log in

Reason : No Access rule defined for user

I have followed sk112374 and finally captured the cvpnd.elg file for a working user as well as a non-working user. But there is not much difference in the logs for the two users. Below are the errors shown in cvpnd.elg:

[ 4335][23 Jan 14:15:16][AUTHNMAN] [CVPN_INFO] Cvpn::AuthSession::updateLogReason: Not authenticated, reason: (No access rules defined for user) Methods: (Password)

[ 4335][23 Jan 14:15:16][AUTHNMAN] [CVPN_INFO] Cvpn::AuthSession::createGroupsCollection: User not authenticated

Error Message = >

[ 4335][23 Jan 14:15:52][CPLDAPCL] Using LDAP bind authentication

[ 4335][23 Jan 14:15:52][CPLDAPCL] Params<dn = 'CN=JSmith-Lakow,OU=Information

8 Replies
Vladimir
Champion

Gaurav,

Please specify the version, show the actual access rule, and show the LDAP tree that contains this group, i.e.:

Participating user groups:


As per documentation (see text in red towards the end):

User Authentication to the Mobile Access Portal

To enter the Mobile Access portal and get access to its applications, users defined in SmartConsole must authenticate to the Security Gateway. Authentication ensures that a user is who he or she claims to be. Users authenticate using one or more of these authentication schemes:

  • Username and password - Users enter a user name and password.
  • Client Certificates - Digital Certificates are issued by the Internal Certificate Authority or by a third party OPSEC certified Certificate Authority.
  • RADIUS Server - Remote Authentication Dial-In User Service (RADIUS) is an external authentication scheme. The Security Gateway forwards authentication requests by remote users to the RADIUS server. The RADIUS server, which stores user account information, authenticates the users. The RADIUS protocol uses UDP for communications with the gateway. RADIUS Servers and RADIUS Server Group objects are defined in SmartConsole.

    For more about configuring a Security Gateway to use a RADIUS server, see the R80.10 Security Management Administration Guide.

  • SecurID - SecurID is a proprietary authentication method of RSA Security. An external SecurID server manages access by changing passwords every few seconds. Each user carries a SecurID token, a piece of hardware or software that is synchronized with the central server and displays the current password. The Security Gateway forwards authentication requests by remote users to the ACE/Server.

    For more about configuring a Security Gateway to use SecurID, see the R80.10 Security Management Administration Guide.

  • DynamicID One Time Password - DynamicID One Time Password can be required as a secondary or later authentication method (not the first). When this is configured, users who successfully complete the first-phase or phases of authentication are challenged to enter an additional credential: a DynamicID One Time Password (OTP). The OTP is sent by email or text message to a mobile phone, or other mobile communication device.
  • Defined on user record (Legacy Authentication) - The authentication method for each user is defined on the user record. For internal users, it is in the Authentication page of the User Properties. For LDAP users, it is on the user record in LDAP.

A user who tries to authenticate with an authentication scheme that is not configured for the Mobile Access gateway will not be allowed to access resources through the gateway.

Gaurav_Pandya
Advisor

Hi Vladimir,

Check Point version is R77.30. I have not done LDAP integration with the user directory.

During enabling of the Mobile Access blade, it asks whether you want to integrate with LDAP or not. There I put in the credentials of the LDAP server, so I am able to see LDAP users.

Vladimir
Champion

Do your Gateway Properties settings allow for Legacy Auth?

And are the users themselves configured with "OS Password" authentication?

From Documentation:

OS Password - means that users are challenged to enter their Operating System password for the Security Management Server. There are no scheme-specific parameters for this authentication scheme.

The Security Gateway can authenticate using the user name and password that is stored on the operating system of the machine on which the Security Gateway is installed. You can also use passwords that are stored in a Windows domain.

Also, please check that you are not running into the situation described here:

Mobile Access and Endpoint clients LDAP nested groups are not enforced correctly

Gaurav_Pandya
Advisor

Hi,

In Gateway Properties --> Authentication --> "Username & Password" is selected.

I am having an issue with some LDAP users. Local users are working fine.

Vladimir
Champion

If you have "Username and Password" selected, only the users defined on the gateway will be authenticated, not the LDAP users. For that you should use "Legacy Authentication" and set "OS Password" in the individual user's properties:

Gaurav_Pandya
Advisor

Finally I have raised a TAC case. Let's see how it goes.

I will update the findings.

Gaurav_Pandya
Advisor

Hi,

Finally the LDAP authentication issue is resolved. There are 2 LDAP accounts, and the same AD server is included in both. In one LDAP account the password for the AD server was not correct, so the failing users were going to this LDAP account and failing to authenticate. Now the correct password is given and everything is working fine.


Gaurav_Pandya
Advisor

Hi,

To add more on this, we have decided to delete the additional LDAP account unit which is causing unnecessary issues. But I am not able to delete the LDAP account unit; I am getting the error "Account_Unit is used by another object" while deleting the LDAP account unit.

I have followed sk111081 and removed the AD users from the Mobile Access policy, then deleted the additional LDAP account unit. After that I added the AD users to the policy again, so that they will be authenticated by the single AD/LDAP account unit.

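An added triage helper, not from the thread and not Check Point code, that parses cvpnd.elg lines of the shape quoted in the first post and lists the DNs that went through an LDAP bind and still ended "Not authenticated". With two Account Units pointing at the same AD server, as in the resolution above, those are the users whose Account Unit bind credentials deserve checking first. Treating the leading number as a per-session thread id, and the sample DNs and log lines, are constructed assumptions.

```python
import re
from collections import defaultdict

# Shape of a cvpnd.elg line as quoted in the thread:
# "[ 4335][23 Jan 14:15:16][AUTHNMAN] [CVPN_INFO] <message>"
# The leading number is treated as a per-session thread id (assumption).
LINE_RE = re.compile(
    r"^\[\s*(?P<tid>\d+)\]\[(?P<ts>[^\]]+)\]\[(?P<module>[A-Z]+)\]\s*"
    r"(?:\[(?P<level>\w+)\]\s*)?(?P<msg>.*)$"
)
REASON_RE = re.compile(r"Not authenticated, reason: \((?P<reason>[^)]*)\)(?: Methods: \((?P<methods>[^)]*)\))?")
DN_RE = re.compile(r"Params<dn = '(?P<dn>[^']*)'")

# Constructed sample: session 4335 fails after an LDAP bind, session 4336 records no failure.
SAMPLE_LOG = """\
[ 4335][23 Jan 14:15:52][CPLDAPCL] Using LDAP bind authentication
[ 4335][23 Jan 14:15:52][CPLDAPCL] Params<dn = 'CN=Constructed User,OU=Example,DC=example,DC=com'
[ 4335][23 Jan 14:15:53][AUTHNMAN] [CVPN_INFO] Cvpn::AuthSession::updateLogReason: Not authenticated, reason: (No access rules defined for user) Methods: (Password)
[ 4336][23 Jan 14:16:10][CPLDAPCL] Using LDAP bind authentication
[ 4336][23 Jan 14:16:10][CPLDAPCL] Params<dn = 'CN=Other User,OU=Example,DC=example,DC=com'
"""

def parse_line(line):
    """Split one cvpnd.elg line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Correlate the LDAP bind DN and the AUTHNMAN failure reason per thread id."""
    sessions = defaultdict(dict)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = sessions[rec["tid"]]
        if "Using LDAP bind authentication" in rec["msg"]:
            s["ldap_bind"] = True
        dn = DN_RE.search(rec["msg"])
        if dn:
            s["dn"] = dn.group("dn")
        r = REASON_RE.search(rec["msg"])
        if r:
            s["reason"] = r.group("reason")
            s["methods"] = r.group("methods")
    return dict(sessions)

def failed_bind_dns(sessions):
    """DNs that went through LDAP bind and still ended 'Not authenticated'."""
    return sorted(s["dn"] for s in sessions.values()
                  if s.get("ldap_bind") and "reason" in s and "dn" in s)
```

Feed it the real file with `summarize(open("cvpnd.elg").read().splitlines())`; a DN in this list whose user authenticates fine elsewhere is the signal to compare the bind credentials of every Account Unit that covers that user.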