Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Theo
Collaborator

Remote Access Users are unable to connect using LDAP account

Hi guys,

 

I almost checked everything but still I believed I missed something. I setup VPN Clients/ Mobile Access blade in our security gateway, in previous months we were able to authenticate Mobile Access users using their AD/LDAP (firstname.lastname) until one day It looks stopped and not working.

 

I enabled Identity awareness and had verified from another site with working Remote Access and signed-in using LDAP account. Appreciate if you can give me a lead before I open to TAC.

 

Cheers!

Theo

0 Kudos
5 Replies
abihsot__
Advisor

Hello,

There are so many things that could go wrong...

 

What is the error in the logs when user try to authenticate?

In account unit settings there is a username used to query ldap server. Is this account still active (no password change etc)?

Traffic is not blocked from the gateway to ldap server?

Have you created another account unit in the system while maintaining setting "query all account units" on the gateway?

0 Kudos
Theo
Collaborator

Creating another account unit is not an option at the moment. There were no dropped/blocked traffic to LDAP server.
0 Kudos
Maarten_Sjouw
Champion
Champion

Are you using secondary connect, you mentioned 'from another site'.
When you do and when there is only an AD server on the central location and between sites you only have a VPN, you need to know that this check will by default not be sent through the tunnel.
Regards, Maarten
0 Kudos
Theo
Collaborator

What I meant is Identity sharing. Just yesterday I enabled Mobile access in another security gateway (within the same VPN community), the Mobile Access in this site works and the login details is the LDAP account..
0 Kudos
Maarten_Sjouw
Champion
Champion

Remote Access logon works from the gateway itself directly to the AD server. When that AD server is at another location, across the VPN the packets will not be encrypted.
Identity sharing has no bearing at all for the RA solution.
You need to update the Implied rules file to exclude the AD traffic and allow it through the tunnel from the GW.
Regards, Maarten
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events