KM1895
Contributor

Problems with using UPN for remote access


Hi,

I am currently trying to assist a customer with changing login name from SAM to UPN for their remote access environments.

I have changed the CustomLoginAttr to |(sAMAccountName=<<>>)(UserPrincipalName=<<>>) and changed lookup_type to custom.


We are still getting "unknown user" when they try to log in.

As they are using access roles, I changed the same settings for all IA settings here as well, but with no success.

I believe something on the firewall is blocking this, as we don't get any hits on the NPS server, and tcpdumps show no traffic on port 1812 when they attempt to log in.

Are there any more settings that need to be done in order to get UPN to work?

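Before chasing the missing RADIUS traffic, it is worth checking that the lookup filter the gateway will send to AD is syntactically valid, and that the login name a user types cannot change the filter's structure. The Python below is an added example, not code from the post or from Check Point: it substitutes a login name for the `<<>>` placeholder with RFC 4515 escaping and then parses the result. It assumes that the gateway replaces `<<>>` with the typed login verbatim and does not itself add outer parentheses around a custom filter; neither detail is established in the thread, so the produced filter should be tried with ldapsearch against the customer's AD before drawing conclusions. The sample login names are constructed.

```python
"""Validate a Check Point style custom LDAP login-lookup filter.

The ``<<>>`` placeholder follows the CustomLoginAttr convention from the post.
ASSUMPTION (not established in the thread): the gateway substitutes the login
name verbatim and does not add outer parentheses around a custom filter.
"""

PLACEHOLDER = "<<>>"

# Filter exactly as posted (no outer parentheses) and the RFC 4515 form.
POSTED_TEMPLATE = "|(sAMAccountName=<<>>)(UserPrincipalName=<<>>)"
WRAPPED_TEMPLATE = "(|(sAMAccountName=<<>>)(UserPrincipalName=<<>>))"

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value: str) -> str:
    """Escape a login name so it can only ever be a value, never filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, login: str) -> str:
    """Substitute the escaped login for every placeholder occurrence."""
    return template.replace(PLACEHOLDER, escape_value(login))


def parse_filter(filt: str):
    """Return the (attribute, value) items of a well-formed RFC 4515 filter in
    order, or None if the string is not one complete filter. Only AND/OR/NOT
    and attribute=value items are modelled, which is all a login lookup uses."""
    items = []
    end = _parse(filt, 0, items)
    if end is None or end != len(filt):
        return None
    return items


def _parse(s: str, i: int, items: list):
    """Parse one '(' ... ')' filter starting at s[i]; return the index just
    past its closing parenthesis, or None on a syntax error."""
    if i >= len(s) or s[i] != "(":
        return None
    i += 1
    if i >= len(s):
        return None
    if s[i] in "&|":                      # AND / OR: one or more sub-filters
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":
            i = _parse(s, i, items)
            if i is None:
                return None
            count += 1
        if count == 0:
            return None
    elif s[i] == "!":                     # NOT: exactly one sub-filter
        i = _parse(s, i + 1, items)
        if i is None:
            return None
    else:                                 # attribute=value; value may not hold raw parens
        start = i
        while i < len(s) and s[i] not in "()":
            i += 1
        attr, sep, value = s[start:i].partition("=")
        if not sep or not attr:
            return None
        items.append((attr, value))
    if i >= len(s) or s[i] != ")":
        return None
    return i + 1


if __name__ == "__main__":
    for template in (POSTED_TEMPLATE, WRAPPED_TEMPLATE):
        f = build_filter(template, "alice@corp.example")   # constructed sample login
        print(f, "->", "OK" if parse_filter(f) is not None else "MALFORMED")
    # A hostile login name: unescaped it rewrites the filter, escaped it stays a value.
    hostile = "*)(objectClass=*"
    print(len(parse_filter(WRAPPED_TEMPLATE.replace(PLACEHOLDER, hostile))), "items unescaped")
    print(len(parse_filter(build_filter(WRAPPED_TEMPLATE, hostile))), "items escaped")
```

A filter that parses here but still returns nothing from ldapsearch points at the attribute name or the search base; one that returns the account while the gateway still reports "unknown user" points back at the gateway, which is consistent with no RADIUS request ever leaving it.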
8 Replies
the_rock
Legend

Did you make sure auth method under gateway office mode properties is correct?

KM1895
Contributor

Hi,

I believe so, but I can always get verification from the customer on this one.

KM1895
Contributor

Hi again,


All the settings for authentication appear to be correct. It is currently set to default for the LDAP lookup type. If I change it to UPN, it still gives the same result, meaning nothing hits the NPS server.


The RADIUS authentication is working for SAM, but when changing to UPN, we don't see anything.

The users will connect, and the RADIUS traffic is then sent over VPN to another site. But here we don't see anything when testing, so this is leading me to suspect an issue on the Check Point rather than the RADIUS setup. Even if RADIUS were the issue, we would still have seen the requests come in when doing a tcpdump on the relevant gateways.

_Val_
Admin

I am confused. Do you mean VPN, maybe?

KM1895
Contributor

Hi Val,


I'm slightly confused by this case myself.


As it stands today, users log on to their Remote Access using their SAM, with Azure MFA enabled. This works just fine.

When switching to UPN, we don't get anywhere. No requests are sent to the RADIUS servers (over site-to-site VPN). They use MUH, and I have tried changing the settings here as well, but still get the same result.


For now, I will contact TAC to see if they can assist further as well, as the customer wants this up and running.

_Val_
Admin

Sorry, it seems I originally misread your post. UserPrincipalName authentication should work.

Look into sk110858. It is not your case, but please check the mentioned parameters anyway, specifically UserLoginAttr.

If it is as it should be, open a TAC case.

the_rock
Legend

I second what @_Val_ told you. That SK seems pretty detailed, so hopefully it helps. If not, then TAC would be your best bet.

Shira
Participant

Hi,

Did you get a solution?
