Cisco Support Community

New Member

ISA550 - LDAP authentication configuration problem

Hi all,

I'm trying to configure an LDAP connection to authenticate VPN users with IPSec security between my new ISA550 device and

Unfortunately, it's impossible to launch an LDAP request from the router to my DC (Active Directory on Windows 2008 R2 with a classic LAN configuration for a small company).

The DC is configured on a LAN port with the IP address 10.10.2.1. Maybe 10 user accounts are created in the User container without schema modification, and some security groups are created.

I used the following configuration in User > User Authentication: LDAP + local database

I always receive the same error message: Server time out....

Please help me.

Thanks.

12 REPLIES
Cisco Employee

ISA550 - LDAP authentication configuration problem

Hello Benoit,

Configuration steps documented in the below article may be of help.

http://www.cisco.com/en/US/docs/security/small_business_security/isa500/technical_reference/ad_radius/isa500_ad_radius_appnote.pdf

Regards,

Nagaraja

New Member

ISA550 - LDAP authentication configuration problem

Hello Nagaraj,

Thanks for your reply but I already tried to configure the router with this document.

I have the same error message....

I created an SSLVPN Policy, a security group, a "test" user, ... as in the documentation.

I have two questions:

1) Is it possible to authenticate users with the IPSec protocol (without SSLVPN)?

2) Is it necessary to have the DC (AD server) outside the LAN zone (as presented on page 2)?

Thanks again.

Regards.

Cisco Employee

ISA550 - LDAP authentication configuration problem

Hi Benoit,

Server timeout typically means that the ISA is not receiving a response from the Server.  Can you ping the Server from the ISA?  Also, please try disabling (for testing only) the Firewall on the Server and test.  We've seen cases where the Firewall on the Server was blocking the LDAP requests.  Finally, you can run a packet capture on the ISA on the LAN to see what is going on with the LDAP communication.

Regarding your questions:  Yes, you should be able to authenticate IPSec users and the Server can be on the inside (LAN).  That was just an example they used on page 2.

Let me know if you have any questions regarding this.

Thanks,

Brandon

New Member

ISA550 - LDAP authentication configuration problem

Hello Brandon,

Thanks for your answer.

To give you my feedback:

- Yes, I can ping my DC from the ISA.

- I have disabled the Windows firewall on the DC (turned off for all zones) and launched a query: I still receive "Server TimeOut"...

- OK for the DC inside the LAN zone (I saw it in the troubleshooting part of the document...)

I will launch the Packet Capture tool to see the traffic on the first LAN port...

Regards.

Cisco Employee

ISA550 - LDAP authentication configuration problem

Hi Benoit,

Ok, so if you can ping and you have disabled the firewall, then hopefully the packet captures will indicate what's going on. 

Thanks,

Brandon

New Member

ISA550 - LDAP authentication configuration problem

Brandon,

After investigation with packet captures, I receive this error :

LDAPMessage bindResponse(1) strongAuthRequired (00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1)

Do you know what's the problem?

Thanks.

Re:ISA550 - LDAP authentication configuration problem

Try LDAP port 636


Michael Please rate all helpful posts
New Member

Re:ISA550 - LDAP authentication configuration problem

Hello ciscomax,

Thanks for your reply.

I've tried with this port number. Always the same error....

I tried to use a simple LDAP client (ldp.exe) to launch a request.

It seems that simple binding with a Windows account doesn't work...

I continue to investigate...

Regards.

New Member

Re:ISA550 - LDAP authentication configuration problem

Please find the error returned when calling ldp.exe:

res = ldap_simple_bind_s(ld, 'test', ); // v.3

Error <8>: ldap_simple_bind_s() failed: Strong Authentication Required

Server error: 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1

Error 0x2028 A more secure authentication method is required for this server.

res = ldap_simple_bind_s(ld, 'test', ); // v.3

ISA550 - LDAP authentication configuration problem

Hm, I'm not really sure if the ISA supports LDAPS; perhaps you can change the Windows server to accept cleartext bind?

Michael

Please rate all helpful posts

New Member

ISA550 - LDAP authentication configuration problem

Hello ciscomax,

Yes, I have turned off "LDAP server signing requirements", from "Require signing" to "None".

It works. I can launch an LDAP request from the ISA to the DC and now resolve a Windows account.

I'm just a little afraid of having to deactivate a main policy of Active Directory for VPN access for my users....

Do you know if it's possible to find another way? Really, I think it's insecure....

You can check the policy in the screenshot.

Regards.
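An added example, not from the thread or from Cisco: a minimal LDAPv3 simple-bind probe that lets an admin verify what the DC currently answers to the same cleartext bind the ISA sends on port 389, either the strongAuthRequired / 00002028 error from the capture above (signing still required) or a processed bind (signing requirement set to None). It assumes a reachable DC and a dedicated test account; host, user and password are placeholders, and the offline sample responses are constructed, not real captures.

```python
import socket

def ber_len(n):  # BER length: short form below 128, two-byte long form otherwise
    return bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")

def tlv(tag, payload):  # BER tag-length-value
    return bytes([tag]) + ber_len(len(payload)) + payload

def read_tlv(buf, pos):  # returns (tag, value, position after this TLV)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low bits say how many length bytes follow
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def simple_bind_request(msg_id, user, password):
    """LDAPMessage{ messageID, BindRequest{ version 3, name, simple password } }.
    This is the same unsigned cleartext bind the ISA sends on port 389."""
    bind = tlv(0x02, b"\x03") + tlv(0x04, user.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))

def parse_bind_response(data):
    """Return (resultCode, diagnosticMessage) from a BindResponse LDAPMessage."""
    tag, msg, _ = read_tlv(data, 0)
    assert tag == 0x30, "not an LDAPMessage"
    _, _msg_id, pos = read_tlv(msg, 0)
    tag, body, _ = read_tlv(msg, pos)
    assert tag == 0x61, "not a bindResponse ([APPLICATION 1])"
    _, code, pos = read_tlv(body, 0)          # ENUMERATED resultCode
    _, _matched_dn, pos = read_tlv(body, pos)  # matchedDN (ignored)
    _, diag, _ = read_tlv(body, pos)           # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")

def classify(code, diag):
    """resultCode 8 with AD error 00002028 is the thread's error: signing is enforced.
    0 (success) or 49 (invalidCredentials) means the DC processed an unsigned bind."""
    if code == 8 and "00002028" in diag:
        return "signing-required"
    if code in (0, 49):
        return "unsigned-bind-accepted"
    return f"other-result-{code}"

def probe(host, user, password, port=389, timeout=5):
    """Send one simple bind to the DC (placeholders) and classify its answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(simple_bind_request(1, user, password))
        return classify(*parse_bind_response(s.recv(4096)))

def sample_response(code, diag):
    """Constructed bindResponse (not a real capture) so the parser runs offline."""
    body = tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x61, body))
```

Running `probe("10.10.2.1", "test", "<password>")` against the DC in the thread returns "signing-required" while the policy is "Require signing" and "unsigned-bind-accepted" once it is set to "None", which is a quick way to confirm the policy state after changing it back.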

ISA550 - LDAP authentication configuration problem

You could use RADIUS; the credentials are secured with the shared secret.

No high security, but OK for this.

Michael

Please rate all helpful posts
