I've just installed a new WSA S650 with AsyncOS 5.6.0-623. We have enabled group authentication with LDAP using an Active Directory W2K3 and we are facing a strange issue: randomly, users are not being matched to their AD group, so the Default Policy matches and blocks access to all categories by default.
This is the authentication log for the same user at different times; in the second one the user wasn't able to surf. No changes were made on AD.
The authentication process has been completely redone and is handled in a much better way in version 5.6 compared to prior versions. In fact, it would be a good idea to upgrade to the latest version available, 5.6.4-013.
You can use the "testauthconfig" CLI command to test the authentication settings defined for an LDAP realm. If you do not see success on all the test parameters, there is something wrong with the way authentication is configured. Most importantly, this test will confirm whether the WSA is able to fetch group information from the AD server.
I ran "testauthconfig" and all seems to be OK, but I still have problems since sometimes groups are not fetched. As a workaround I have to add single users to the access policy.
This is the testauthconfig output:
Checking DNS resolution of WSA hostname(s)...
Success: Resolved 'wsa.ironports.fahorro.com.mx' address: 22.214.171.124
Checking DNS resolution of LDAP Server(s)...
Success: Resolved '172.20.33.82' address: 172.20.33.82
Success: Resolved '172.20.33.81' address: 172.20.33.81
Checking connectivity of LDAP Server(s)...
Success: Server '172.20.33.82' responding to queries on port 3268.
Success: Server '172.20.33.81' responding to queries on port 3268.
Checking the type of LDAP Server(s)...
Success: Able to query server information from '172.20.33.82'
Success: Able to query server information from '172.20.33.81'
Checking if Referrals are enabled...
Success: Referral option is disabled.
Attempting to fetch user information...
Success: Able to query for User Information from server '172.20.33.82'. Number of users exceeds 1000 or the server size limit.
Success: Able to query for User Information from server '172.20.33.81'. Number of users exceeds 1000 or the server size limit.
Attempting to fetch group information...
Success: Able to query for Group Information from server '172.20.33.82'. Number of groups fetched: 121.
Success: Able to query for Group Information from server '172.20.33.81'. Number of groups fetched: 121.
LDAP test complete
Is there any tool or troubleshooting procedure available to find out what's happening?
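One way to get an answer from the directory side, added here as an example and not part of the original thread: at the moment a user falls through to the Default Policy, query the Global Catalog directly (port 3268, the port testauthconfig reported) for that account's memberOf attribute and compare it with the groups the WSA shows for the same user. The script below is POSIX sh around OpenLDAP's ldapsearch; the bind account, the user name and the sample LDIF it parses are constructed placeholders. It asks for the paged-results control because Active Directory's default MaxPageSize is 1000 entries, which is the limit the user lookup in the testauthconfig output ran into, and its parser handles the two LDIF details that trip up quick greps: values wrapped onto a continuation line, and DNs with non-ASCII characters, which ldapsearch prints base64-encoded after "memberOf::".

```shell
#!/bin/sh
# Added example (not from the thread): check a user's AD group membership
# directly on the Global Catalog, independently of the WSA.
# Assumptions: OpenLDAP ldapsearch is installed; the server, bind account and
# user names below are placeholders to replace.

# Query the Global Catalog (port 3268, as in the testauthconfig output) for one
# account's memberOf attribute. -E pr= requests the paged-results control: AD
# will not return more than MaxPageSize (1000 by default) entries without it.
# -W prompts for the bind password. Not exercised by the offline sample below.
ldap_user_groups() {
    server=$1   # e.g. 172.20.33.82
    binddn=$2   # e.g. 'wsa-bind@fahorro.com.mx' (placeholder)
    sam=$3      # sAMAccountName of the user that failed to match
    ldapsearch -x -LLL -H "ldap://$server:3268" -D "$binddn" -W -b "" -s sub \
        -E pr=500/noprompt "(sAMAccountName=$sam)" memberOf
}

# Turn ldapsearch LDIF on stdin into one group DN per line.
# LDIF wraps long values and continues them on the next line with a single
# leading space; values that are not safe ASCII (e.g. a DN with accented
# characters) are emitted base64-encoded after "memberOf::".
ldif_groups() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }   # continuation: join, drop the space
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    ' |
    while IFS= read -r line; do
        case $line in
            "memberOf:: "*) printf '%s\n' "${line#"memberOf:: "}" | base64 -d; printf '\n' ;;
            "memberOf: "*)  printf '%s\n' "${line#"memberOf: "}" ;;
        esac
    done
}

# Number of groups the directory reports for the user: compare it with the
# group list the WSA shows for the same account.
group_count() { ldif_groups | awk '/^CN=/ { n++ } END { print n + 0 }'; }

# Exit 0 if the user is a direct member of the group with CN=$1.
has_group() { ldif_groups | grep -qi "^CN=$1,"; }

# Constructed sample of what ldapsearch prints, with one wrapped DN and one
# base64-encoded DN (CN=Español,...) so both cases are exercised offline.
SAMPLE='dn: CN=Jane Doe,OU=Users,DC=fahorro,DC=com,DC=mx
memberOf: CN=Internet-Full,OU=Groups,DC=fahorro,DC=com,DC=mx
memberOf: CN=A group whose distinguished name is long enough to be wrapped by ldap
 search,OU=Groups,DC=fahorro,DC=com,DC=mx
memberOf:: Q049RXNwYcOxb2wsT1U9R3JvdXBzLERDPWZhaG9ycm8sREM9Y29tLERDPW14
'

printf '%s' "$SAMPLE" | ldif_groups
printf 'groups: %s\n' "$(printf '%s' "$SAMPLE" | group_count)"

# Live use against the directory (placeholders):
#   ldap_user_groups 172.20.33.82 'wsa-bind@fahorro.com.mx' jdoe | group_count
```

Run it once while the user is browsing normally and once while the same user is being caught by the Default Policy: if the directory returns the same groups both times, the problem is on the WSA side of the lookup rather than in AD; if the group count from the directory differs from what the WSA fetched, look at the size-limit message in the testauthconfig output first.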
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...