In one of the in-house CCSA trainings, we encountered the same issue, and in our case it had to do w/ the 'password' that we were using for the users in Windows 2003 AD containing a special character ('@', as an example), which CP refused to accept - we changed it to some simple alphanumeric characters w/o any special characters, after which it worked fine. You may like to rule it out before we go further. hth, Rajeev
On 7/18/07, cisco4ng <[EMAIL PROTECTED]> wrote:
I need help desperately. I have a P-1 NGX R61 with HFA_01 running on Red Hat Linux ES. The P-1 Manager is 192.168.114.9/24 and the P-1 Container is 192.168.109.10/24. The CMA is 192.168.109.14/24. The CMA manages a Nokia IP560. Everything has a valid license. I even have the LDAP license module as well, and also the VSR license. The Nokia is running IPSO 4.1 build 33 with NGX R61 with HFA_01. Everything is synchronizing properly with a stratum 1 NTP server, including the Microsoft Windows 2003 AD server.

I have a Microsoft Windows 2003 Active Directory (AD) server with IP address 192.168.109.8/24. The AD server is running Service Pack 2. I tested remote access VPN with a Check Point internal account and everything works. I need to authenticate SecureRemote users with LDAP authentication. I did the following:

0) Enable LDAP under SmartDirectory in Global Properties.
1) Under the template, create "ldap_users" and select "Check Point password" for the authentication scheme.
2) Manage --> Servers and OPSEC Applications --> New --> LDAP account unit. Give it a name; for the profile I select Microsoft_AD. Select "CRL retrieval" and "user management". I called it "MS_LDAP".
3) Under the "Servers" tab, I enter the AD server host object. Under "login DN", I specified "CN=Administrator" and the password of the Administrator account on the AD server.
4) Under the encryption tab of the Servers tab, I select "use SSL for port 636" and set everything to "strong". When I clicked on "fetch", I get the fingerprint from the AD server.
5) Under Early Version Compatibility server, I specified the AD server host object.
6) Under the "object management" tab, I specified the AD as the "Manage objects on" server. When I fetch branches, I get the DC and CN and stuff like that, so I know that the CMA can communicate with the AD. By the way, this is a very simple AD: a single AD with the root domain of LAB.
7) Under the authentication tab, I select all the authentication methods, and for the users' default values I used the 'ldap_users' user template that I created in step 2.
8) Create an LDAP group named vpntest. Under "Account unit" of this window, I specified "MS_LDAP" as the account unit.
9) Create a VPN remote access community with the Nokia gateway cluster and the "vpntest" LDAP group.
10) Create the VPN rule. By the way, my cleanup rule is Any Any Accept for testing purposes.

The weird part is that if I double-click on the MS_LDAP object, I get: "failed to bind to LDAP server. Wrong user name, password or DN login." What does that mean? Another thing is that when I use SecureRemote to log in, it always fails, and in SmartView Tracker I get "IKE failure: client unknown user". tcpdump from the P-1 showed that there is NO TCP 389 or TCP 636 traffic leaving the CMA and heading to the Microsoft AD server.

I heard that I have to run "ldapmodify" on the CMA and modify the schema_microsoft_ad.ldif or something like that. How do I go about doing it? I thought this is only necessary if you have to manage accounts with the Dashboard. Has someone done this before with Provider-1 and gotten it to work? Please show me the way. Thank you very much.

================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
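A standalone bind check, added here as an example and not part of the thread or of any Check Point or Microsoft tool: it performs an LDAPv3 simple bind (RFC 4511) from plain Python with hand-rolled BER, so the resultCode the directory returns can be read directly, independently of the MS_LDAP object in the Dashboard and of whether the CMA ever sends a packet. The MockAD class, the DN "CN=Administrator,CN=Users,DC=LAB" and the password "Passw0rd" are constructed for the offline run; against a real AD you would call ldap_simple_bind with host 192.168.109.8, port 636, use_tls=True and the CA certificate that signed the AD server certificate. The mock answers resultCode 49 (invalidCredentials) to the bare RDN "CN=Administrator" and 0 to the full DN, to illustrate what a "failed to bind" reply looks like on the wire; the thread itself does not establish what caused the failure in the post above.

```python
"""Raw LDAPv3 simple bind (RFC 4511) with hand-rolled BER, plus an in-process mock
directory so the exchange runs offline. Added example; DNs/passwords are constructed."""
import socket
import ssl
import threading

SUCCESS, INVALID_CREDENTIALS = 0, 49        # RFC 4511 section 4.1.9

def ber(tag, payload):
    """Encode one BER TLV (definite lengths up to 65535 bytes)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload

def tlv(buf, i=0):
    """Decode one TLV at offset i -> (tag, payload, offset after it)."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n

def bind_request(msg_id, dn, password):
    """LDAPMessage{ messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }"""
    body = ber(0x02, bytes([3])) + ber(0x04, dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x60, body))

def bind_response(msg_id, result_code, diagnostic=""):
    """LDAPMessage{ messageID, BindResponse [APPLICATION 1] { resultCode, matchedDN, diag } }"""
    body = ber(0x0A, bytes([result_code])) + ber(0x04, b"") + ber(0x04, diagnostic.encode())
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x61, body))

def parse_bind_request(data):
    """Server side: -> (messageID, dn, password)."""
    _, msg, _ = tlv(data)
    _, mid, i = tlv(msg)
    _, op, _ = tlv(msg, i)
    _, _version, i = tlv(op)
    _, dn, i = tlv(op, i)
    _, pw, _ = tlv(op, i)
    return int.from_bytes(mid, "big"), dn.decode(), pw.decode()

def parse_bind_response(data):
    """Client side: -> (resultCode, diagnosticMessage)."""
    _, msg, _ = tlv(data)
    _, _mid, i = tlv(msg)
    tag, op, _ = tlv(msg, i)
    if tag != 0x61:
        raise ValueError("not a BindResponse, tag 0x%02x" % tag)
    _, rc, i = tlv(op)
    _, _matched, i = tlv(op, i)
    _, diag, _ = tlv(op, i)
    return int.from_bytes(rc, "big"), diag.decode(errors="replace")

def ldap_simple_bind(host, port, dn, password, use_tls=False, cafile=None, timeout=5):
    """One simple bind -> (resultCode, diagnosticMessage). With use_tls the server
    certificate is verified against cafile (or the system store); keep it that way."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context(cafile=cafile).wrap_socket(sock, server_hostname=host)
    try:
        sock.sendall(bind_request(1, dn, password))
        data = sock.recv(4096)
    finally:
        sock.close()
    return parse_bind_response(data)

class MockAD(threading.Thread):
    """Constructed stand-in for the directory: accepts exactly one DN/password pair."""
    def __init__(self, valid_dn, valid_password):
        super().__init__(daemon=True)
        self.valid = (valid_dn, valid_password)
        self.srv = socket.socket()
        self.srv.bind(("127.0.0.1", 0))
        self.srv.listen(5)
        self.port = self.srv.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.srv.accept()
            with conn:
                mid, dn, pw = parse_bind_request(conn.recv(4096))
                ok = (dn, pw) == self.valid
                conn.sendall(bind_response(mid, SUCCESS if ok else INVALID_CREDENTIALS,
                                           "" if ok else "invalid credentials"))

if __name__ == "__main__":
    ad = MockAD("CN=Administrator,CN=Users,DC=LAB", "Passw0rd")   # constructed
    ad.start()
    for name in ("CN=Administrator", "CN=Administrator,CN=Users,DC=LAB"):
        print(name, "->", ldap_simple_bind("127.0.0.1", ad.port, name, "Passw0rd"))
```

Run it from the CMA's shell (or any host that can reach the AD) while tcpdump watches port 636: if the bind returns 0 here, the login DN and password are fine and the missing traffic from the CMA is a management-side problem; if it returns 49 with the same DN and password the account unit uses, the credentials or the DN form are what the directory rejects. Active Directory resolves a simple-bind name as a full DN, a UPN (user@domain) or DOMAIN\user; a bare RDN like "CN=Administrator" is not a resolvable DN. The password is passed to the bind exactly as typed, so this also lets you test whether a password containing '@' or other special characters is accepted by the directory itself.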
