
Author Topic: Authenticating VPN users on Active Directory  (Read 10305 times)

fernando.w

  • Level 1 Member
  • Posts: 10
    • Dígitro Tecnologia
Authenticating VPN users on Active Directory
« on: April 20, 2010, 11:41:41 AM »

Hello all!

Is it possible to use an AD user database for user authentication instead of a local user database?

Thanks in advance.

Fernando Willemann
Dígitro Tecnologia
D-Link Advanced Certification - Switching/Wireless
Cisco Certified Network Associate
Cisco IronPort Certified Security Professional - E-Mail/Web

danilovav

  • Level 4 Member
  • Posts: 424
  • Alexandr Danilov
Re: Authenticating VPN users on Active Directory
« Reply #1 on: April 20, 2010, 12:01:18 PM »

It's possible in the 2.26 firmware.
BR, Alexandr Danilov

fernando.w

  • Level 1 Member
  • Posts: 10
    • Dígitro Tecnologia
Re: Authenticating VPN users on Active Directory
« Reply #2 on: April 20, 2010, 01:23:12 PM »

Hi danilovav, thanks for the answer.

I'm using version 2.26.01. I tried to configure the "authentication rule" with LDAP, but I didn't have success.

I configured the AD authentication rule like a local authentication rule, but changed the authentication source to LDAP and selected the Active Directory in the "Authentication Options" tab. Moreover, I created the IP rules to allow access from the VPN to the LAN.

So when I try to connect to the DFL-800 with a Windows XP client, it returns error 718 (something about a PPP timeout because the remote server is not responding). If I try to reconnect soon after, Windows XP returns error 691 (access denied - invalid username or password).

The DFL-800 log shows the following message:

2010-04-20 21:00:39    Warning    RULE 6000051    Default_Rule    TCP    wan1    76.186.73.219  189.85.129.40    1320 445    ruleset_drop_packet drop ipdatalen=28 tcphdrlen=28 syn=1
2010-04-20 21:00:31    Notice    PPTP 2700022    pptp_tunnel_closed iface=tunnel-pptp remotegw=201.14.187.189
2010-04-20 21:00:31    Notice    PPTP 2700008        pptp_session_closed iface=tunnel-pptp remotegw=201.14.187.189 callid=0
2010-04-20 21:00:11    Alert    USERAUTH 3700407      failed_admin_bind database connection disabled
database=ActiveDirectory
2010-04-20 21:00:10    Notice    PPTP 2700019    pptp_tunnel_up iface=tunnel-pptp remotegw=201.14.187.189

Can anybody help me?

Best regards,
Fernando Willemann
Dígitro Tecnologia
D-Link Advanced Certification - Switching/Wireless
Cisco Certified Network Associate
Cisco IronPort Certified Security Professional - E-Mail/Web

Fatman

  • Level 9 Member
  • Posts: 1675
Re: Authenticating VPN users on Active Directory
« Reply #3 on: April 20, 2010, 04:12:55 PM »

If you switch your auth rule to local database do you connect with the same auth rule?
Does your LDAP server have any logs of the auth requests?
non progredi est regredi

fernando.w

  • Level 1 Member
  • Posts: 10
    • Dígitro Tecnologia
Re: Authenticating VPN users on Active Directory
« Reply #4 on: April 22, 2010, 08:04:14 AM »

Hi Fatman,

Yes, if I only switch the auth rule to the local database it works. The Windows 2003 server returns only the following three information logs (the logs are in Portuguese because of the Windows 2003 server language):

Tipo de evento:   Informações
Fonte de evento:   NTDS LDAP
Categoria do evento:   Interface LDAP
Id. do evento:   1139
Data:      22/4/2010
Hora:      11:44:29
Usuário:      TESTE\maria
Computador:   TESTELDAP
Descrição:
Evento interno: a função ldap_search foi concluída com tempo transcorrido de 0 ms.

----------------------------------------------------------------------------------------------------

Tipo de evento:   Informações
Fonte de evento:   NTDS Database
Categoria do evento:   Processamento interno
Id. do evento:   1167
Data:      22/4/2010
Hora:      11:44:29
Usuário:      TESTE\maria
Computador:   TESTELDAP
Descrição:
Evento interno: o Active Directory usará o índice a seguir como o índice ideal para esta consulta.
 
Índice:
idx_sAMAccountName:1:N;

----------------------------------------------------------------------------------------------------

Tipo de evento:   Informações
Fonte de evento:   NTDS Database
Categoria do evento:   Processamento interno
Id. do evento:   1166
Data:      22/4/2010
Hora:      11:44:29
Usuário:      TESTE\maria
Computador:   TESTELDAP
Descrição:
Evento interno: o Active Directory pode usar o índice a seguir para otimizar uma consulta. A contagem de

registros aproximada para usar este índice é a seguinte.
 
Índice:
idx_sAMAccountName:1:N;
Contagem de registros:1

Fernando Willemann
Dígitro Tecnologia
D-Link Advanced Certification - Switching/Wireless
Cisco Certified Network Associate
Cisco IronPort Certified Security Professional - E-Mail/Web

Fatman

  • Level 9 Member
  • Posts: 1675
Re: Authenticating VPN users on Active Directory
« Reply #5 on: April 22, 2010, 08:22:17 AM »

When you were trying to log into the VPN remotely to generate these logs, were you using the user and computer listed below? These do not look like the kind of logs we should be seeing if we have failed auth going on.

Usuário:      TESTE\maria
Computador:   TESTELDAP

Try this then: run Wireshark on the server, then reboot your firewall and try to remotely authenticate to the VPN; that way we can confirm whether any traffic is even reaching the server.
non progredi est regredi

fernando.w

  • Level 1 Member
  • Posts: 10
    • Dígitro Tecnologia
Re: Authenticating VPN users on Active Directory
« Reply #6 on: April 22, 2010, 10:11:09 AM »

Hi Fatman,

The Wireshark log follows, filtered to LDAP only. The user called "administrador" is the admin user of the Win2003 server. The host 192.168.186.128 is the Win2003 server IP and 192.168.186.254 is the DFL-800 IP. I'm investigating the message "comment: AcceptSecurityContext error".

No.     Time        Source                Destination           Protocol Info
     45 20.726967   192.168.186.254       192.168.186.128       LDAP     bindRequest(3) "administrador" simple

Frame 45 (100 bytes on wire, 100 bytes captured)
Ethernet II, Src: D-Link_1a:3b:33 (00:21:91:1a:3b:33), Dst: Vmware_2d:9e:e1 (00:0c:29:2d:9e:e1)
Internet Protocol, Src: 192.168.186.254 (192.168.186.254), Dst: 192.168.186.128 (192.168.186.128)
Transmission Control Protocol, Src Port: tcoregagent (1976), Dst Port: ldap (389), Seq: 1, Ack: 1, Len: 46
Lightweight-Directory-Access-Protocol
    LDAPMessage bindRequest(3) "administrador" simple
        messageID: 3
        protocolOp: bindRequest (0)
            bindRequest
                version: 3
                name: administrador
                authentication: simple (0)
                    simple: 6469676974726F
        [Response In: 46]

No.     Time        Source                Destination           Protocol Info
     46 20.730257   192.168.186.128       192.168.186.254       LDAP     bindResponse(3) invalidCredentials (80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece)

Frame 46 (163 bytes on wire, 163 bytes captured)
Ethernet II, Src: Vmware_2d:9e:e1 (00:0c:29:2d:9e:e1), Dst: D-Link_1a:3b:33 (00:21:91:1a:3b:33)
Internet Protocol, Src: 192.168.186.128 (192.168.186.128), Dst: 192.168.186.254 (192.168.186.254)
Transmission Control Protocol, Src Port: ldap (389), Dst Port: tcoregagent (1976), Seq: 1, Ack: 47, Len: 109
Lightweight-Directory-Access-Protocol
    LDAPMessage bindResponse(3) invalidCredentials (80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece)
        messageID: 3
        protocolOp: bindResponse (1)
            bindResponse
                resultCode: invalidCredentials (49)
                matchedDN:
                errorMessage: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
        [Response To: 45]
        [Time: 0.003290000 seconds]
Fernando Willemann
Dígitro Tecnologia
D-Link Advanced Certification - Switching/Wireless
Cisco Certified Network Associate
Cisco IronPort Certified Security Professional - E-Mail/Web
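The errorMessage in frame 46 is Active Directory's standard bind-failure format, and the "data" sub-code is the useful part. The helper below is an added example, not code from the thread or from D-Link: it splits that string into its fields, explains the sub-code, and shows why a simple bind on plain TCP/389 (as in frame 45) exposes the bind password to anyone capturing on the path. The hex sample in the second function is constructed.

```python
import re

# Meaning of the "data NNN" sub-code that Active Directory appends to a
# failed LDAP bind (resultCode 49, invalidCredentials). These are the
# standard AD sub-codes; nothing here is specific to the DFL-800.
AD_BIND_SUBCODES = {
    "525": "user not found (the bind name did not resolve to an account)",
    "52e": "invalid credentials (account exists, password wrong)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_AD_ERR_RE = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+)"
)


def parse_ad_bind_error(error_message):
    """Split an AD bindResponse errorMessage into its fields and explain
    the data sub-code. Returns None if the string is not in AD's format."""
    m = _AD_ERR_RE.search(error_message)
    if not m:
        return None
    code = m.group("data").lower()
    return {
        "hresult": m.group("hresult"),
        "dsid": m.group("dsid"),
        "comment": m.group("comment"),
        "data": code,
        "meaning": AD_BIND_SUBCODES.get(code, "unknown sub-code"),
    }


def simple_bind_password(capture_line):
    """Decode the 'simple: <hex>' field a packet capture shows for an LDAP
    simple bind on plain TCP/389. This is exactly what any observer on the
    path recovers, which is why the admin bind belongs on LDAPS or StartTLS."""
    m = re.search(r"simple:\s*([0-9A-Fa-f]+)", capture_line)
    return bytes.fromhex(m.group(1)).decode("utf-8") if m else None
```

A result of "data 525" on the admin bind means the directory never matched the bind name to an account, so the credential check never got as far as the password.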