I need help desperately.

I have a P-1 NGX R61 with HFA_01 running on Red Hat Linux ES. The P-1 Manager is 192.168.114.9/24 and the P-1 Container is 192.168.109.10/24. The CMA is 192.168.109.14/24. The CMA manages a Nokia IP560. Everything has a valid license; I even have the LDAP license module as well as the VSR license. The Nokia is running IPSO 4.1 build 33 with NGX R61 and HFA_01.

Everything is synchronizing properly with a stratum 1 NTP server, including the Microsoft Windows 2003 AD server.

I have a Microsoft Windows 2003 Active Directory (AD) server with the IP address 192.168.109.8/24. The AD server is running Service Pack 2.

I tested remote access VPN with a Check Point internal account and everything works.

I need to authenticate SecureRemote users with LDAP authentication. I did the following:
   
0) Enable LDAP under SmartDirectory in Global Properties.
1) Under the template, create "ldap_users" and select "Checkpoint password" as the authentication scheme.
2) Manage --> Servers and OPSEC Applications --> New --> LDAP account unit. Give it a name; for the profile I select Microsoft_AD. Select "CRL retrieval" and "user management". I called it "MS_LDAP".
3) Under the "Servers" tab, I enter the AD server host object. Under "login DN", I specified "CN=Administrator" and the password of the Administrator account on the AD server.
4) Under the encryption tab of the Servers tab, I select "use SSL for port 636" and set everything to "strong". When I click "fetch", I get the fingerprint from the AD server.
5) For the Early Version Compatibility server, I specified the AD server host object.
6) Under the "object management" tab, I specified the AD as the object to manage on. When I fetch branches, I get the DC and CN and stuff like that, so I know that the CMA can communicate with the AD. By the way, this is a very simple AD: a single AD with the root domain of LAB.
7) Under the authentication tab, I select all the authentication, and for the users' default values I used the 'ldap_users' user template that I created in step 2.
8) Create an LDAP group named vpntest. Under "Account unit" of this window, I specified "MS_LDAP" as the account unit.
9) Create a VPN remote access community with the Nokia gateway cluster and the "vpntest" LDAP group.
10) Create the VPN rule. By the way, my cleanup rule is Any Any accept for testing purposes.
  
The weird part is that if I double-click on the MS_LDAP object, I get:

failed to bind to LDAP server. Wrong user name, password or DN login.

What does that mean?

Another thing is that when I use SecureRemote to log in, it always fails, and in the SmartView Tracker I get "IKE failure: client unknown user". tcpdump from the P-1 showed that there is NO TCP 389 or TCP 636 traffic leaving the CMA and heading to the Microsoft AD server.

I heard that I have to run "ldapmodify" on the CMA and modify the schema_microsoft_ad.ldif or something like that. How do I go about doing it? I thought this is only necessary if you have to manage accounts with the Dashboard.

Has someone done this before with Provider-1 and gotten it to work? Please show me the way.

Thank you very much.
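When an account unit reports "failed to bind", it helps to test the same login DN and password from a Linux shell, independently of the CMA, so that a TLS or reachability problem can be told apart from an LDAP-level rejection, and a rejected DN from a rejected password. The stand-alone LDAPS simple-bind probe below is an added example, not code from the original post or from Check Point; it uses only the Python standard library, the sample response bytes are constructed, and the host, DN and CA file passed to probe() are assumptions.

```python
import re
import socket
import ssl

# Constructed sample BindResponse: resultCode 49 (invalidCredentials) with an AD-style "data 52e" text.
SAMPLE_BIND_RESPONSE = bytes.fromhex(
    "30 14 02 01 01 61 0f 02 01 31 04 00 04 08 64 61 74 61 20 35 32 65")
RESULT_NAMES = {0: "success", 32: "noSuchObject", 34: "invalidDNSyntax", 49: "invalidCredentials"}
# AD appends "data <hex>" to its diagnosticMessage; the sub-code separates a wrong DN from a wrong password.
AD_DATA_CODES = {"525": "user not found", "52e": "bad password", "533": "account disabled", "775": "locked out"}

def ber_len(n):  # BER length: short form below 128, otherwise 0x80|count followed by big-endian bytes
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return body if n < 0x80 else bytes([0x80 | len(body)]) + body
def tlv(tag, payload):  # one BER element: tag, length, value
    return bytes([tag]) + ber_len(len(payload)) + payload
def bind_request(msg_id, dn, password):  # LDAPMessage { messageID, BindRequest [APPLICATION 0] }
    op = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())  # v3, name, simple [0]
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))

def read_tlv(buf, pos=0):  # decode one BER element -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(data):  # -> (resultCode, matchedDN, diagnosticMessage)
    _, msg, _ = read_tlv(data)                 # LDAPMessage SEQUENCE
    _, _, pos = read_tlv(msg)                  # skip messageID
    tag, resp, _ = read_tlv(msg, pos)          # BindResponse is [APPLICATION 1] = 0x61
    if tag != 0x61:
        raise ValueError("not a BindResponse, tag 0x%02x" % tag)
    _, code, pos = read_tlv(resp)
    _, matched, pos = read_tlv(resp, pos)
    _, diag, _ = read_tlv(resp, pos)
    return int.from_bytes(code, "big"), matched.decode(), diag.decode("utf-8", "replace")

def explain(code, diag):  # AD's "data 52e" = DN found but password wrong, "data 525" = DN not found
    m = re.search(r"data ([0-9a-f]{3})", diag)
    detail = ": " + AD_DATA_CODES.get(m.group(1), "AD data " + m.group(1)) if m else ""
    return RESULT_NAMES.get(code, "resultCode %d" % code) + detail

def probe(host, dn, password, port=636, cafile=None):  # -> (resultCode, verdict)
    ctx = ssl.create_default_context(cafile=cafile)  # keep verification on; cafile = exported AD CA cert
    with socket.create_connection((host, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as s:
        s.sendall(bind_request(1, dn, password))
        code, _, diag = parse_bind_response(s.recv(4096))  # a BindResponse fits in one read
    return code, explain(code, diag)
```

For this lab, probe("192.168.109.8", login_dn, password, cafile="ad-ca.pem") with the full DN of the Administrator object (an assumption for this example) should return (0, "success"); resultCode 49 with "data 525" means AD could not find that DN, while "data 52e" means the DN was found but the password was rejected. A connection or TLS error instead of a BindResponse points at reachability or the certificate rather than at the credentials.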
