I opened a case and it actually ended up sending an incorrect password in the bindrequest. We modified the source back to use cleartext port 389 so we could see what was being sent.
Changed the password to be 12 characters with a mix of alphanumeric and special characters and no issues.
Maybe it didn't like the 16 character length?
Original Message:
Sent: Aug 29, 2023 02:43 PM
From: KeithK_LC
Subject: Removal of CPPM DATA interface (unconfigured it) causing auth sources to stop functionning
Just a long shot, but do any of the certs being used to communicate to your auth sources use the IP address that was assigned to the DATA port in the SAN field? Just looking for a connection between the DATA port and the certs/SSL as that is usually where an failure to kickoff handshaking would occur.
Original Message:
Sent: Aug 29, 2023 02:25 PM
From: Bruce Osborne
Subject: Removal of CPPM DATA interface (unconfigured it) causing auth sources to stop functionning
Is this a physical server or virtual machine? IIRC with VMs there could be an issue with which MAC Address is the higher number? On my Lab VMS I enable both interfaces & CPPM uses the one it prefers. I have never configured both interfaces.
------------------------------
Bruce Osborne ACCP ACMP
Liberty University
The views expressed here are my personal views and not those of my employer
Original Message:
Sent: Aug 28, 2023 08:28 PM
From: pmonardo
Subject: Removal of CPPM DATA interface (unconfigured it) causing auth sources to stop functionning
As I understand it, if the DATA interface is configured on CPPM, it will interface and connect to services like LDAPS, SMTP delivery, AD joining, etc. It will also be the default interface to respond to radius requests unless a request is specifically made to the MGMT port.
We have a cluster of 2 CPPMs and we have decided to not use the DATA interface anymore (for all the reasons that it shouldn't have been configured in the first place) therefore we unconfigured them on PUB and SUB. This reset the default route back to the MGMT interface, all is well except...
My AD auth sources are not behaving correctly, I get errors like invalid username/password (even though we have reset it on AD and retyped it on CPPM) or Error: Couldn't kickstart handshaking.
Both CPPMs are joined to the domain. 2 out of the 4 AD auth sources are working. The 2 that are working have a Bind DN that is not a UPN. The other two use an account. I have tested that account via the CLI using the "ad auth" command and it returns succesful.
Everything worked prior to the removal of the DATA interface obviously because that interface communicated to AD.
Rebooting both CPPMs has not done anything. I have tried to reconfigure the AD Auth sources from scratch and have made sure the networking to get to those auth sources is correct. It discovers the netbios name but I can't search the Base DN.
We needed to add 2 more servers and those two are giving us that error Error: Couldn't kickstart handshaking.
Specifically.
Unable to connect to the server.
Error: Couldn't kickstart handshaking
I am at a loss on how to resolve this....any ideas would be appreciated.
EDIT: So it didn't seem related to the removal of the DATA interface whatsoever on the surface