As I understand it, if the DATA interface is configured on CPPM, it will interface and connect to services like LDAPS, SMTP delivery, AD joining, etc. It will also be the default interface to respond to radius requests unless a request is specifically made to the MGMT port.
We have a cluster of 2 CPPMs and we have decided to not use the DATA interface anymore (for all the reasons that it shouldn't have been configured in the first place), therefore we unconfigured them on PUB and SUB. This reset the default route back to the MGMT interface; all is well except... my AD auth sources are not behaving correctly. I get errors like invalid username/password (even though we have reset it on AD and retyped it on CPPM) or "Error: Couldn't kickstart handshaking".
Both CPPMs are joined to the domain. 2 out of the 4 AD auth sources are working. The 2 that are working have a Bind DN that is not a UPN. The other two use an account. I have tested that account via the CLI using the "ad auth" command and it returns successful.
Everything worked prior to the removal of the DATA interface obviously because that interface communicated to AD.
Rebooting both CPPMs has not done anything. I have tried to reconfigure the AD Auth sources from scratch and have made sure the networking to get to those auth sources is correct. It discovers the netbios name but I can't search the Base DN.
We needed to add 2 more servers and those two are giving us that error: "Error: Couldn't kickstart handshaking".
Unable to connect to the server. Error: Couldn't kickstart handshaking
I am at a loss on how to resolve this... any ideas would be appreciated.
how did you remove the DATA interface configuration?
Via WEB GUI or via CLI?
I had a similar problem when I removed the data port configuration via WEB GUI. What I did to resolve the issue was to set the configuration again on the GUI and go via CLI to reset the interface configuration.
Hope this helps.
I removed it from the webui. I also removed the 2 auth sources that did not work and reconfigured them and I was able to search the tree. Saved the configuration. Went back in to see if I can surf it again and I get incorrect username / password... but on the CLI it works:
[appadmin@RSWIFICPPM01]# ad auth -u clearpass -n 11CHARCHIPEL
Password:
NT_STATUS_OK: The operation completed successfully. (0x0)
[appadmin@RSWIFICPPM01]#
EDIT: 6.11.1 version
Original Message: Sent: Aug 28, 2023 08:28 PM From: pmonardo Subject: Removal of CPPM DATA interface (unconfigured it) causing auth sources to stop functioning
Is this a physical server or virtual machine? IIRC with VMs there could be an issue with which MAC Address is the higher number? On my Lab VMs I enable both interfaces & CPPM uses the one it prefers. I have never configured both interfaces.
Just a long shot, but do any of the certs being used to communicate to your auth sources use the IP address that was assigned to the DATA port in the SAN field? Just looking for a connection between the DATA port and the certs/SSL as that is usually where a failure to kick off handshaking would occur.
I opened a case and it actually ended up sending an incorrect password in the bindrequest. We modified the source back to use cleartext port 389 so we could see what was being sent.
Below is a pcap of the password it was sending.
The password was 16 characters long and only had an ! at the end of it. We changed it to something more simple that would match the password policy set in AD.
We were able to browse the tree finally. Not sure why it was sending an incorrect password but that would need further investigation.
Changed the password to be 12 characters with a mix of alphanumeric and special characters and no issues. Maybe it didn't like the 16 character length?
Original Message: Sent: Aug 29, 2023 02:25 PM From: Bruce Osborne Subject: Removal of CPPM DATA interface (unconfigured it) causing auth sources to stop functioning
------------------------------
Bruce Osborne ACCP ACMP
Liberty University
The views expressed here are my personal views and not those of my employer
EDIT: So it didn't seem related to the removal of the DATA interface whatsoever on the surface