Use Azure Active Directory to authenicated VPN access

sfdev
sfdev Posts: 2
First Anniversary First Comment
edited April 2021 in Security

Hello Zyxel team, Hello community,

we are a Start-up/SMB company. In our case we don't have the need to run an AD server in our local infrastructure. Right now, we are managing our entire active directory service over the Azure cloud. This shouldn't surprise anyone, Microsoft is pushing more and more companies into the Microsoft/Office 365 cloud eco-system.

My question: Is there any documented way how to connect an VPN with the Azure Active Directory? My goal is to use the Microsoft/Office 365 account to authenticate/establish a VPN connection without handing out additional VPN user accounts to my team.

Just to clarify: I am not talking about renting a bare metal server on Azure with an own installed ADS service on it. I am talking about the “Azure Active Directory” which comes with every Microsoft/Office 365 business account.

The best information regarding that issue is the following article from the knowledge base:
https://support.zyxel.eu/hc/en-us/articles/360001391154

But this article seems tailored to a local AD setup rather than the Azure Active Directory.

 Problems I struggle when I follow the article above:

  • General “Server Setting” for the AAA Server config. I am not sure what IP or port is used for the Azure AD. Sure I have a registered domain in the Azure account and Microsoft also has the default domain name (companyxyz.onmicrosoft.com), but I have the feeling that the domain names (FQDN) gets not recognized in my testing. Base DN settings shouldn’t be the problem I just adapted this from my domain name.
  • Regarding the “Domain Authentication for MSChap” I am also not sure if this is necessary in the Azure AD scenario, so I didn’t touch it.
  • Configuration Validation is a problem for me. As far I know/recognized Microsoft is using the mail addresses as usernames for authentication. Maybe it is naive, but as a Microsoft/Office 365 user it is naturally to use the email as username. In my case, I can not fit the email address into the validator, because the field has a character limit.

When I enter any username in the validator, I get the test status / error message : “Wrong IP or Port.” This is way I assume the server setting dosen’t work with the Azure Active Directory.

I am glad if anyone has an idea or solution for this issue.

Best,

Stefan

All Replies

  • zyman2008
    zyman2008 Posts: 199  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    What I know is Zyxel firewall support external authentication via LDAP/RADIUS protocol.

    So I don't think Zyxel firewall support native Azure AD.
    Since that's need to support SAML authentication.

    Azure AD DS can support LDAPs over Internet.
    So that Azure AD DS sync. with Azure AD might have a chance to support.
    https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-ldap

    But it not suite for SMB because of its cost and complexity.

  • sfdev
    sfdev Posts: 2
    First Anniversary First Comment
    edited March 2021
    Hi Zyman,

    thank your for your message, but regarding the Zyxel Knwolege Base this should be possible:

    On my research I have seen Ci*co has a solution called AnyConnect which is able to handel "Azure Active Directory" connects in an SSO context.

    Any further ideas how this could work with Zyxel devices?
  • zyman2008
    zyman2008 Posts: 199  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Cisco ASA + Anyconnect works because of it support SAML, which Azure AD native support.
    https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/cisco-anyconnect

    Zyxel device doesn't support SAML but support LDAPs.
    So that need to use Azure AD DS integrate with Azure AD. 
    Azure AD DS support LDAPs.

  • Did anyone find a working solution yet?
    Zyxel Support just confirmed to me that they do not support Microsoft 365 AD authentication.
  • Podo
    Podo Posts: 28  Freshman Member
    It looks like you can't implement this.
    Zyxel also don't support Azure Cloud AD

    Maybe try traditional AD DC instead ?

Security Highlight