nested user group not working for l2tp authentication

Options
SiSZyComm
SiSZyComm Posts: 10
First Anniversary First Comment
edited January 2023 in Security
Hello
IMHO nested user groups do not work for L2TP authentication. Let me explain:
Say I have 4 users:
  • l2tpUserHome1
  • l2tpUserHome2
  • l2tpUserWork1
  • l2tpUserWork2
and the following groups:
  • l2tpGroupHome containing users l2tpUserHome1, l2tpUserHome2
  • l2tpGroupWork containing users: l2tpUserWork1, l2tpUserWork2
  • l2tpGroupAllowed containing the groups l2tpGroupHome, l2tpGroupWork
If I set Configuration > VPN > L2TP VPN > "Allowed User:" to "l2tpGroupAllowed" the L2TP Authentication fails with an error message (for chronological order read from bottom to top):

Although I got before the following success message:
Dynamic Tunnel [XXXX:YYYY:0x124567a] built successfully


(same color = same text)
If I configure e.g. "l2tpGroupHome" or "l2tpGroupWork" for "Allowed User" in the L2TP VPN configuration the "authentication" works (vpn tunnel is established).As soon as I switch back to "l2tpGroupAllowed" there is no tunnel established. I doesn't matter which user I user - none work. 

We need those groups to block e.g. l2tp user from "l2tpGroupHome" to access LAN1 interface or a special IP-range.
Any idea what the problem is?
The firewall is a USG210 with V4.39(AAPI.0)
As client I use the built-in Windows 10 L2TP vpn client.

All Replies

  • Zyxel_James
    Zyxel_James Posts: 626  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    SiSZyComm
    I cannot reproduce this behavior.
    I have the same user group settings.

    And create L2TP VPN configure via Quick Setup and then change the Allowed User to l2tpGroupAllowed

    The result is a sccuess


    Could you upgrade to the latest firmware version V4.73 and try again? thanks.

    James

Security Highlight