USG Flex - ALL. Username limit too short and \ character restriction.
Using L2TP VPN on Flex 200 (situation is the same with all Flex and previous USG range). We specifically DO NOT want to use RADIUS as not all VPN users are allowed to "see" AD - e.g. remote monitoring of CCTV or engineering machine monitoring/management.
Take the (fictitious)example of:
On prem AD and Exchange server, email domain name "@coilwindingtech.co.uk"
AD domain is UK1.coilwindingtech.co.uk, a user logon name (UPN) is christopher.rushland@coilwindingtech.co.uk or uk1\christopher.rushland
We cannot use either of those user names in Flex as Flex has a maximum of 31 characters in the user name and also does not support use of a backslash in the username, so we have had to set a different user name or truncate it.
Why this is a problem: The user connects the L2TP VPN successfully, then launches Outlook (2019 - which has all been set up and working whilst his laptop was in the works office). By default, Microsoft (Outlook) now attempts to authenticate to Exchange using the credentials that were used to connect the VPN instead of using the correct credentials that should have been cashed. User does not notice the name entered on the Outlook credential prompt so just types the password he knows is correct, but Outlook still refuses to connect, so he types the password once more and this time, his AD account is locked due to the account lockout threshold (needed security). There is a fix for this which is to edit the rasphone entry on the laptop and tell it not to use the VPN credentials for authentication to any other app.
(Quote: Go to %username%\AppData\Roaming\Microsoft\Network\Connections\PbkOpen file rasphone.pbk with notepadChange value of "UseRasCredentials" 1 to 0)
Easy enough when you have just a few remote users, but when you have many, it becomes a problem.
I suggest (and request) the proper fix would be (since Microsoft won't change their coding) to increase USG Flex user name limit to 48 or 64 characters and/or allow the use of the backslash character in usernames. Then user's AD user name can be used for their Flex user name too (where appropriate) and the problem will go away.
Thoughts anyone?
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 149 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 263 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight