USG FLEX H Series - AD Server Authentication

Zyxel_Richard (Zyxel Employee)
edited May 17 in Other Topics

USG FLEX H Series - AD Authentication

Overview

The USG FLEX H Series now supports AD (Active Directory) authentication for both IPsec VPN and SSL VPN users. This enhancement allows centralized user management and enhanced security by leveraging your existing AD infrastructure.

AD Authentication for VPN

Supported Authentication Methods

  • IPsec VPN: Uses EAP-MS-CHAPv2 for authentication.
  • SSL VPN: Can use either AD or LDAP for authentication. Note that LDAP does not support EAP-MS-CHAPv2, so it cannot be used for IPsec VPN.

Configuration Steps

1. Create a Domain Zone for AD Authentication

  • Ensure your firewall is configured to use your AD domain.
  • The firewall must join the Active Directory domain to authenticate users.

2. Set Up AD Server Authentication on the Firewall

  • Configure AD Server on Firewall:
    • Navigate to User & Authentication > User Authentication.
    • Select AD Server and click Add.
  • Join the Firewall to the Domain:
    • Enter the domain name (e.g., zicamp.com).
    • Provide the IP address of your AD server.
    • Click on Join Domain.
    • Enter the NetBIOS domain name, AD username, and password.

Note: The maximum number of characters for an AD hostname is 15.

Troubleshooting AD Join

  • Ensure the AD server is reachable.
  • Verify AD credentials.
  • Check firewall and AD server logs for more details.
  • Ensure the firewall's DNS settings point to the AD server.
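The checks in this list can be run from an admin host before attempting the join. The script below is an added example, not Zyxel's tooling or CLI; it assumes nslookup and nc are available for the network checks, and the domain, DC address and firewall hostname are placeholders.

```shell
#!/bin/sh
# Pre-join checks for an AD join from a firewall: hostname length (15-char
# NetBIOS limit), domain name form, DNS SRV record for the DC, and the AD
# ports that must be reachable. Network checks are skipped if the tool is
# absent. All sample values are constructed placeholders.

# A NetBIOS computer name is 1-15 characters: letters, digits and hyphen,
# not starting or ending with a hyphen.
valid_netbios_name() {
    name=$1
    [ ${#name} -ge 1 ] && [ ${#name} -le 15 ] || return 1
    case $name in
        *[!A-Za-z0-9-]*) return 1 ;;
        -*|*-) return 1 ;;
    esac
    return 0
}

# The AD domain must be a DNS name with at least two labels (e.g. zicamp.com).
valid_ad_domain() {
    case $1 in *.*) ;; *) return 1 ;; esac
    case $1 in
        *[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
    esac
    return 0
}

# preflight <dc-ip> <ad-domain> <firewall-hostname>
preflight() {
    dc=$1; domain=$2; host=$3
    valid_netbios_name "$host" || { echo "hostname '$host': over 15 chars or invalid"; return 1; }
    valid_ad_domain "$domain" || { echo "domain '$domain' is not a DNS name"; return 1; }
    if command -v nslookup >/dev/null 2>&1; then
        # The DC locator SRV record must resolve through the DNS server the firewall uses.
        nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" "$dc" >/dev/null 2>&1 \
            || { echo "SRV lookup failed: point the firewall's DNS at the AD server"; return 1; }
    fi
    if command -v nc >/dev/null 2>&1; then
        # DNS, Kerberos, LDAP and SMB are all needed for the join and for EAP-MS-CHAPv2 auth.
        for port in 53 88 389 445; do
            nc -z -w 3 "$dc" "$port" >/dev/null 2>&1 || { echo "port $port on $dc unreachable"; return 1; }
        done
    fi
    echo "pre-join checks passed"
}

# Example invocation with placeholder values:
# preflight 192.0.2.10 zicamp.com USGFLEXH-BRANCH
```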

Using AD for VPN Authentication

IPsec VPN Configuration

  • Configure IPsec VPN:
    • Navigate to VPN > IPsec VPN.
    • Set up IPsec VPN with AD authentication.
    • Ensure EAP-MS-CHAPv2 is selected.
  • User Authentication:
    • Ensure users are created and managed in AD.
    • Users will authenticate using their AD credentials.

SSL VPN Configuration

  • Configure SSL VPN:
    • Navigate to VPN > SSL VPN.
    • Set up SSL VPN with AD authentication.
  • User Authentication:
    • Ensure users are created and managed in AD.
    • Users will authenticate using their AD credentials.

Limitations

  • Only one AD domain can be joined at a time.
  • Ensure your firewall is trusted by the AD server.
  • Plain LDAP does not support EAP-MS-CHAPv2, so it cannot be used for IPsec VPN.

Summary

Integrating AD authentication with your USG FLEX H Series firewall enhances security and simplifies user management by utilizing existing AD infrastructure. The steps involve configuring the AD server on the firewall, joining the firewall to the domain, and setting up VPN to use AD for user authentication.

If you encounter issues joining the domain or setting up AD authentication, refer to the provided CLI commands for troubleshooting and verify your AD server settings.