USG FLEX H Series - Remote Access VPN with AD
USG FLEX H Series - Remote Access VPN with AD
Overview
The USG FLEX H Series firewalls now support Remote Access VPN authentication using Active Directory (AD). This enhancement allows centralized user management and improves security by leveraging your existing AD infrastructure for IPsec VPN and SSL VPN authentication.
Authentication Criteria
Primary and Secondary Authentication Servers
- Primary Server: The firewall queries this server first to authenticate VPN users.
- Secondary Server: If the primary server fails or is unreachable, the firewall queries the secondary server.
Note: At least one authentication server must be the local user database. This ensures a backup authentication method if external servers are unavailable, preventing user lockout from the device.
Setting Up Remote Access VPN with AD
Configure AD Server on Firewall:
- Navigate to User & Authentication > User Authentication.
- Select AD Server and click Add.
- Enter the AD server's IP address and domain.
- Input the admin credentials for the AD server.
Join the Firewall to the Domain:
- Navigate to User & Authentication > User Authentication > AD Server.
- Select the AD server profile and click Join Domain.
- Enter the NetBIOS domain name, AD admin username, and password.
- Click Apply.
Configure IPsec VPN:
- Navigate to VPN > IPsec VPN.
- Set up the IPsec VPN with AD authentication.
- Ensure EAP MS-CHAPv2 is selected.
Configure SSL VPN:
- Navigate to VPN > SSL VPN.
- Set up SSL VPN with AD authentication.
Authentication Flow
User Initiates VPN Connection:
- User connects to the VPN using their AD credentials.
Firewall Queries AD Server:
- The firewall sends an authentication request to the AD server.
- If the AD server is unreachable, the firewall queries the secondary server (local database).
Successful Authentication:
- If credentials are valid, the user gains access to the VPN.
- The user is redirected to a portal for two-factor authentication (if enabled).
Verifying Authentication
Check Login User Events:
- Navigate to Monitor > Logged-in Users.
- Users authenticated with AD will be listed with the type EAP CFG.
Check IPsec VPN Status:
- Navigate to Monitor > IPsec VPN > Remote Access VPN.
- Verify user sessions and connection details.
Additional Notes
- Local User Database Requirement: One of the authentication servers must always be the local user database to ensure access if external servers fail.
- Event Logs: For detailed logs, navigate to Log & Report > Event Logs and filter by Login User Events.
Summary
Integrating AD authentication with your USG FLEX H Series firewall enhances security and simplifies user management by utilizing existing AD infrastructure. This setup ensures that users can authenticate via AD for remote access VPN while maintaining a fallback to the local user database to prevent lockouts.
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 146 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight