USG FLEX H Series - Remote Access VPN with AD

Zyxel_Richard

USG FLEX H Series - Remote Access VPN with AD

Overview

The USG FLEX H Series firewalls now support Remote Access VPN authentication using Active Directory (AD). This enhancement allows centralized user management and improves security by leveraging your existing AD infrastructure for IPsec VPN and SSL VPN authentication.

Authentication Criteria

Primary and Secondary Authentication Servers

• Primary Server: The firewall queries this server first to authenticate VPN users.
• Secondary Server: If the primary server fails or is unreachable, the firewall queries the secondary server.

Note: At least one authentication server must be the local user database. This ensures a backup authentication method if external servers are unavailable, preventing user lockout from the device.

Setting Up Remote Access VPN with AD

Configure AD Server on Firewall:

• Navigate to User & Authentication > User Authentication.
• Select AD Server and click Add.
• Enter the AD server's IP address and domain.
• Input the admin credentials for the AD server.

Join the Firewall to the Domain:

• Navigate to User & Authentication > User Authentication > AD Server.
• Select the AD server profile and click Join Domain.
• Enter the NetBIOS domain name, AD admin username, and password.
• Click Apply.

Configure IPsec VPN:

• Navigate to VPN > IPsec VPN.
• Set up the IPsec VPN with AD authentication.
• Ensure EAP MS-CHAPv2 is selected.

Configure SSL VPN:

• Navigate to VPN > SSL VPN.
• Set up SSL VPN with AD authentication.

Authentication Flow

User Initiates VPN Connection:

• User connects to the VPN using their AD credentials.

Firewall Queries AD Server:

• The firewall sends an authentication request to the AD server.
• If the AD server is unreachable, the firewall queries the secondary server (local database).

Successful Authentication:

• If credentials are valid, the user gains access to the VPN.
• The user is redirected to a portal for two-factor authentication (if enabled).

Verifying Authentication

Check Login User Events:

• Navigate to Monitor > Logged-in Users.
• Users authenticated with AD will be listed with the type EAP CFG.

Check IPsec VPN Status:

• Navigate to Monitor > IPsec VPN > Remote Access VPN.
• Verify user sessions and connection details.

Additional Notes

• Local User Database Requirement: One of the authentication servers must always be the local user database to ensure access if external servers fail.
• Event Logs: For detailed logs, navigate to Log & Report > Event Logs and filter by Login User Events.

Summary

Integrating AD authentication with your USG FLEX H Series firewall enhances security and simplifies user management by utilizing existing AD infrastructure. This setup ensures that users can authenticate via AD for remote access VPN while maintaining a fallback to the local user database to prevent lockouts.