L2TP VPN with Active Directory Authentication - Working but only with Admin accounts?
Hello!
On a ZyWALL 110 VPN device, I have a L2TP VPN set up and working. It's successfully authenticating AD domain users as long as they are in the Administrators group, even though I have it pointed at a "VPN Users" group on ad and don't have any mention of the Administrators group.
Using the configuration tester in the ZyWall, it successfully checks users and reports back if they are in the correct group or not, but it still refuses to let them connect with a "This user is not authroized for remote login" error unless they are in the Administrators group. Once I add that same user who gets the not authorized error to the administrators group, it works just fine. If I remove them from the group, it stops working. What is going on? I'm sure I'm sure I'm missing something simple.
Thanks!
Chris
Accepted Solution
-
Hi @codea83
After checked screenshots, it looks all of the configuration on ZyWALL is correct.
But AD server still deny authentication which user is not belonging to domain-admin group. (Maybe is coming from GPO configuration or others).
You may need consult with Microsoft support according to Authentication privilege between different groups.
5
All Replies
-
Hi @codea83
When USG authenticating with external server, allow or deny actions are defined by server side.
You can try to add a group on AD server.
And add a ext-group user object on USG.
And apply it into L2TP setting.
If authentication still fail, then please take a screenshot you tested in tester.
0 -
Thanks for the reply! This looks like how we have it set up and still no luck. Only administrators are allowed to log in, here are my settings below:
Settings:
User not in group reports correctly:
User in group reporting correctly:
User setup correctly that CAN NOT log in unless I add her to the administrators group. This is when she isn't in the admin group.
Let me know if you need any other info. Thanks for your guidance!0 -
Hi @codea83
After checked screenshots, it looks all of the configuration on ZyWALL is correct.
But AD server still deny authentication which user is not belonging to domain-admin group. (Maybe is coming from GPO configuration or others).
You may need consult with Microsoft support according to Authentication privilege between different groups.
5
Categories
- All Categories
- 415 Beta Program
- 2.3K Nebula
- 141 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.5K Security
- 216 USG FLEX H Series
- 262 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1K Wireless
- 39 Wireless Ideas
- 6.3K Consumer Product
- 243 Service & License
- 382 News and Release
- 81 Security Advisories
- 27 Education Center
- 8 [Campaign] Zyxel Network Detective
- 3K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight