L2TP VPN with Active Directory Authentication - Working but only with Admin accounts?

codea83 Posts: 2
First Comment
edited April 2021 in Security


On a ZyWALL 110 VPN device, I have a L2TP VPN set up and working. It's successfully authenticating AD domain users as long as they are in the Administrators group, even though I have it pointed at a "VPN Users" group on ad and don't have any mention of the Administrators group. 

Using the configuration tester in the ZyWall, it successfully checks users and reports back if they are in the correct group or not, but it still refuses to let them connect with a "This user is not authroized for remote login" error unless they are in the Administrators group. Once I add that same user who gets the not authorized error to the administrators group, it works just fine. If I remove them from the group, it stops working. What is going on? I'm sure I'm sure I'm missing something simple.




Accepted Solution

All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,366  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @codea83  

    When USG authenticating with external server, allow or deny actions are defined by server side.

    You can try to add a group on AD server.

    And add a ext-group user object on USG.

    And apply it into L2TP setting.

    If authentication still fail, then please take a screenshot you tested in tester.

  • codea83
    codea83 Posts: 2
    First Comment
    Thanks for the reply! This looks like how we have it set up and still no luck. Only administrators are allowed to log in, here are my settings below:


    User not in group reports correctly:

    User in group reporting correctly:

    User setup correctly that CAN NOT log in unless I add her to the administrators group. This is when she isn't in the admin group. 

    Let me know if you need any other info. Thanks for your guidance! 

Security Highlight