VPNSSL AD authentication problem





Good morning, I can't add an "ext-group-users" with AD authentication in the access users of a VPN SSL. I can insert a group that contains "ext-group-users", but I am not authenticated.
All Replies
-
Hi @andrealemmi ,
I have exactly the same problem on a USG FLEX 700 (non-"H"). This happens only with firmware version 5.40.
Up to firmware version 5.39.1 this works fine.
With model USG FLEX 500 and firmware 5.40, authentication works fine.
Which model / firmware do you have?
0 -
I have a usg-flex100h with firmware V1.32(ABXF.0)
0 -
Hi @andrealemmi,
Since this is the USG FLEX H category, I assume your firewall is H series. I did a local lab in which I can add an extent-group-user and use this user to connect to SSL VPN. Did you add your user to SSL VPN > authentication > user list? You may follow this video to learn how to configure it.
https://jam.dev/c/14a321b4-acc0-434e-8fe6-b71503dc943a
P.S. Currently, the extent-group-user object is not selectable in the authentication user list. You need to create a group and add the user to this group.
If your issue is on another setting/page, please describe it in more detail and share some screenshots, so we can better understand your issue and help to resolve it.
Zyxel Melen
0 -
Thanks for the reply. In the images is the configuration of ext-group-users, group and VPN. If I do the user test on ext-group-users, it tells me that the user belongs to the domain group; if I connect with OpenVPN, it tells me authentication failed.
0 -
Hi @andrealemmi
In my lab, I didn't get this message "the user belongs to the domain group", also, I can connect with openSSL without issue.
I want to clarify with you:
- Is this user VPN_DC a member under this group identifier?
- Can your firewall connect to the AD server?
- What's the error message about the SSL VPN connection failure?
Zyxel Melen
0 -
Hello,
1- VPN_DC is an ext-group-user of the firewall usgflex100h. VPN_DC is as a group identification of the DC has the security group VPN_USER. The security group VPN_USER of the DC has as a member the user with whom I try to connect.
2- The firewall is connected to the domain, it has done the join, I see it in the OU "Computer" of the DC, and in the Windows security log I see the authentication request.
3- The error is authentication failed:
0 -
Hi @andrealemmi,
Thanks for your update.
Could you provide remote access for us to check this issue? Also, we need the VPN account/password for testing. I will send you a private message for this information.
Zyxel Melen
0 -
Hi Melen, I replied to your private message, did you see?
0 -
Hi @andrealemmi,
Yes, I saw your reply. I checked with our team and was informed that remote access VPN with AD ext-group user, IPSec and SSL VPN, has an issue. Typically, the VPN will not connect although you enter the correct user/password. Although I could connect previously, I can't connect in another topology.
I'm checking when this issue will be fixed. I will update you once I get further information.
Zyxel Melen
0 -
Update:
This issue will be fixed/enhanced in the next firmware release (Next is V1.35). Please follow new release category to get the new firmware release info~
Zyxel Melen