VPNSSL AD authentication problem

andrealemmi
andrealemmi Posts: 12  Freshman Member

Good morning, I can't add an "ext-group-users" with AD authentication in the access users of a vpnssl. I can insert a group that contains "ext-group-users", but I am not authenticated.

All Replies

  • rv_faro
    rv_faro Posts: 3  Freshman Member

    Hi @andrealemmi,

    I have exactly the same problem on a USG FLEX 700 (non-"H"). This happens only with firmware version 5.40.

    Up to firmware version 5.39.1 this works fine.

    With model USG FLEX 500 and firmware 5.40, authentication works fine.

    Which model / firmware do you have?

  • andrealemmi
    andrealemmi Posts: 12  Freshman Member

    I have a usg-flex100h with firmware V1.32(ABXF.0)

  • Zyxel_Melen
    Zyxel_Melen Posts: 3,522  Zyxel Employee

    Hi @andrealemmi,

    Since this is the USG FLEX H category, I assume your firewall is H series. In a local lab, I can add an extent-group-user and use this user to connect to SSL VPN. Did you add your user to SSL VPN > authentication > user list? You may follow this video to learn how to configure it.

    https://jam.dev/c/14a321b4-acc0-434e-8fe6-b71503dc943a

    P.S. Currently, the extent-group-user object is not selectable in the authentication user list. You need to create a group and add the user to this group.

    If your issue is on another setting/page, please describe it in more detail and share some screenshots, so we can better understand your issue and help resolve it.

    Zyxel Melen


  • andrealemmi
    andrealemmi Posts: 12  Freshman Member
    ext group users.JPG user group.JPG vpnssl config.JPG

    Thanks for the reply. In the images is the configuration of ext-group-users, group and vpn. If I do the user test on ext-group-users, it tells me that the user belongs to the domain group; if I connect with openvpn, it tells me authentication failed.

  • Zyxel_Melen
    Zyxel_Melen Posts: 3,522  Zyxel Employee
    edited June 9

    Hi @andrealemmi,

    In my lab, I didn't get this message "the user belongs to the domain group"; also, I can connect with openSSL without issue.

    image.png image.png

    I want to clarify with you:

    1. Is this user VPN_DC a member under this group identifier?
    2. Can your firewall connect to the AD server?
    3. What's the error message about the SSL VPN connection failure?

    Zyxel Melen


  • andrealemmi
    andrealemmi Posts: 12  Freshman Member

    Hello,

    1- VPN_DC is an ext-group-user of the firewall usgflex100h. VPN_DC has, as its group identifier on the DC, the security group VPN_USER. The security group VPN_USER of the DC has as a member the user with whom I try to connect.

    2- The firewall is connected to the domain; it has done the join. I see it in the OU "Computer" of the DC, and in the Windows security log I see the authentication request.

    3- The error is authentication failed:

    error.png
                            
  • Zyxel_Melen
    Zyxel_Melen Posts: 3,522  Zyxel Employee

    Hi @andrealemmi,

    Thanks for your update.

    Could you provide remote access for us to check this issue? Also, we need the VPN account/password for testing. I will send you a private message for this information.

    Zyxel Melen


  • andrealemmi
    andrealemmi Posts: 12  Freshman Member

    Hi Melen, I replied to your private message, did you see?

  • Zyxel_Melen
    Zyxel_Melen Posts: 3,522  Zyxel Employee

    Hi @andrealemmi,

    Yes, I saw your reply. I checked with our team and was informed that remote access VPN with an AD ext-group user, both IPSec and SSL VPN, has an issue. Typically, the VPN will not connect even though you enter the correct user/password. Although I could connect previously, I can't connect in another topology.

    I'm checking when this issue will be fixed. I will update you once I get further information.

    Zyxel Melen


  • Zyxel_Melen
    Zyxel_Melen Posts: 3,522  Zyxel Employee
    edited June 30

    Update:

    This issue will be fixed/enhanced in the next firmware release (next is V1.35). Please follow the new release category to get the new firmware release info.

    Zyxel Melen