Can't get AAA Server -> Active Directory to work

OWB
OWB Posts: 24  Freshman Member
First Anniversary 10 Comments Friend Collector
edited April 2021 in Security

I'm trying to set up AD user validation for SSL VPN connections.

I have earlier succeeded this on a VPN50, and a Windows SBS connected to same subnet, if that matters.

Now I'm trying to set up a VPN100 located at our office location, to validate users on a Windows Server 2016 DC, located at our external hosting partner.

I have filled in server address (primary DC IP), backup server address (backup DC IP), Base DN, Bind DN and password, but when using the configuration validation option in the bottom, I reciewe a "Wrong IP or Port" as result.

As I can identify, the default port (389) has not been changed on the DC.

Before I suggest that something must be wrong at our hosting partner, I would like to be quite sure, that I have made the configuration proper.

When looking the log right after performing the "configuration validation", I'm a little surprised that nothing seems to be logged in connection with the validation. Shouldn't I see something?

Every suggestions on what could be wrong appreciated.

BR Ole.

Accepted Solution

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,026  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓

    Hi @OWB

    Can you ping from the device the server successfully?

    Or you may try to add a static route as below:

    As an AD client role, the device will mainly to verify if the account is valid or not.

    Regarding to the failure reason, we need your help to check the log on the AD server, meanwhile, can you collect the packets and share with us when you’re running AD authentication?

All Replies

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,026  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @OWB

    Welcome to Zyxel community 

    Could you private message your configuration for check further?

     

  • OWB
    OWB Posts: 24  Freshman Member
    First Anniversary 10 Comments Friend Collector

    Thanks @Zyxel_Jerry

    Yes, guess I can. Should I just download "startup-config.config and attach it to a private message to you?

    BR Ole.

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,026  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @OWB

    I’ve checked your configuration, there is no problem with it,

    The previous you mentioned that after performing the “configuration validation” the result show ” Wrong IP or PORT”.

    Could you please check the connection on VPN tunnel?

    Could you ping the IP address of the server ?

    If it still cannot connect to the server, try to disable the firewall rule and ping server again.

  • OWB
    OWB Posts: 24  Freshman Member
    First Anniversary 10 Comments Friend Collector

    Hi Jerry,

    No problem, I can ping the DC, and the VPN is definitely running. All of our local IT (Microsoft Outlook, network shares, print etc.) is using servers in "the other end" of the VPN.

    In the beginning, I did suspekt that the DC was set up to user other than default port (389), but from what I can identify, it seems not to be the issue.

    When looking the log right after performing the "configuration validation", I'm a little surprised that nothing seems to be logged in connection with the validation. Shouldn't I see some log entry in Monitor->Log, even it has failed or not?

    BR O

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,026  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓

    Hi @OWB

    Can you ping from the device the server successfully?

    Or you may try to add a static route as below:

    As an AD client role, the device will mainly to verify if the account is valid or not.

    Regarding to the failure reason, we need your help to check the log on the AD server, meanwhile, can you collect the packets and share with us when you’re running AD authentication?

  • OWB
    OWB Posts: 24  Freshman Member
    First Anniversary 10 Comments Friend Collector

    Hi Jerry,

    Apologies for my absence.

    Thanks a lot, setting the static route as suggested did the trick, it's now working. :-)

    BR O

Security Highlight