Can't get AAA Server -> Active Directory to work
I'm trying to set up AD user validation for SSL VPN connections.
I have earlier succeeded with this on a VPN50, and a Windows SBS connected to the same subnet, if that matters.
Now I'm trying to set up a VPN100 located at our office location, to validate users on a Windows Server 2016 DC, located at our external hosting partner.
I have filled in server address (primary DC IP), backup server address (backup DC IP), Base DN, Bind DN and password, but when using the configuration validation option at the bottom, I receive a "Wrong IP or Port" as result.
As I can identify, the default port (389) has not been changed on the DC.
Before I suggest that something must be wrong at our hosting partner, I would like to be quite sure, that I have made the configuration proper.
When looking at the log right after performing the "configuration validation", I'm a little surprised that nothing seems to be logged in connection with the validation. Shouldn't I see something?
Any suggestions on what could be wrong are appreciated.
BR Ole.
All Replies
Thanks @Zyxel_Jerry
Yes, I guess I can. Should I just download "startup-config.config" and attach it to a private message to you?
BR Ole.
0 -
Hi @OWB
I've checked your configuration, there is no problem with it.
Previously you mentioned that after performing the "configuration validation" the result shows "Wrong IP or PORT".
Could you please check the connection on VPN tunnel?
Could you ping the IP address of the server ?
If it still cannot connect to the server, try to disable the firewall rule and ping server again.
0 -
Hi Jerry,
No problem, I can ping the DC, and the VPN is definitely running. All of our local IT (Microsoft Outlook, network shares, print etc.) is using servers in "the other end" of the VPN.
In the beginning, I did suspect that the DC was set up to use a port other than the default (389), but from what I can identify, it seems not to be the issue.
When looking at the log right after performing the "configuration validation", I'm a little surprised that nothing seems to be logged in connection with the validation. Shouldn't I see some log entry in Monitor->Log, whether it has failed or not?
BR O
0 -
Hi @OWB
Can you ping from the device the server successfully?
Or you may try to add a static route as below:
As an AD client role, the device will mainly verify if the account is valid or not.
Regarding the failure reason, we need your help to check the log on the AD server; meanwhile, can you collect the packets and share them with us when you're running AD authentication?
1 (Accepted Solution) -
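The accepted answer boils down to a routing question: the device can reach the DC only if the route it picks for the DC's address points into the VPN tunnel rather than out of the default WAN. The following is an added example (not Zyxel's code and not from this thread) that mimics the device's longest-prefix route lookup against a constructed routing table, tells you whether a static route for the AD server is missing, and separately offers a plain TCP connect check on the configured LDAP port (389 here, as in the thread). All addresses, interface names and the routing table are assumptions for illustration.

```python
import ipaddress
import socket

# Constructed sample routing table (assumption: the thread shows no real
# routes or addresses). "iface" is the egress interface, as a firewall
# would report it; None next_hop means directly connected.
SAMPLE_ROUTES = [
    {"dest": "0.0.0.0/0",       "next_hop": "203.0.113.1", "iface": "wan1"},
    {"dest": "192.168.10.0/24", "next_hop": None,          "iface": "lan1"},
    {"dest": "10.20.0.0/16",    "next_hop": None,          "iface": "vpn_tunnel"},
]

# Hypothetical names for the hosting partner's DCs and the tunnel interface.
PRIMARY_DC = "10.20.1.5"
BACKUP_DC = "10.30.1.5"      # deliberately outside the tunnel's route
TUNNEL_IFACE = "vpn_tunnel"


def select_route(dest_ip, routes):
    """Longest-prefix match: the most specific route containing dest_ip wins."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    best_len = -1
    for route in routes:
        net = ipaddress.ip_network(route["dest"])
        if ip in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def needs_static_route(server_ip, routes, tunnel_iface):
    """True when the AD server's traffic would NOT leave via the VPN tunnel."""
    route = select_route(server_ip, routes)
    return route is None or route["iface"] != tunnel_iface


def diagnose(server_ip, routes, tunnel_iface):
    """Human-readable verdict for one AAA server address."""
    route = select_route(server_ip, routes)
    if route is None:
        return f"{server_ip}: no route at all; add a static route via {tunnel_iface}"
    if route["iface"] != tunnel_iface:
        return (f"{server_ip}: matched {route['dest']} via {route['iface']}; "
                f"add a static route via {tunnel_iface}")
    return f"{server_ip}: matched {route['dest']} via {route['iface']}; routing OK"


def check_ldap_port(server_ip, port=389, timeout=3.0):
    """Plain TCP connect to the LDAP port; needs network access, so it is
    not exercised offline. A refused/timed-out connect matches the
    'Wrong IP or Port' symptom even when ICMP ping succeeds."""
    try:
        with socket.create_connection((server_ip, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for dc in (PRIMARY_DC, BACKUP_DC):
        print(diagnose(dc, SAMPLE_ROUTES, TUNNEL_IFACE))
```

Run the routing check first against the device's actual route table and both DC addresses (primary and backup are validated separately, so a missing route for only the backup still breaks failover); once both resolve to the tunnel, the TCP check on port 389 tells you whether the DC itself answers on the configured port, which is a different failure from a ping that succeeds over the tunnel.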
Hi Jerry,
Apologies for my absence.
Thanks a lot, setting the static route as suggested did the trick, it's now working. :-)
BR O
0