Authorization on AD group for L2TP does not pass

Niviteka · April 2020

Zywall 310 / fw 4.35 (AAAB.3)

For L2TP users, a local group (L2TP-VPN-users) in Zywall has been created, where those who are allowed access to VPN (allowed users) are placed.

AD authentication was configured, an ad-users internal user was added to the L2TP-VPN-users group. As a result, all users of the domain and local are authorized and connected.

But as soon as you try to allow authorization only for users belonging to a certain AD group (ext-group-user). Authorization fails ("disallowed user" in logs)

Group authorization is as follows - An AD-VPN user of the ext-group-user type is created. with settings defining the AD group. When testing inside the ext-group user test, the test passes - the status is OK.

The created user (AD-VPN) was added to the VPN allowed group (L2TP-VPN-users), and the ad-users built-in user was removed from the allowed group. After that, authorization through AD does not work.

Niviteka · April 2020

After update the newest weekly firmware (V4.35(AAAB.3)ITS-WK13-r92843) problem was solved.

Zyxel_Charlie · April 2020

@Niviteka
As your description,
can you check the account on AD is enabled?

Image: https://us.v-cdn.net/6029482/uploads/editor/nu/73r4px1z4led.jpg

Also, can I know do you login to the device GUI successfully via account?

Niviteka · April 2020

Account enabled.

I can to login to the device GUI successfully via AD account.

I can even connect to L2TP if I add the ad-user to the L2TP-VPN-users group, but then all domain users can join VPN.
I need so that only users of the VPN-users group in AD can connect to VPN.

Niviteka · April 2020

After update the newest weekly firmware (V4.35(AAAB.3)ITS-WK13-r92843) problem was solved.

Authorization on AD group for L2TP does not pass

Accepted Solution

All Replies

Categories

Security Highlight

Security Help Center