AD validated users - SSL VPN
I've tried to get SSL VPN to work with AD-validated users, but I keep getting "incorrect password" or "nonexistent username" when testing.
The AD group is correctly configured, we used to use the same group when using L2TP, but after Apple shut down VPN passthrough support in iOS 10, we need another way to get in.
Isn't it possible using AD validated SSL VPN?
It's on a Zywall 310, newest firmware.
All Replies
Hello.
I configured a ZyWALL 110 with an AAA server and checked the user.
Then I created a user with the same name as the user in AD and chose "ext-user" as the user type.
Then I created a group and added the user to the SSL group.
When I connect with the client, the users are authenticated by the DC.
It shouldn't be necessary to create users manually; it should be enough to just set up the AD connector.
As I wrote, it worked perfectly for L2TP VPN, but it doesn't work with SSL VPN.
I don't want to create and maintain 100 SSL VPN users when LDAP is possible.
@Solutio
You need to confirm the information below:
1. Select "ext-group-user" as your user type, and make sure the details of "CN,OU,DC" match your AD server.
2. Go to AAA server > Active Directory and fill in the information so the USG can communicate with your AD server. You can also test your account in the "Configuration Validation" field.
3. Select the user profile you created for SSL VPN.
Here is an example from the FAQ for your reference.
https://businessforum.zyxel.com/discussion/1011/how-to-configure-usg-series-to-authenticate-ssl-vpn-client-with-microsoft-active-directory/p1?new=1
May I know which Server are you using?
Charlie
Hi Charlie, and thank you for your reply.
I've been out of office, sorry for the delay.
As mentioned, the group is correctly set up as above; I can test users OK.
It's the same group that was used to validate users with L2TP VPN before iOS disabled VPN passthrough; it has always worked.
The server is Windows Server 2016.
@Solutio
Regarding your request "SSL VPN with Windows Server 2016 AD": this is not supported on the USG Series so far. We are still evaluating this enhancement.
Charlie
Hello, today I encountered the same phenomenon with a USG20-VPN (V4.31) and a Windows Server 2016 Standard DC (1607, build 14393.2214), so I would also be delighted to hear about a solution to that "enhancement". Still, I may offer a small contribution to this topic, because in January, for another customer with the same model USG20-VPN but firmware V4.25, authentication against a Windows 2016 AD with SecuExtender 4.0.2.0 worked like a charm (then and today the domain functional levels are Windows Server 2016). So maybe the faulty "enhancement" lies not so much with Windows 2016 but came with the ZLD upgrade to 4.3x…?
Because I also tested the configuration with 4.30 today and got the same errors. So I'm looking forward to ZLD 4.31 (ABAQ1) or even 4.32… until then we will keep V4.25 on our own USG110 to have a functioning SSL VPN.
Or maybe I'll try V4.31 on the standby firmware slot. If I manage to find the time, I'll post the results. So long!
Ferro
Hello again, and I have to apologize and take back what I wrote before: I found the error in my config! During testing with V4.25 on the standby firmware I stumbled over a setting that I wasn't sure I had changed under V4.31: "Configuration -> Objects -> Auth. Method" was still set to "local", so the USG just checked its local user database and never contacted the AD! In my config there is just the object "default", which had to be edited and the "Method list" changed to "group ad". Testing under V4.25 went fine, so I switched back to the V4.31 firmware and latest startup-config, checked the "Auth. Method", and it was also at "local".
After selecting "group ad" I got no more errors and was able to connect to the LAN. @Solutio: if you are still in need of a solution, check this setting; it hides itself well, at least from my eyes.
There can be more than one Auth. Method, so maybe you had an extra one for L2TP.
But SSL VPN seems to use "Configuration -> System -> Auth. Server", and there the standard general setting for "Auth. Method" is "default". I found that connection by way of the very useful "Object References" function; it also helps with finding dependency errors when one tries to delete an object still in use… Greetz
Ferro
Zyxel_Charlie said:
@Solutio
You need to confirm the information below:
1. Select "ext-group-user" as your user type, and make sure the details of "CN,OU,DC" match your AD server.
2. Go to AAA server > Active Directory and fill in the information so the USG can communicate with your AD server. You can also test your account in the "Configuration Validation" field.
3. Select the user profile you created for SSL VPN.
Here is an example from the FAQ for your reference.
https://businessforum.zyxel.com/discussion/1011/how-to-configure-usg-series-to-authenticate-ssl-vpn-client-with-microsoft-active-directory/p1?new=1
May I know which server you are using?
Charlie
I can't get my group identifier to work for the "ext-group-user".
Does this have to match the AAA server setting?
I am using this format:
Bind DN: cn=administrator,cn=users,dc=cso,dc=net
But I keep getting the error: "user does not belong to this group".
I notice in your example you have CN=SSL_VPN_Access.
Is this a user you created in AD?
@kboroumand
You need to create the group and the account in AD first.
For the configuration of the ext-group-user, you can follow the example below.
On the AD server, you also need to create the group.
The configuration of the Bind DN in the AAA server setting:
CN=Administrator (the account that logs in to the AD server),CN=Users,DC=usg,DC=com
Charlie
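The two things the thread keeps circling back to are that the DN strings typed into the USG (the Bind DN in the AAA server object, and the group DN in the ext-group-user object) must match what the AD actually holds, and that "user does not belong to this group" is what you get when the group DN's container path is wrong even though the group name is right. The script below is an added example, not code from the thread or from Zyxel: it checks a configured group DN against a user's memberOf values the way ldapsearch would return them, compares DNs the way AD does (case-insensitive, whitespace-insensitive), reports groups with the same CN in a different container, and flags the common "OU=Users" slip (the built-in container is CN=Users). The LDIF is constructed; the domain dc=cso,dc=net and the group name SSL_VPN_Access are taken from the posts above, the user "Jane Doe"/jdoe and the OU names are assumptions. Nothing here talks to a real DC.

```python
import re

# Constructed sample: one user entry as ldapsearch would print it for the
# domain in the thread's Bind DN (cn=administrator,cn=users,dc=cso,dc=net).
# The user, its OU and the Groups OU are assumptions for this example.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Staff,DC=cso,DC=net
sAMAccountName: jdoe
memberOf: CN=SSL_VPN_Access,OU=Groups,DC=cso,DC=net
memberOf: CN=Domain Users,CN=Users,DC=cso,DC=net
"""


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, honouring backslash-escaped
    commas inside values (e.g. CN=Doe\\, Jane)."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(),
                     value.strip().replace("\\,", ",").lower()))
    return rdns


def normalize_dn(dn):
    """Canonical form for comparison: AD treats attribute names and values
    case-insensitively, and whitespace around commas is insignificant."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn))


def parse_ldif(text):
    """Minimal LDIF reader for one entry: {attribute: [values]}, unfolding
    continuation lines (leading space) and keeping repeated attributes such
    as memberOf as a list. Base64 ("::") values are not handled."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def user_in_group(ldif_text, group_dn):
    """True if the entry's memberOf contains group_dn (compared canonically)."""
    wanted = normalize_dn(group_dn)
    return any(normalize_dn(g) == wanted
               for g in parse_ldif(ldif_text).get("memberOf", []))


def close_matches(ldif_text, group_dn):
    """Groups the user IS in whose leaf CN equals the configured one but whose
    container path differs: the usual reason for 'user does not belong to this
    group' when the OU/CN path typed on the USG is wrong."""
    wanted_rdn = parse_dn(group_dn)[0]
    return [g for g in parse_ldif(ldif_text).get("memberOf", [])
            if parse_dn(g)[0] == wanted_rdn
            and normalize_dn(g) != normalize_dn(group_dn)]


def lint_dn(dn):
    """Warnings for the DN mistakes most often seen in USG AD settings."""
    warnings = []
    rdns = parse_dn(dn)
    if ("ou", "users") in rdns:
        warnings.append("the built-in Users container is CN=Users, not OU=Users")
    if not rdns or rdns[-1][0] != "dc":
        warnings.append("DN should end in the domain's DC components, e.g. DC=cso,DC=net")
    if any(not v for _, v in rdns):
        warnings.append("empty RDN value (stray comma?)")
    return warnings


if __name__ == "__main__":
    configured = "CN=SSL_VPN_Access,CN=Users,DC=cso,DC=net"   # wrong container path
    print("member of configured group:", user_in_group(SAMPLE_LDIF, configured))
    print("same group name elsewhere:", close_matches(SAMPLE_LDIF, configured))
    print("bind DN warnings:", lint_dn("cn=administrator,ou=users,dc=cso,dc=net"))
```

To use it against a real directory, export the user entry with ldapsearch (bound as the same account you put in the USG's Bind DN, requesting the memberOf attribute) and feed that output in place of SAMPLE_LDIF; if user_in_group is False but close_matches is non-empty, the group exists and the user is in it, and it is the container path on the USG that needs correcting.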