USG 110 VPN access with domain users
Hi,
I am configuring L2TP VPN access with AD users.
Within the AAA Server configuration I have configured access to the domain, I do a test with the user "Alejandro" and it is OK.
I have configured an L2TP VPN connection and with a local user in the USG it works without problem.
I have created a global security group in my company's AD and I have added the domain user "Alejandro". Within the USG configuration I have created a user to the domain security group.
In the VPN connection settings I select that group for access. When connecting the VPN it gives an error.
I review the USG LOG and it indicates that the name or username is incorrect (and the username or password is correct)
Even though the connection user puts it with the domain name in front in the LOG, the same error occurs.
Where could the error be?
Thank you very much in advance for your help.
All Replies
-
Sorry that I do not know the exact answer here. If I had this issue, I would have looked for a way to get a Debug Log to verify the exact username and password received by the USG, to find out if it is receiving a different kind of user information than the intended username & password combination.
0 -
Hi,
I don't know what the problem is exactly either. Apparently everything is correct; even the username and password are correct in an RDP session. In the log of my USG it can be seen perfectly how the user arrives at the USG, but it does not validate it.
I don't know very well what to do anymore.
0 -
I have no personal experience in this setup or how the USG gets the AD information, so I can only suggest the simplest of things. Just as a last ditch effort, try to set a very simple password (e.g. pass1234) to avoid any incorrect communication of the password information to the USG.
Other than that, I can only hope for some feedback from the Zyxel team members.
0 -
This started happening with us over the holidays. Two sites that used to authenticate using AD now fail to do so.
As a temporary fix we have set up Nebula Authentication instead, but this seems to be an issue either on Microsoft's or Zyxel's side, not ours.
I suggest you create a support ticket, then share your findings here in the forum.
1 -
Thanks for your comments, but this way of authenticating through AD is new; before, I only used local authentication.
As I indicated above in my first post, in the USG tests the AD is correct, but when I test it with a PC it gives an incorrect username and password error (and they are correct).
I think my problem comes with the username I set in the VPN settings on the PC.
0 -
I have performed the following test: I have changed the default authentication method and added the "AD group" and I have tried logging into the USG itself with a domain user and it accesses without problem. Communication with the AD is correct.
But when connecting with the VPN it still indicates the wrong username and password. I understand that for some reason the domain controller is rejecting the login.
Can anybody help me?
1 -
Hello @alexpe
Could you provide a remote Web-GUI link for further inspection? We will send you a private message later; please check your inbox. Thanks
1 -
Is it possibly the same problem that is described here?
1