AD validated users - SSL VPN

Solutio
Solutio Posts: 3  Freshman Member
First Comment
edited April 2021 in Security
I've tried to get SSL VPN to work with AD validated users, but I keep getting "incorrect password" or "nonexistent username" when testing.
The AD group is correctly configured, we used to use the same group when using L2TP, but after Apple shut down VPN passthrough support in iOS 10, we need another way to get in.

Isn't it possible using AD validated SSL VPN?
It's on a Zywall 310, newest firmware.

All Replies

  • maurixone
    maurixone Posts: 7  Freshman Member
    First Anniversary First Comment
    Hello.
    I configured the Zywall 110 AAA server and checked the user.
    Then I created a user with the same name as the user in AD and chose "ext-user" as the user type.
    Then I created a group and added the user to the SSL group.
    When I connect with the client, the users are authenticated by the DC.



  • Solutio
    Solutio Posts: 3  Freshman Member
    First Comment
    It shouldn't be necessary to create users manually, it should be enough to just set up the AD connector.
    As I wrote, it worked perfectly for L2TP VPN, but it doesn't work with SSL VPN.
    I don't want to create and maintain 100 SSL VPN users when LDAP is possible.
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    @Solutio
    You need to confirm the information below:
    1. Select "ext-group-user" as your user type, and make sure the details of "CN,OU,DC" match your AD server.

    2. Go to AAA server > Active Directory and fill in the information so the USG can communicate with your AD server. You can also test your account in the "Configuration Validation" field.

    3. Select the user profile which you created for SSL VPN.

    Here is an example from the FAQ for your reference.
    https://businessforum.zyxel.com/discussion/1011/how-to-configure-usg-series-to-authenticate-ssl-vpn-client-with-microsoft-active-directory/p1?new=1

    May I know which server you are using?

    Charlie

  • Solutio
    Solutio Posts: 3  Freshman Member
    First Comment
    Hi Charlie, and thank you for your reply.
    I've been out of office - sorry for the delay.

    As mentioned, the group is correctly set up as above, and I can test users OK.

    It's the same group that was used to validate users with L2TP VPN, before iOS disabled VPN passthrough - it has always worked.


    The server is a Windows Server 2016.

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    @Solutio

    Regarding your request "SSL VPN working with Windows Server 2016 AD": this is not supported on the USG Series so far. We are still evaluating this enhancement.

    Charlie

  • Ferro50
    Ferro50 Posts: 3  Freshman Member
    First Anniversary Friend Collector First Comment
    Hello, today I encountered the same phenomenon with a USG20-VPN (V4.31) and a Windows Server 2016 Standard DC (1607 build 14393.2214), so I would also be delighted to hear about a solution to that "enhancement". Still, I may offer a small contribution to this topic, because in January, for another customer with the same model USG20-VPN except for the firmware V4.25, authentication against a Windows 2016 AD with SecuExtender 4.0.2.0 worked like a charm (then and today the domain function levels are Windows Server 2016). So maybe the faulty "enhancement" lies not so much with Windows 2016 but came with the ZLD upgrade to 4.3x…?
    I also tested the configuration with 4.30 today and got the same errors. So I'm looking forward to ZLD 4.31(ABAQ1) or even 4.32… until then we will keep V4.25 on our own USG110 to have a functioning SSL VPN.
    Or maybe I'll try V4.31 on the standby firmware slot – if I manage to find the time, I'll post the results. So long!
    Ferro

  • Ferro50
    Ferro50 Posts: 3  Freshman Member
    First Anniversary Friend Collector First Comment
    edited May 2018
    Hello again, and I have to apologize and take back what I wrote before: I found the error in my config! During testing with V4.25 on the standby firmware I stumbled over a setting that I wasn't sure I had changed under V4.31: "Configuration -> Objects -> Auth. Method" was still set to "local", so the USG just checked its local user database and never contacted the AD! In my config there is just the object "default", which had to be edited, and the "Method list" changed to "group ad":

    Testing under V4.25 went fine, so I switched back to the V4.31 firmware and latest startup-config, checked the "Auth. Method" and it was also at "local".
    After selecting "group ad" I got no errors anymore and was able to connect to the LAN. @Solutio: if you are still in need of a solution, check this setting - it hides itself well, at least from my eyes B)
    There can be more than one Auth. Method, so maybe you had an extra one for L2TP.
    But SSL-VPN seems to use "Configuration -> System -> Auth. Server", and there the standard general setting for "Auth. Method" is "default". I found that connection by way of the very useful function "Object References": it also helps with finding dependency errors when one tries to delete an object still in use… ;) Greetz
    Ferro
  • kboroumand
    Hi Charlie,
    I can't get my group identifier to work for the "ext-group-user".
    Does this have to match the AAA server setting?
    I am using this formula:
    Bind DN: cn=administrator,cn=users,dc=cso,dc=net
    But I keep getting the error: user does not belong to this group.
    I notice in your example you have CN=SSL_VPN_Access.
    Is this a user you created in AD?
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    @kboroumand
    You need to create the group and account on AD first.
    For configuration of the ext-group-user,
    you can follow the example below.

    On the AD server, you also need to create the group.

    The configuration of the Bind DN in the AAA server setting:
    CN=Administrator (the account which logs in to the AD server),CN=Users,DC=usg,DC=com

    Charlie
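    An added example (not Zyxel's code, and not from any participant in this thread) that models the check behind the "user does not belong to this group" error: the group identifier configured on the ext-group-user must match, component by component and ignoring case, a DN listed in the user's memberOf attribute. The domain components dc=cso,dc=net and the group CN=SSL_VPN_Access are taken from the thread; the user entries, the OU=Groups container and the user names are constructed.

```python
"""Offline model of an ext-group-user membership check against AD-style DNs.

Added example, not Zyxel firmware code. AD distinguished names are compared
case-insensitively and component by component, so "cn=users" equals "CN=Users"
but a group placed under OU=Groups will never match an identifier that says
CN=Users. The directory entries below are constructed sample data.
"""
import re

def parse_dn(dn):
    """Split a DN into normalized (attr, value) pairs.
    Simplified RFC 4514 handling: backslash-escaped commas are honoured,
    multi-valued RDNs and hex escapes are not decoded."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, sep, value = part.partition('=')
        if not sep:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().lower(),
                     value.strip().replace('\\,', ',').lower()))
    return rdns

def dn_equal(a, b):
    """True when two DN strings name the same object after normalization."""
    return parse_dn(a) == parse_dn(b)

def user_in_group(entry, group_dn):
    """True if any memberOf value of the entry names group_dn."""
    return any(dn_equal(m, group_dn) for m in entry.get('memberOf', []))

# Constructed entries standing in for what an LDAP search would return.
SAMPLE_USERS = {
    'alice': {'dn': 'CN=Alice,CN=Users,DC=cso,DC=net',
              'memberOf': ['CN=SSL_VPN_Access,OU=Groups,DC=cso,DC=net']},
    'bob':   {'dn': 'CN=Bob,CN=Users,DC=cso,DC=net',
              'memberOf': ['CN=Domain Users,CN=Users,DC=cso,DC=net']},
}

def check_group_identifier(username, group_dn):
    """Return the outcome a gateway would report for this user/group pair."""
    entry = SAMPLE_USERS.get(username)
    if entry is None:
        return 'user not found'
    if user_in_group(entry, group_dn):
        return 'ok'
    return 'user does not belong to this group'

if __name__ == '__main__':
    # Correct identifier vs. the common mistake of pointing at CN=Users.
    print(check_group_identifier('alice', 'cn=ssl_vpn_access,ou=groups,dc=cso,dc=net'))
    print(check_group_identifier('alice', 'CN=SSL_VPN_Access,CN=Users,DC=cso,DC=net'))
```

    The second call fails even though the group name is right, which is the mismatch the "make sure CN,OU,DC match" advice above is about.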

