AAA Server - AD user type

Datamail · May 3

HI, I have a question about an AD Server connection.

In the AAA Server, should the AD user be an administrator member or just a user?

Thank you !

zyman2008 · May 8

https://community.zyxel.com/en/discussion/comment/65407#Comment_65407

Yes, that's my understanding
My setup on USG FLEX 50 (firmware version 5.38) is using a domain users account on Domain Authentication for MSChap.

By default, AD domain users member has privilege to add computer into the AD(Join Domain).

My IKEv2 VPN with EAP-CHAPv2 authentication works without issue.

Zyxel_Jeff · May 6

Hi @Datamail

Thank you for your inquiry. The Active Directory (AD) user cannot be a member of the administrator group. From the firewall's perspective, the AD user is considered an external user. Thanks.

Datamail · May 6

https://community.zyxel.com/en/discussion/comment/65294#Comment_65294

Hi, thank you. I know that the AD user is considered as an external user. My question was, does this AD user must be an admin member of the Active Directory ? Or just a basic member.

In term of security, I don't want to enter this kind of user in the Zyxel firewall…

Thank you

Zyxel_Jeff · May 7

Hi @Datamai

Thank you for your clarification. Currently, the AD user cannot log in to the firewall to edit any settings. Don't worry about it. Thanks.

Datamail · May 7

https://community.zyxel.com/en/discussion/comment/65341#Comment_65341

My fear isn't that the AD user can or cannot log into the Zyxel, but I don't want that a vulnerability on the Zyxel could expose an AD user with privilege. All the AD informations and user password are entered on the Zyxel. Thanks

zyman2008 · May 7

Hi @Datamail ,

No administrator privileges required.

A user with read privilege for AD is enough.

By default, the domain users has the AD read privilege.

https://community.zyxel.com/en/discussion/22533/aaa-server-ad-user-type

Datamail · May 8

https://community.zyxel.com/en/discussion/comment/65359#Comment_65359

Hi, are you sure about it ? I noticed that I need an AD administrator for Domain Authentication for MSChap. If I enter a standard user, the vpn authentification fail.

Thank you

zyman2008 · May 8

Hi @Datamail,

https://community.zyxel.com/en/discussion/comment/65407#Comment_65407

Yes, that's my understanding
My setup on USG FLEX 50 (firmware version 5.38) is using a domain users account on Domain Authentication for MSChap.

By default, AD domain users member has privilege to add computer into the AD(Join Domain).

My IKEv2 VPN with EAP-CHAPv2 authentication works without issue.

AAA Server - AD user type

Accepted Solution

All Replies

Categories

Security Highlight

Security Help Center