USG100 L2TP/IPSec not authenticating with Active Directory

Followed a lot of the guides/posts here to get the L2TP/IPsec up and running. It works fine with users I create on the gateway. Now that I'm trying to implement the Active Directory authentication, I'm not having any luck. I used the Zyxel SSL VPN AD Guide; from my understanding the only difference is the Ext-Group-User won't work with L2TP/IPsec.
Changing the known working L2TP/IPsec config to this:
VPN > L2TP VPN --> Auth. Method: AD-VPN, Allowed User: ad-Users
Object > AAA Server --> LVADWIN01 (server on 192.168.25.) configured, tests properly at the bottom (can retrieve user)
Object > Auth. Method --> AD-VPN, group LVADWIN01
VPN users pull from a 192.168.250.0 pool; the AD server is on 192.168.25.0.
The logs show phase 1 completing, and tunnel built successfully right before a disconnect, tunnel deletion. User hangs at "Verifying username and password .." - error 619.
Firmware is 3.00(AQQ.4)
Thoughts?
Brano, MVM, 2013-Jun-21 10:39 pm:
I have not played with AD but for what it's worth I've successfully configured and authenticated IPSec VPN users against external LDAP.
asgatlat, to kael29lv:
I've also a USG 100 with your firmware, and I can use L2TP/IPSec VPN with AD auth. Strange.
Yeah, I saw your post from before (iirc) where the firmware fixed it.
The fact it tests fine makes me wonder what's going on. It's killing the connection before a user is passed, from what I can tell, as no user shows up in the log file. What I might do is configure it back to the way it was (using xauth users), copy the log, and then reconfigure. Compare logs. I don't see an access block for the firewall.
It's a bugger.
kael29lv:
Here's some logs. Checking the Windows 7 log file for the VPN client, it gives a RAS error of 829, which points here: » technet.microsoft.com/en ··· 10).aspx (829: Link Failure). This corresponds to what I'm seeing in the logs, as it doesn't appear to be passing the password/username to the AD server, it just *dies*. The difference between the two is the successful one gets a "L2TP Over ... User has been granted access". Logs attached, one with VPN working (Xauth) - bottom image - and one with VPN not working (AD Auth) - this is the top image.
Q. Does the AD server have to reside on the same subnet or require certain FW ports? I don't see any access blocks from the firewall on connection. If the AAA server test didn't work, I'd think it was the server. But it can pull information fine.
Q. Does "extended authentication" need to be checked in the IPSec settings?
*As a note, the Access blocks in the log are from an ISP MAC broadcast. Ok to ignore.
kael29lv, to asgatlat:
said by asgatlat: i've also an USG 100 with your firmware, and i can use L2TP/IPSec VPN with AD auth. strange
Out of curiosity, what OS/client were you using? I've tested with the Win7/Win8 built-ins.
said by kael29lv: Out of curiosity, what OS/client were you using? I've tested with the Win7/Win8 built in's.
I use the built-in VPN connection of Windows 7 Pro and XP Pro SP3, and the AD server is under Windows Server 2008 R2.
Good to know. The SSL works as well with AD authentication. For whatever reason, the IPsec/L2TP dies after it builds out the tunnel - never passes the authentication on. Just disconnects. I even tested with LDAP, did the same thing.
Zyxel support was no help.
It's a weird one. And short of blowing it all out and starting again, I don't think I'll solve it since all the logs simply show a disconnect on both client/gateway.
Brano, MVM, 2013-Jun-25 9:38 pm:
kael29lv:
Thanks for that write up. I assume using LDAP lets us get around the Zyxel limitation of not allowing an AD security group for L2TP? I remember reading that was a "design" choice (ie: buy SSL licenses).
I tried your settings to a tee, once again, it tests fine from within the Zyxel admin, but the tunnel dies on connection. No username/pass is ever mentioned in the logs.
I'm going to backup and blow it out tonight to see if a fresh start can resolve it. I had problems with my initial VPN configuration that got resolved because of that (some obscure setting got changed or something along the way).
Brano, MVM, 2013-Jun-26 9:15 pm:
said by kael29lv: I assume using LDAP lets us get around the Zyxel limitation of not allowing an AD security group for L2TP? I remember reading that was a "design" choice (ie: buy SSL licenses).
I have no idea what you mean by this? The AD AAA backend is the same as LDAP plus some MS CHAP authentication. Instead of uid as in my example it's checking sAMAccountName, and instead of businessCategory it's checking memberOf. If you don't use the MS CHAP authentication then the AD and LDAP AAAs are the same.
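The attribute mapping Brano describes, as an added illustration (not Zyxel's code and not from any poster): the AD backend looks the user up by sAMAccountName and checks memberOf, the LDAP backend uses uid and businessCategory, and the admin-page "test" only exercises the lookup half. Directory entries, DNs and the group value are constructed; the filter escaping is there because the VPN username is client-supplied input.

```python
from typing import Optional

# Attribute mapping as described in the thread: AD checks sAMAccountName and
# memberOf, plain LDAP checks uid and businessCategory.
BACKENDS = {
    "ad":   {"user_attr": "sAMAccountName", "group_attr": "memberOf"},
    "ldap": {"user_attr": "uid",            "group_attr": "businessCategory"},
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping. The VPN username comes from the client, so it must
    never be spliced into a search filter unescaped."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def user_filter(backend: str, username: str) -> str:
    """Search filter a gateway would send to locate the user entry."""
    return f"({BACKENDS[backend]['user_attr']}={escape_filter_value(username)})"

def find_user(directory: list, backend: str, username: str) -> Optional[dict]:
    """Simulates the search; this is all the admin-page 'test' proves."""
    attr = BACKENDS[backend]["user_attr"]
    for entry in directory:
        if entry.get(attr, "").lower() == username.lower():
            return entry
    return None

def in_group(entry: dict, backend: str, group: str) -> bool:
    """Group check on whichever attribute the backend uses."""
    values = entry.get(BACKENDS[backend]["group_attr"], [])
    if isinstance(values, str):
        values = [values]
    return any(v.lower() == group.lower() for v in values)

# Constructed sample entries (hypothetical DNs, not the thread's domain).
VPN_GROUP_DN = "CN=VPN-LV-Users,OU=Groups,DC=example,DC=test"
AD_DIR = [
    {"sAMAccountName": "alice", "memberOf": [VPN_GROUP_DN]},
    {"sAMAccountName": "bob", "memberOf": []},
]
LDAP_DIR = [
    {"uid": "alice", "businessCategory": "vpn"},
    {"uid": "bob", "businessCategory": "staff"},
]

def allowed(directory: list, backend: str, username: str, group: str) -> bool:
    """Lookup succeeded and the user is in the allowed group. A real login
    additionally verifies the credential (bind or MS-CHAP), which the
    gateway's AAA test does not do."""
    entry = find_user(directory, backend, username)
    return entry is not None and in_group(entry, backend, group)
```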
Zyxel, at one point, blocked the use of Active Directory security groups on L2TP if using "Authenticate over AD". If you used the ext-group-user with an IPSEC/L2TP, it wouldn't authenticate. This was by design (ie: they want you to buy SSL licenses from them).
If ext-group-user works with LDAP, then it would be a way around the limitation if it was still in place.
From what I've read, it's still an (ill-advised) design decision.
I saw how you did yours and changed it to use my VPN-LV-Users security group (checks AD for users in this group). Worked fine in test, except the same ol' problem: when I actually connect to the thing, it drops. I have a theory I'm going to explore tonight though.
I really don't understand what you said; I saw no limitation from Zyxel for the AD connection. It works like a charm for me. Are you sure you correctly set your DC and CN command? Did your IPSEC/L2TP VPN connection work with a local user created on the USG?
Brano, MVM, to kael29lv:
I'm still quite confused about the L2TP vs. SSL VPN mixup???
AD authentication is obviously done via AD's LDAP connector (it's LDAP in short) so I can't really see how ZyXel could block anything. I honestly believe you have some other misconfiguration there.