kael29lv

join:2013-06-08

USG100 L2TP/IPSec not authenticating with Active Directory

Followed a lot of the guides/posts here to get the L2TP/IPsec up and running. It works fine with users I create on the gateway. Now that I'm trying to implement the Active Directory authentication, I'm not having any luck. I used the Zyxel SSL VPN AD Guide; from my understanding, the only difference is that Ext-Group-User won't work with L2TP/IPsec.

Changing the known working L2TP/IPsec config to this:

VPN > L2TP VPN --> Auth. Method: AD-VPN, Allowed User: ad-Users

Object > AAA Server --> LVADWIN01 (server on 192.168.25.) configured, tests properly at the bottom (can retrieve user)

Object > Auth. Method --> AD-VPN, group LVADWIN01

VPN users pull from a 192.168.250.0 pool
AD server is on 192.168.25.0

The logs show phase 1 completing, and tunnel built successfully right before a disconnect, tunnel deletion. User hangs at "Verifying username and password .." - error 619.

Firmware is 3.00(AQQ.4)

Thoughts?


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:14
I have not played with AD but for what it's worth I've successfully configured and authenticated IPSec VPN users against external LDAP.

asgatlat

join:2012-05-10
france
reply to kael29lv
I also have a USG 100 with your firmware, and I can use L2TP/IPSec VPN with AD auth.
Strange.

kael29lv

join:2013-06-08
Yeah, I saw your post from before (iirc) where the firmware fixed it.

The fact it tests fine makes me wonder what's going on. It's killing the connection before a user is passed, from what I can tell, as no user shows up in the log file. What I might do is configure it back to the way it was (using xauth users), copy the log, and then reconfigure. Compare logs. I don't see an access block for the firewall.

It's a bugger.

kael29lv

join:2013-06-08

reply to kael29lv
Here's some logs. Checking the Windows 7 log file for the VPN client, it gives a Ras error of 829 which points here: »technet.microsoft.com/en-us/libr ··· 10).aspx

829: Link Failure

This corresponds to what I'm seeing in the logs, as it doesn't appear to be passing the password/username to the AD server, it just *dies*. The difference between the two is the successful one gets a "L2TP Over ... User has been granted access".

Logs attached, one with VPN working (Xauth) - bottom image - and one with VPN not working (AD Auth) - this is the top image.

Q. Does the AD server have to reside on the same subnet or require certain FW ports? I don't see any access blocks from the firewall on connection. If the AAA server test didn't work, I'd think it was the server. But it can pull information fine.

Q. Does "extended authentication" need to be checked in the IPSec settings?

*As a note, the Access blocks in the log are from an ISP MAC broadcast. Ok to ignore.

kael29lv

join:2013-06-08
reply to asgatlat
said by asgatlat:

I also have a USG 100 with your firmware, and I can use L2TP/IPSec VPN with AD auth.
Strange.

Out of curiosity, what OS/client were you using? I've tested with the Win7/Win8 built-ins.

asgatlat

join:2012-05-10
france
said by kael29lv:

Out of curiosity, what OS/client were you using? I've tested with the Win7/Win8 built-ins.

I use the built-in VPN connection of Windows 7 Pro and XP Pro SP3, and the AD server is running Windows Server 2008 R2.

kael29lv

join:2013-06-08
Good to know. The SSL works as well with AD authentication. For whatever reason, the IPsec/L2TP dies after it builds out the tunnel - never passes the authentication on. Just disconnects. I even tested with LDAP, did the same thing.

Zyxel support was no help.

It's a weird one. And short of blowing it all out and starting again, I don't think I'll solve it since all the logs simply show a disconnect on both client/gateway.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:14
See some hints here »LDAP authentication for L2TP

kael29lv

join:2013-06-08
Thanks for that write up. I assume using LDAP lets us get around the Zyxel limitation of not allowing an AD security group for L2TP? I remember reading that was a "design" choice (ie: buy SSL licenses).

I tried your settings to a tee, once again, it tests fine from within the Zyxel admin, but the tunnel dies on connection. No username/pass is ever mentioned in the logs.

I'm going to backup and blow it out tonight to see if a fresh start can resolve it. I had problems with my initial VPN configuration that got resolved because of that (some obscure setting got changed or something along the way).


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:14
said by kael29lv:

I assume using LDAP lets us get around the Zyxel limitation of not allowing an AD security group for L2TP? I remember reading that was a "design" choice (ie: buy SSL licenses).

I have no idea what you mean by this?
The AD AAA backend is same as LDAP plus some MS CHAP authentication.
Instead of uid as in my example it's checking sAMAccountName and instead of businessCategory it's checking memberOf.
If you don't use the MS-CHAP authentication, then the AD and LDAP AAAs are the same.
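The attribute mapping Brano describes (sAMAccountName/memberOf for the AD backend versus uid/businessCategory for his LDAP example), as an added example that is not from the thread or from Zyxel: it builds the equality filter each backend would search with and evaluates it offline against a constructed directory. The DNs, the VPN-LV-Users group DN and the user entries are assumptions made up for the illustration.

```python
# Added example: the user+group lookup an LDAP-style AAA check performs, for the
# AD and generic-LDAP attribute mappings described in the thread. Everything
# below (entries, DNs, group names) is constructed for illustration.
from typing import Dict, List, Tuple

# Attribute mapping from the thread: AD checks sAMAccountName and memberOf,
# the plain LDAP example checks uid and businessCategory.
BACKENDS = {
    "ad":   {"user_attr": "sAMAccountName", "group_attr": "memberOf"},
    "ldap": {"user_attr": "uid",            "group_attr": "businessCategory"},
}

# Constructed group DN (assumption); the thread only names the group VPN-LV-Users.
VPN_GROUP_DN = "CN=VPN-LV-Users,OU=Groups,DC=example,DC=local"

# Constructed directory entries standing in for what the AAA search would return.
DIRECTORY: List[Dict[str, List[str]]] = [
    {"sAMAccountName": ["alice"], "uid": ["alice"],
     "memberOf": [VPN_GROUP_DN, "CN=Domain Users,CN=Users,DC=example,DC=local"],
     "businessCategory": ["vpn"]},
    {"sAMAccountName": ["bob"], "uid": ["bob"],
     "memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=local"],
     "businessCategory": []},
]

def build_filter(backend: str, username: str, group: str) -> str:
    """Return the AND filter a AAA profile would search with for this backend."""
    m = BACKENDS[backend]
    return f"(&({m['user_attr']}={username})({m['group_attr']}={group}))"

def parse_and_filter(flt: str) -> List[Tuple[str, str]]:
    """Split '(&(a=v)(b=v))' into [('a', 'v'), ('b', 'v')]; values may contain '='."""
    inner = flt[len("(&"):-1].strip("()")
    return [tuple(part.split("=", 1)) for part in inner.split(")(")]

def entry_matches(entry: Dict[str, List[str]], flt: str) -> bool:
    """True when every clause matches one of the entry's values (LDAP compares case-insensitively)."""
    return all(any(v.lower() == want.lower() for v in entry.get(attr, []))
               for attr, want in parse_and_filter(flt))

def allowed_user(directory: List[Dict[str, List[str]]], backend: str,
                 username: str, group: str) -> bool:
    """Would this username pass the backend's user-in-group check?"""
    flt = build_filter(backend, username, group)
    return any(entry_matches(e, flt) for e in directory)
```

The AAA server test in the thread ("can retrieve user") exercises this search step; the MS-CHAP password check Brano mentions for the live login is not modelled here.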

kael29lv

join:2013-06-08
Zyxel, at one point, blocked the use of Active Directory security groups on L2TP if using "Authenticate over AD". If you used the ext-group-user with an IPSEC/L2TP, it wouldn't authenticate. This was by design (ie: they want you to buy SSL licenses from them).

If ext-group-user works with LDAP, then it would be a way around the limitation if it was still in place.

From what I've read, it's still an (ill-advised) design decision.

I saw how you did yours and changed it to use my VPN-LV-Users security group (checks AD for users in this group). Worked fine in test, except the same ol' problem with when I actually connect to the thing, it drops. I have a theory I'm going to explore tonight though.

asgatlat

join:2012-05-10
france
I really don't understand what you said; I saw no limitation from Zyxel for the AD connection. It works like a charm for me.
Are you sure you correctly set your DC and CN command?
Did your IPSEC/L2TP VPN connection work with a local user created on the USG?


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:14
reply to kael29lv
I'm still quite confused about the L2TP vs. SSL VPN mixup???

AD authentication is obviously done via AD's LDAP connector (it's LDAP in short) so I can't really see how ZyXel could block anything. I honestly believe you have some other misconfiguration there.