Article sections
Les routeurs Vigor supportent l’authentification de client d’accès distants PPTP et SSL depuis une base de données locale ou externe incluant RADIUS, LDAP/ AD et TACACS+. Ce document explique la configuration utilisant un serveur LDAP/ AD externe pour une authentification VPN.
1. Go to Applications >> Active Directory /LDAP. Check Enable and choose a Bind Type. There are three types available:Simple Mode – It is usually the option when users are all in the same folder/ level in the AD/LDAP server. The router does only the bind authentication but no searching.
Anonymous Mode – Perform a searching action first with Anonymous account, and then do the bind authentication. It is rarely used. In fact, Windows AD server refuses to authenticate Anonymous account by default.
Regular Mode – It is usually the option when users are in different sub-folders. Mostly it is the same with Anonymous Mode, but the server will first check if you have the search authority with Regular DN and
Regular Password authentication. In this mode, the router will send Bind Request with this Regular DN and Regular Password to LDAP/AD server, once it passed the authentication, the router will do searching then LDAP server will find the exact user’s DN in different sub-folders.
In this example, we will use Regular Mode. Suppose Draytek LDAP server has OU People and OU RD1, RD2, RD3 under OU People, and the Users under OU RD1, RD2, RD3 are allowed for VPN Access.
2. Enter the IP address of LDAP/AD server at Server Address, and input Regular DN and Regular Password. Click OK then Vigor will request a system restart
Note: If the LDAP server you have is Windows AD server, always use cn= for the start of Regular DN.
3. Create LDAP server profiles. Go to the Active Directory /LDAP tab click an index number to edit the profile.
4. Enter a Name for the profile. And once the server has authenticated Regular DN/ Password that the router use, we can use the Search icon to input the Base Distinguished Name quickly. In this example, we want to allow users under OU RD1, RD2, and RD3 to access VPN, so we select the OU people that contains OU RD1, RD2, and RD3, for Base Distinguished Name. Then click OK.
5. (Optional) Group DN for additional filtering. If both Base DN and Group DN are specified, only the users available in both path can pass the authentication.
6. Configure the router to authenticate Host-to-LAN VPN with the external server: Go to VPN and Remote Access >> PPP General Setup, at PPP Authentication Methods, enable AD/LDAP and the profile created in the previous steps.
With the above configuration, remote VPN clients will be able to establish VPN with the user accounts in LDAP server.
Note:
- There are 4 PPP Authentication Methods: Remote Dial-In User (the local database), RADIUS, AD/ LDAP, TACACS+. When all of them are enabled the router will first check the local database, if it does not match any, it will forward the authentication information to the RADIUS server. Then the LDAP/ AD server if authentication on RADIUS server fails as well.
- When using LDAP server for authentication, as a limitation of LDAP authentication, we must choose PAP as security protocol in the dialing-in via Smart VPN Client, which will cause PPTP VPN established without encryption; therefore, it is suggested to use RADIUS authentication for higher security.
Troubleshooting
When using Windows AD server for authentication, we may test the bind account « vpn-user » by running ldp.exe. to connect to a Domain Controller of the Windows AD server then perform a Simple Bind on the AD server. If Simple Bind on the AD server works but VPN still cannot pass the AD authentication, please contact our us via support@draytek.om and provide the information below.
- wireshark packets on the LDAP/AD server
- screenshots of the User account on the AD/ LDAP server
- screenshots of the LDAP/ AD configurations on the router
- Remote management info of the router
- An account/ password on the LDAP/ AD server for testing