How to authenticate Host to LAN VPN with AD/LDAP server?
Vigor Router supports authenticating PPTP/SSL remote dial-in VPN connections against external RADIUS, LDAP/AD and TACACS+ servers, and these methods can be enabled at the same time. VPN users can therefore be authenticated from the local database or from external servers, as required. This note explains how to configure Vigor Router to use an external LDAP/AD server for VPN authentication.
1. Go to Applications >> Active Directory /LDAP to open the LDAP configuration page. Three bind modes are supported:
- Simple Mode – the router binds directly with the user's credentials and performs no search. It is typically used when all users sit in the same folder/level of the AD/LDAP tree.
- Anonymous Mode – the router first searches for the user's DN with an anonymous bind, then binds as the user. It is rarely usable in practice; a Windows AD server refuses anonymous searches by default.
- Regular Mode – the same as Anonymous Mode, except that the search is performed after binding with a dedicated account, so the server first checks whether that account has search rights. A Regular DN and Regular Password are required. It is the usual choice when users are spread across different sub-folders (OUs) of the AD/LDAP tree.
We will use Regular Mode as an example. Suppose the Draytek LDAP server has an OU named People, with OUs RD1, RD2 and RD3 under it, and that the users in OU RD1/RD2/RD3 should be allowed VPN access.
2. Enter the IP address of the LDAP/AD server, the Regular DN and the Regular Password. In Regular Mode, Vigor Router sends a Bind Request with the Regular DN and Regular Password; once the server accepts that bind, the router can search the directory and the server locates the user's exact DN, whichever sub-folder it sits in. Use a dedicated, least-privilege account for the Regular DN: it only needs read/search rights on the subtree that contains the VPN users.
Note: If the LDAP server is a Windows AD server, always start the Regular DN with "cn=", i.e. give the full distinguished name of the bind account.
3. Click OK; Vigor Router will then request a system restart.
4. Create an LDAP server profile: click the Active Directory /LDAP tab to open the profile page and click any index number link.
5. Enter a profile name. Once the server has accepted the Regular DN/Password that Vigor Router binds with in Regular Mode, the Search icon can be used to fill in the Base Distinguished Name or Group Distinguished Name quickly. In this example we want users under OU RD1/RD2/RD3 to be allowed to create VPN, so we select the parent OU, OU=people, which contains OU RD1/RD2/RD3, as the Base Distinguished Name, then click OK.
6. The Group DN is used when the administrator wants additional filtering. When both a Base DN and a Group DN are configured, the user account must be found under both; otherwise it fails authentication.
7. Click OK to save the settings.
8. Configure Vigor Router to authenticate Host to LAN VPN with the external server: go to VPN and Remote Access >> PPP General Setup, enable AD/LDAP and select the profile created in the previous steps.
- There are four PPP authentication methods: Remote Dial-In User (the local database), RADIUS, AD/LDAP and TACACS+. When all of them are enabled and a remote VPN client requests authentication, Vigor Router first checks whether the user matches one of its Remote Dial-In User profiles. If not, it forwards the credentials to the RADIUS server, and if RADIUS authentication fails, to the LDAP/AD server.
- With LDAP authentication the router must have the user's password in cleartext in order to bind to the directory, so PAP must be chosen as the authentication protocol when dialling in via Smart VPN Client; CHAP/MS-CHAP cannot be used. Since MPPE keys are derived from MS-CHAPv2, a PPTP VPN authenticated this way is established without encryption (an SSL VPN tunnel is still protected by TLS). Note also that a plain LDAP simple bind carries that password in cleartext between the router and the AD/LDAP server unless the connection is protected by TLS. For higher security, RADIUS authentication is therefore recommended.
9. After the above configuration, remote clients can establish VPN connections with the user accounts held on the LDAP server.
When a Windows AD server is used for authentication, the bind account (here "vpn-user") can be tested by running ldp.exe: connect to a domain controller of the AD domain and perform a Simple Bind with that account. If the Simple Bind succeeds but the VPN still fails AD authentication, please collect the information below and email it to [email protected] for analysis.
- A Wireshark capture taken on the LDAP/AD server
- Screenshots of the user account on the AD/LDAP server
- Screenshots of the LDAP/AD configuration on Vigor Router
- Remote management access details for Vigor Router
- A test account/password on the LDAP/AD server for remote testing (use a dedicated, temporary account rather than a real user's credentials)
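The Regular Mode exchange described in steps 1 to 9, and the Simple Bind test that ldp.exe performs in the troubleshooting paragraph above, can be reproduced from any host with the following Python script. It is an added example, not DrayTek's code or a description of the router firmware: it speaks LDAPv3 directly (BER over plain TCP, port 389, no TLS) so that the three steps are visible on the wire, namely bind as the Regular DN, search the Base DN subtree for the user, then bind as the DN that was found. The server name, DNs, the sAMAccountName attribute and all passwords are placeholders to replace; treating the Group DN as a group the user must be a member of (via memberOf) is an assumption about how the router applies it, not something the note states.

```python
"""Stdlib-only LDAPv3 client (BER over TCP) reproducing the router's Regular Mode check:
bind as the Regular DN, search the Base DN for the user, bind as the user's own DN.
Added example, not DrayTek code.  Host names, DNs and passwords are placeholders."""
import socket
import sys

def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + _length(len(content)) + content

def ber_int(v):
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def ber_str(s):
    return tlv(0x04, s.encode())

def bind_request(msg_id, dn, password):
    # BindRequest [APPLICATION 0]: version 3, name, simple [0] password.
    # The password is a raw OCTET STRING: without TLS it is readable in a capture.
    op = tlv(0x60, ber_int(3) + ber_str(dn) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(msg_id) + op)

def search_request(msg_id, base_dn, uid_attr, username, group_dn=None):
    # Filter (uid_attr=username); with a Group DN it becomes (&(uid_attr=username)(memberOf=group_dn)),
    # which is an assumption about how the router applies its Group DN.
    filt = tlv(0xA3, ber_str(uid_attr) + ber_str(username))                       # equalityMatch [3]
    if group_dn:
        filt = tlv(0xA0, filt + tlv(0xA3, ber_str("memberOf") + ber_str(group_dn)))  # and [0]
    op = tlv(0x63, ber_str(base_dn)
             + tlv(0x0A, b"\x02")          # scope wholeSubtree: reaches RD1/RD2/RD3 under People
             + tlv(0x0A, b"\x00")          # derefAliases neverDerefAliases
             + ber_int(0) + ber_int(10)    # sizeLimit 0 (none), timeLimit 10 s
             + tlv(0x01, b"\x00")          # typesOnly FALSE
             + filt
             + tlv(0x30, ber_str("1.1")))  # attributes "1.1": return no attributes, only the DN
    return tlv(0x30, ber_int(msg_id) + op)

def read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_message(buf):
    """LDAPMessage -> (messageID, protocolOp tag, protocolOp content)."""
    _, body, _ = read_tlv(buf)
    _, mid, pos = read_tlv(body)
    tag, content, _ = read_tlv(body, pos)
    return int.from_bytes(mid, "big", signed=True), tag, content

def parse_result(content):
    """LDAPResult -> (resultCode, diagnosticMessage); 0 = success, 49 = invalidCredentials."""
    _, code, pos = read_tlv(content)
    _, _matched_dn, pos = read_tlv(content, pos)
    _, diag, _ = read_tlv(content, pos)
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def recv_message(f):
    """Read exactly one BER-framed LDAPMessage from a binary file wrapper of the socket."""
    hdr = f.read(2)
    if len(hdr) < 2:
        raise ConnectionError("LDAP server closed the connection")
    ln = hdr[1]
    if ln & 0x80:
        extra = f.read(ln & 0x7F)
        hdr, ln = hdr + extra, int.from_bytes(extra, "big")
    return hdr + f.read(ln)

def regular_mode_authenticate(host, regular_dn, regular_pw, base_dn, username, password,
                              port=389, uid_attr="sAMAccountName", group_dn=None):
    """Return (accepted, detail), mirroring the three steps the router performs."""
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rb")
        s.sendall(bind_request(1, regular_dn, regular_pw))           # 1: bind as Regular DN
        _, tag, body = parse_message(recv_message(f))
        code, diag = parse_result(body)
        if tag != 0x61 or code != 0:
            return False, f"Regular DN bind failed: code {code} {diag}"
        s.sendall(search_request(2, base_dn, uid_attr, username, group_dn))  # 2: find user DN
        dns = []
        while True:
            _, tag, body = parse_message(recv_message(f))
            if tag == 0x64:                   # SearchResultEntry: objectName is its first field
                dns.append(read_tlv(body)[1].decode())
            elif tag == 0x65:                 # SearchResultDone (0x73 referrals are skipped)
                break
        if len(dns) != 1:
            return False, f"expected exactly one match under {base_dn}, found {len(dns)}"
        s.sendall(bind_request(3, dns[0], password))                  # 3: bind as the user
        _, _, body = parse_message(recv_message(f))
        code, diag = parse_result(body)
        return code == 0, f"bind as {dns[0]}: code {code} {diag or 'success'}"

if __name__ == "__main__":
    # usage: python ldap_regular_mode.py <server> <regular_dn> <regular_pw> <base_dn> <user> <pw>
    ok, detail = regular_mode_authenticate(*sys.argv[1:7])
    print("accepted" if ok else "rejected", "-", detail)
    sys.exit(0 if ok else 1)
```

Exit code 0 means the directory would accept the VPN user. A failure at step 1 points at the Regular DN/Password, zero or several matches at step 2 point at the Base DN (or the Group DN filter), and result code 49 at step 3 points at the user's password. Because the bind request carries the password as a plain OCTET STRING, a Wireshark capture of this traffic, like the one requested above, shows it in cleartext; run the script only against a test account.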