D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: lingnau on December 27, 2012, 10:21:00 AM
-
This isn't actually a "question" topic, I just wanted to share my experience using a DFL firewall to set up a VPN with Active Directory (LDAP) integration.
I've tried for hours to configure the native LDAP integration to look up active directory users with no success. I've searched across the internet and forums and didn't find anyone who accomplished that.
After that disappointing experience with AD integration I enabled the NPS (Network Policy Server) role on our domain controller and set up the DFL as a RADIUS client. That was a breeze to set up and configure and simply worked. If anyone is interested, here are some screenshots. It's a pretty simple setup.
PPP Server:
(https://lh5.googleusercontent.com/-RRG8FlrFxY4/UNyQOAj0SiI/AAAAAAAABbs/cXChQqMbgAk/s906/VPN_PPTP_Server.png)
External User Database:
(https://lh3.googleusercontent.com/-PndhjPGozFs/UNyQNuJgJcI/AAAAAAAABbk/gfw3meSm41U/s912/VPN_ExternalDatabase.png)
User Authentication Rules:
(https://lh3.googleusercontent.com/--Z9-s951zyE/UNyQOWvBX3I/AAAAAAAABb4/C9aWwaI7QZM/s912/VPN_UserAutRules.png)
RADIUS Servers:
(https://lh6.googleusercontent.com/-uDFfdwBqWQA/UNyQOVGI1KI/AAAAAAAABb8/RXxd95XoQRM/s912/VPN_UserAutRules2.png)
Access Rules:
(https://lh4.googleusercontent.com/-S8PJrz56tHA/UNyQOQz2khI/AAAAAAAABb0/TRnsAv61y6Q/s912/VPN_Ruleset.png)
NPS Configuration:
(https://lh4.googleusercontent.com/-61QNl65pzmA/UNyQNr-J4LI/AAAAAAAABbo/Lj6PRt1Eaac/s797/VPN_NPS1.png)
NPS Rules:
(https://lh4.googleusercontent.com/-VMDQd9PhDcU/UNyQNs25tqI/AAAAAAAABbg/91UPdyopxsw/s720/VPN_NPS2.png)
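For anyone who wants to check the DFL-to-NPS RADIUS path from a workstation before touching the VPN client, the script below is an added example (not code from the original post, D-Link or Microsoft): it builds a RADIUS Access-Request as specified in RFC 2865, hides the User-Password with the shared secret the way the RFC requires, and verifies the Response Authenticator on the reply so that a wrong shared secret or a forged answer is caught instead of being taken as a successful login. The NPS host, shared secret, user name and NAS address are placeholders read from environment variables; the probe uses PAP, so NPS only answers Access-Accept if the matching network policy permits PAP for that test account.

```python
"""
Minimal RADIUS (RFC 2865) Access-Request builder and reply verifier.
Added example for checking a RADIUS client -> NPS path; not D-Link or
Microsoft code. Host, secret and user below are placeholders (env vars).
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes (at least one block) and
    XOR each block with MD5(secret + previous block); the first 'previous block'
    is the Request Authenticator. This only obscures the password, so the
    strength of the shared secret is what protects it on the wire."""
    size = max(1, -(-len(password) // 16)) * 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password (trailing NUL padding is stripped)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the 2 header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, user, password, secret, nas_ip="10.0.0.1", authenticator=None):
    """Return (packet, request_authenticator). nas_ip is a placeholder NAS address."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, user.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_reply(code, ident, request_authenticator, secret, attrs=b""):
    """What a server sends back: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_reply(reply: bytes, request_authenticator: bytes, secret: bytes):
    """Return the reply Code if the Response Authenticator is valid, else None.
    None means the shared secrets differ or the reply was not produced by the server."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return None
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return None
    return reply[0]


def send_request(host, secret, user, password, port=1812, timeout=3.0):
    """Send one PAP Access-Request over UDP and return the verified reply Code."""
    ident = os.urandom(1)[0]
    packet, authenticator = build_access_request(ident, user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        reply, _ = sock.recvfrom(4096)
    if len(reply) > 1 and reply[1] != ident:
        return None  # reply to some other request, treat as invalid
    return verify_reply(reply, authenticator, secret)


if __name__ == "__main__":
    host = os.environ.get("RADIUS_HOST")  # placeholder: NPS address
    if host:
        code = send_request(host, os.environ.get("RADIUS_SECRET", "").encode(),
                            os.environ.get("RADIUS_USER", "testuser"),
                            os.environ.get("RADIUS_PASSWORD", ""))
        print({ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, "invalid or unverifiable reply"))
```

A reply that fails `verify_reply` is the symptom to look for when the DFL and NPS disagree on the shared secret: NPS logs the request as a bad authenticator and the firewall sees a timeout rather than a clean reject. Because PAP only obscures the password with MD5 of the secret, keep the RADIUS traffic on a management network and use a long, random shared secret.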
-
Recently we tested HTTP MAC authorization with an LDAP connection to MS Windows Server 2008 R2 - it's working well. But your configuration with RADIUS is also possible.
-
Danilo, can you post the necessary configuration to achieve that? (Or the document if it already exists in official documentation)
-
Something like the below.
We've blocked internet access for the necessary MAC addresses instead of allowing it.
In AD, the MAC user should have membership in the group mac_auth_group.
add IP4Address mac_authorized Address=0.0.0.0/0 UserAuthGroups=mac_auth_group -silent -force
add LDAPDatabase MyLDAP IP=domain.controller.ip.address NameAttr=SAMAccountName DomainName=SRSC BaseObject="OU=DFL macs,OU=Users,DC=RS,DC=RU" UserName=username Password=password Type=1 -silent -force
add UserAuthRule Name=mac_auth AuthSource=LDAP Interface=any OriginatorIP=all-nets LDAPServers=MyLDAP LoginType=MACAuth MACAuthSecret=defaultpassword AccountingServers="" LogSeverity=Debug -silent -force
add IPRule Name=mac_auth_test Action=Drop SourceInterface=lan2 DestinationInterface=any SourceNetwork=mac_authorized DestinationNetwork=all-nets Service=http-all LogSeverity=Debug -silent -force