• February 23, 2025, 05:11:57 AM
  • Welcome, Guest
Please login or register.

Login with username, password and session length
Advanced search  

News:

This Forum Beta is ONLY for registered owners of D-Link products in the USA for which we have created boards at this time.

Author Topic: VPN with External Users Database  (Read 6267 times)

lingnau

  • Level 2 Member
  • **
  • Posts: 53
    • www.lingnau.com.br
VPN with External Users Database
« on: December 27, 2012, 10:21:00 AM »
This isn't actually a "question" topic, I just wanted to share my experience using a DFL firewall to setup a VPN with Active Directory (LDAP) integration.

I've tried for hours to configure the native LDAP integration to look up active directory users with no success. I've searched across the internet and forums and didn't find anyone who accomplished that.

After that disappointing experience with AD integration I enabled the NPS (Network Policy Server) role on our domain controller and setup the DFL as a RADIUS client. That was a breeze to setup and configure and simply worked. If anyone is interested, here are some screenshots. It's a pretty simple setup.

PPP Server:


External User Database:


User Autentication Rules:


RADIUS Servers:


Access Rules:


NPS Configuration:


NPS Rules:
Logged

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: VPN with External Users Database
« Reply #1 on: December 28, 2012, 10:32:53 AM »
Recently we had tested HTTP MAC authorization with LDAP connection to MS Windows Server 2008 R2 - it's working good. But, your configuration with RADIUS is also possible.
Logged
BR, Alexandr Danilov

lingnau

  • Level 2 Member
  • **
  • Posts: 53
    • www.lingnau.com.br
Re: VPN with External Users Database
« Reply #2 on: January 02, 2013, 09:06:09 AM »
Quote from: danilovav on December 28, 2012, 10:32:53 AM
Recently we had tested HTTP MAC authorization with LDAP connection to MS Windows Server 2008 R2 - it's working good. But, your configuration with RADIUS is also possible.

Danilo, can you post the necessary configuration to achieve that? (Or the document if it already exists in official documentation)
Logged

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: VPN with External Users Database
« Reply #3 on: January 06, 2013, 12:59:23 PM »
Something like below
We've blocked internet for necessary MAC addresses instead of allowing
In AD, MAC user should has group membership mac_auth_group

Code: [Select]
add IP4Address mac_authorized Address=0.0.0.0/0 UserAuthGroups=mac_auth_group -silent -force
add LDAPDatabase MyLDAP IP=domain.controller.ip.address NameAttr=SAMAccountName DomainName=SRSC BaseObject="OU=DFL macs,OU=Users,DC=RS,DC=RU" UserName=username Password=password Type=1 -silent -force
add UserAuthRule Name=mac_auth AuthSource=LDAP Interface=any OriginatorIP=all-nets LDAPServers=MyLDAP LoginType=MACAuth MACAuthSecret=defaultpassword AccountingServers="" LogSeverity=Debug -silent -force
add IPRule Name=mac_auth_test Action=Drop SourceInterface=lan2 DestinationInterface=any SourceNetwork=mac_authorized DestinationNetwork=all-nets Service=http-all LogSeverity=Debug -silent -force
Logged
BR, Alexandr Danilov