We have a SonicWall TZ500 device and I want staff members to be able to log in to the SSL VPN with their Windows Active Directory username and password.
Would I use LDAP for this or RADIUS, or Both?
I can see the guides on how to configure these services but not much info on why.
Best Answer
preston
Hi @Tularis
SonicWall has an issue with Local User Caching; this doesn't happen with User Groups. Change the Referrals settings to the below and try again, or just import the User Groups. You don't need to use LDAP mirroring; that is mainly used for multiple domains, to distinguish between the same username being in both domains.
Just add the LDAP group used for SSL VPN into the SSLVPN Services group. When you add a user into the group in AD, the SonicWall will check the AD group to see if that user is a member of it when the user tries to log in.
If you use Local Users for all the groups' users, then it can get complicated and create more work for yourself.
The only time the users need to appear in Local Users is if you are using the built-in one-time passwords, but they will be added automatically after the user's first login; the only reason they are added is because the TOTP bind is added to that user.
Also, forgot to mention: the only time you would set it up using RADIUS is if you are using a third-party authentication server for OTP, like Vasco, SafeNet, etc.
Hi @Tularis
This can be accomplished either way, but I believe LDAP is easier to set up because you don't need a RADIUS server in addition.
Hi @Tularis ,
Please follow the KB below for integrating LDAP/Active Directory with a SonicWall UTM appliance.
For LDAP authentication for SSL VPN:
IMO, the simplest method is to use LDAP for user authentication. The KB article below talks about the configuration required for LDAP authentication for SSLVPN users.
Hope this helps.
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Thanks. With LDAP, most of the articles talk about importing the AD users into the SonicWall device.
Do I have to manually update this list of users if I change a password or add a new user in AD?
Hi @Tularis,
You could also try to import the user group meant for SSLVPN users from AD onto the SonicWall. It would be difficult when it comes to adding a new user account on AD, as the same won't take effect on the firewall unless and until we manually import the user, or delete the same user group from the firewall and import it again.
For this reason, you could use the LDAP Mirroring option with user groups. This means that when adding or modifying a user in the user group on AD, the same automatically takes effect on the SonicWall appliance too.
For your case, SSLVPN authentication based on User Group and the LDAP Mirroring option best suits.
Hope this helps.
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Thanks! So I've set up LDAP Bind and have imported a user and group.
Something interesting I found out: if I change the user account password in AD, I can still log in with the old password and the new password.
If I disable the account I cannot log in at all (as it should be).
Thank you all for your help!
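As an added example (not from this thread, SonicWall or any KB article), this is the LDAPv3 simple bind that "LDAP authentication" against AD performs, written in standard-library Python so an administrator can check directly against a domain controller whether an old password is still accepted after a change, separating the directory's answer from the firewall's local user cache described in the best answer. The host, DN and password are placeholders to be supplied by the caller; `bind_response` is only there to build constructed server replies for offline testing.

```python
import socket
import ssl

def ber_len(n: int) -> bytes:
    # BER definite length: one byte below 128, else 0x80|count then the length bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def read_tlv(buf: bytes, pos: int) -> tuple:
    # Returns (tag, value, position after the element); handles long-form lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    # LDAPv3 simple BindRequest: what a client sends AD to verify a password (message_id < 128)
    body = (tlv(0x02, bytes([3]))             # version INTEGER 3
            + tlv(0x04, bind_dn.encode())     # name: DN or userPrincipalName
            + tlv(0x80, password.encode()))   # authentication: simple [0]
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x60, body))

def bind_response(message_id: int, result_code: int, diag: str = "") -> bytes:
    body = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x61, body))

def parse_bind_response(data: bytes) -> tuple:
    # Returns (resultCode, diagnosticMessage); resultCode 0 is success, 49 invalidCredentials
    _, msg, _ = read_tlv(data, 0)
    _, _msg_id, pos = read_tlv(msg, 0)
    tag, resp, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(resp, 0)           # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(resp, pos)  # matchedDN
    _, diag, _ = read_tlv(resp, pos)           # diagnosticMessage
    return code[0], diag.decode("utf-8", "replace")

def password_accepted(host: str, bind_dn: str, password: str, port: int = 636) -> bool:
    # Simple bind over LDAPS (plaintext 389 would expose the password); True only on resultCode 0
    with ssl.create_default_context().wrap_socket(socket.create_connection((host, port), timeout=5), server_hostname=host) as s:
        s.sendall(bind_request(1, bind_dn, password))
        code, _ = parse_bind_response(s.recv(4096))
    return code == 0
```

Calling `password_accepted` with the old and the new password right after a change shows whether the domain controller itself still accepts the old one; if it does not, the behaviour seen on the VPN login comes from the firewall side.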