
SonicWALL Firewall SSL VPN with RADIUS + FilterID 11 Group Mapping

Dear Team,

I have configured SSL VPN and RADIUS authentication for VPN access on a TZ500, and users can connect to the VPN via RADIUS. At this point we need to enable group-based VPN access controls for users. I tried a few ways but couldn't make it work. So I have enabled the Filter-ID (11) attribute on both the SonicWALL and the RADIUS server, and the RADIUS server even sends the Filter-ID 11 value (group name) back to the SonicWALL, but still no success.

Looking for immediate advice. Thanks in advance.


Thanks,

Ananth

Category: Entry Level Firewalls

Answers

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @Connex_Ananth

    finally a RADIUS-related question, makes me happy, I thought I'm one of the last dinosaurs using that protocol, usually on SMA, but I tested on my TZ for you.

    First, it's working as intended. Filter-ID gets recognized; you have to create the group first on the TZ and put this group into the SSLVPN Services group as a member. Under Manage -> System Setup -> Users -> Settings you have to select RADIUS or RADIUS + Local Users as your authentication method.

    In the RADIUS settings (CONFIGURE RADIUS) you have to check "Use RADIUS Filter-ID attribute" on the RADIUS Users tab. On the Test tab you can check password authentication, which returns the provided Filter-IDs.

    All your VPN access can be configured per group. Or even per Access Rule if you like.

    --Michael@BWC

  • Hi @BWC,

    Thanks for the prompt response.

    It didn't work as we expected; the SSLVPN client still shows "user doesn't belong to SSLVPN service group". I have created a local group named "Technical" and assigned it to the SSLVPN Services group, but still the user, for example ananth1, couldn't connect to SSLVPN.

    The RADIUS server sends the attribute value "Technical", the same as the local group mapping. RADIUS-side authentication is successful for user ananth1.

    Any idea? Bit urgent!

    Thanks, @Connex_Ananth

  • Ajishlal All-Knowing Sage ✭✭✭✭

    Hi @Connex_Ananth,

    Make sure to change the Default User Group for all RADIUS users to belong to "SSLVPN Services".

    If you added the user group (Technical) to the "SSLVPN Services" group, choose the same as in the screenshot below and try.

    Also check the SSL VPN --> Server Settings page, enable the "Use RADIUS in" checkbox and select the "MSCHAPv2 mode" radio button.

  • Hi @Ajishlal,

    Thanks for your response!

    If we select the default user group as SSLVPN Services, then all RADIUS users can connect with the global VPN routes (all subnets). We should have multiple groups like Technical & Sales so each group can have different routes and controls.

    Hope you understand what I am trying to achieve.

    Thanks, @Connex_Ananth

  • Ajishlal All-Knowing Sage ✭✭✭✭

    Hi @Connex_Ananth,

    For understanding, can you share the "RADIUS Users" configuration screenshot here?

  • Hi @Ajishlal

    FYI,

    User groups created locally, and SSLVPN Services has been added


    User Group Attribute sent by RADIUS

    "Technical"

    "Sales"


    Thanks @Connex_Ananth

  • BWC Cybersecurity Overlord ✭✭✭
    edited January 6

    Hi @Connex_Ananth

    just to be sure, you've put your Sales and Technical groups as members of the SSLVPN Services group? It seems to be the other way around, which is IMHO wrong.

    Another option might be to have a Filter-ID "SSLVPN Services" returned as a 2nd group; then your users will be able to use the SSLVPN service.

    --Michael@BWC

  • Ajishlal All-Knowing Sage ✭✭✭✭
    edited January 6

    Hi @Connex_Ananth,

    Let me reproduce your scenario in my lab and I will get back to you.

    Also, please let me know your RADIUS Users configuration.


  • Hi @BWC,

    Answering your question: I have tried both ways of SSLVPN assignment for both groups, Technical & Sales, but still the same.


    Hi @Ajishlal,

    Thanks for your support!

    FYI


  • preston Enthusiast ✭✭

    Hi @Connex_Ananth, you need to make sure that your user groups are added to the SSL VPN Services group and not the other way round, i.e. don't add the SSL VPN Services group into the individual Technical and Sales groups.

    Edit the SSL VPN Services group and add the Technical and Sales groups into it; this way the inheritance will work correctly and they should show that they are members of SSL VPN Services.

    If you have changed the Default RADIUS User Group to SSL VPN Services, change this back to none, as this limits the control and applies to all RADIUS groups, not just to the groups you want to use.
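Both BWC's first answer and preston's post above come down to two mechanics: the RADIUS server returns one or more Filter-Id attributes (RFC 2865 attribute type 11) in the Access-Accept, and the firewall's nested-group inheritance only works in one direction (Technical and Sales must be members of SSLVPN Services, not the reverse). The block below is an added example, not code from the thread, from SonicWall or from any RADIUS server: it builds a constructed Access-Accept packet, pulls the Filter-Id values out of it, and resolves group membership with a simple "member-of" model of the inheritance the thread describes. The `SSLVPN Services`, `Technical`, `Sales` and `All RADIUS Users` names are taken from the thread; the packet bytes and the membership model are assumptions made for the example, not SonicOS internals.

```python
"""
Added example: RADIUS Filter-Id (type 11) extraction plus a model of
nested group inheritance, to show why the nesting direction matters.

Assumptions (not from the thread or from SonicWall):
  - RFC 2865 layout: 4-byte header, 16-byte authenticator, then
    Type/Length/Value attributes; Filter-Id is type 11, Access-Accept code 2.
  - Inheritance model: a principal in group G is also in every group that
    lists G as a direct member (parents are inherited, children are not).
  - The packet below is constructed inline; the authenticator is zeroed
    because this example does not verify the shared-secret MAC.
"""
import struct

ACCESS_ACCEPT = 2   # RFC 2865 code
FILTER_ID = 11      # RFC 2865 attribute type for Filter-Id


def build_access_accept(identifier: int, filter_ids: list[str],
                        authenticator: bytes = bytes(16)) -> bytes:
    """Build a minimal Access-Accept carrying one Filter-Id per group name."""
    attrs = b"".join(
        struct.pack("!BB", FILTER_ID, 2 + len(v)) + v
        for v in (name.encode("utf-8") for name in filter_ids)
    )
    length = 20 + len(attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, length) + authenticator + attrs


def parse_attributes(packet: bytes) -> list[tuple[int, bytes]]:
    """Walk the TLV list after the 20-byte header, rejecting bad lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[off + 2:off + alen]))
        off += alen
    return attrs


def filter_id_groups(packet: bytes) -> list[str]:
    """Return every Filter-Id value, in order; a server may send several."""
    return [v.decode("utf-8", "replace")
            for t, v in parse_attributes(packet) if t == FILTER_ID]


def effective_groups(direct: set[str], members: dict[str, set[str]]) -> set[str]:
    """members[G] = direct members of G. Expand upward until stable."""
    result = set(direct)
    changed = True
    while changed:
        changed = False
        for parent, kids in members.items():
            if parent not in result and kids & result:
                result.add(parent)
                changed = True
    return result


def can_use_sslvpn(direct: set[str], members: dict[str, set[str]]) -> bool:
    """The firewall's check, as the thread describes it."""
    return "SSLVPN Services" in effective_groups(direct, members)


if __name__ == "__main__":
    pkt = build_access_accept(1, ["Technical"])
    groups = set(filter_id_groups(pkt))
    # Correct direction: Technical and Sales are members OF SSLVPN Services.
    right = {"SSLVPN Services": {"Technical", "Sales"}}
    # Wrong direction: SSLVPN Services added INTO Technical and Sales.
    wrong = {"Technical": {"SSLVPN Services"}, "Sales": {"SSLVPN Services"}}
    print("Filter-Id groups:", groups)
    print("nested correctly ->", can_use_sslvpn(groups, right))   # True
    print("nested backwards ->", can_use_sslvpn(groups, wrong))   # False
```

The `wrong` map reproduces the "user doesn't belong to SSLVPN service group" outcome: membership only flows from child to parent, so putting SSLVPN Services inside Technical gives the user nothing. The same function also shows the trade-off Ajishlal later reports with "All RADIUS Users": if that group is a member of both Technical and Sales, every RADIUS user inherits both sets of routes.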

  • Hi @preston,

    Thanks for your response!

    As I said above, both options have been tried but still the same issue.

    FYI


    Thanks,

    @Connex_Ananth

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @Connex_Ananth

    I double checked again and all the instructions were correct. You're still getting this "User doesn't belong to SSLVPN services group" message?

    Your user authentication method is set to RADIUS + Local Users?

    Are you able to login with a browser session to your SSLVPN Port? If not, what's the error message?

    --Michael@BWC

  • Dear @BWC,

    Yes, the authentication method is already set to RADIUS + Local Users. Otherwise the firewall won't authenticate RADIUS users.

    FYI

    For browser-based login:

    Even though I have added "SonicWall Administrators" to group "Technical", it still says the user has no privileges for login from that location. Also, I have enabled user login on the interface.

    Hope this is an interesting scenario for all.

    Thanks,

    @Connex_Ananth

  • Dear @BWC

    Yes, the user authentication method is already set to RADIUS + Local Users, otherwise RADIUS authentication fails.

    FYI,

    Same error for both VPN and admin web-based logins. The "Technical" group is a member of SonicWall Administrators.

    Also, user login has been allowed on the interface. FYI

    Also the SSLVPN zone

    Hope this is an interesting scenario for all.

    Thanks,

    @Connex_Ananth

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @Connex_Ananth

    I'm a bit out of ideas at the moment; I only get the mentioned error message when group Technical is not a member of the SSLVPN Services group. Your screenshot above showed the other way around, which will not work. But you mentioned that you tried both ways, so you should be golden though.

    --Michael@BWC

  • Dear @BWC,

    Yes, I tried both ways but the results are the same. Technically it should work, but it didn't.

    @TAC

    @shiprasahu93 do you have any ideas, or can you please support on this?

    Thanks,
    @Connex_Ananth

  • Ajishlal All-Knowing Sage ✭✭✭✭

    Hi @Connex_Ananth

    I tested in my lab environment; it will work if you add "All RADIUS Users" into the "Technical"/"Sales" group. The problem is that whatever route policy you added in group 1 (Technical) can be accessed when the group 2 (Sales) users log in, and vice versa.

    The SonicWALL firewall doesn't have the option to choose "Associate RADIUS Filter-ID / Use Filter-ID for RADIUS Groups". (This feature is available in the SonicWall SRA.)

    So my suggestion is to contact SonicWall support, inform them of this issue and create an RFE.


  • Ajishlal All-Knowing Sage ✭✭✭✭

    Hi @Connex_Ananth

    Was your issue resolved?

    If so please mark the reply as the answer to help other community members find the helpful reply quickly.

  • Hi Team,

    Sorry for my late response. It isn't resolved yet, since my firewall was showing unnecessary users for RADIUS. I have planned to reproduce the setup again with a different firewall and I will update here as soon as possible.


    Thanks,

    Ananth
