Use RADIUS Filter-ID to add user to local group
mamey
I think I'm missing something. My RADIUS solution is working but I cannot add myself to a group that has administrative privileges, so I'm not able to fully deploy this solution.
I can authenticate users successfully. When I do, I get back the Filter-Id that I want, in this case Network Administrators. I have created a local Network Administrators group and I placed the Sonicwall Administrators group inside of this one. I log off as my local admin user and then log in using RADIUS, however I can never get administrative privileges to log into the GUI.
What am I doing wrong?
Thanks
Category: VPN Client
Answers
Hi @MAMEY,
Could you please share the error message that you get when trying to log in to the SonicWall GUI?
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Hi @mamey it's the other way around, your "Network Administrators" should be a Member of "SonicWall Administrators".
--Michael@BWC
Thanks Michael. It does make more sense that Network Administrators is a subset of all SonicWall Administrators. Thanks for the catch.
However, I am still getting the following error message:
@mamey did you enable HTTPS Management and User Login in the Interface Settings of the IP address you're trying to connect to?
--Michael@BWC
@BWC I believe I have done that here
I don't have any issues logging in when I connect with a local user that is in the SonicWall Administrator group.
I did a quick setup on my Appliance at home, and wasn't able to log in with the Radius User via VPN, but was able to connect to my WAN Interface IP instead. When I'm back home I'll give it a try to log in from LAN, but your settings look good to me when you're in the 172.17.0.0/24 network.
The message about being logged in as "L2TP Client" is confusing me a bit though. I'm not sure if L2TP connected remote users could admin the appliance.
--Michael@BWC
Update: I'm able to connect via VPN as Radius Administrator when, in the "Network Administrators" Group on the Administration tab, the option "Members go straight to the management UI on web login" is activated.
It's a bit confusing but it does the trick, because I was able to log in via WAN having this little Session Window.
--Michael@BWC
I am on a Mac and using the default Network Preferences pane to create a L2TP over IPSec connection to the SonicWall. I could try using NetExtender like our Windows users. However, I use the same connection with my local user credentials. When logging in as the local user, the SonicWall device seems able to verify who I am before I even log in... because of the VPN connection?
I don't know why my RADIUS user is so different, but I'm also not sure how to verify my connection attempts (can't find my username in the logs) or how to know that I'm being placed in the right group after authentication. Before the upgrade to SonicOS 6.5 it looks like there was a way to create local users by duplicating RADIUS usernames. That setting appears to have been removed.
It might also be worth noting that my RADIUS server is on a Linux box, not Windows. Users are authenticated using Okta's MFA solution.
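Added example, not code from the thread or from SonicWall: a small RFC 2865 attribute decoder that pulls the Filter-Id values out of a RADIUS Access-Accept, so the group name the server actually returns can be compared with the local group name configured on the firewall. The packet used below is constructed inline (authenticator zeroed) to stand in for a UDP payload captured on the RADIUS server.

```python
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
ACCESS_REJECT = 3
FILTER_ID = 11      # attribute type for Filter-Id
REPLY_MESSAGE = 18  # attribute type for Reply-Message


def parse_attributes(packet: bytes):
    """Return (code, [(type, value), ...]) for a RADIUS packet.

    Header layout: code(1) identifier(1) length(2) authenticator(16),
    followed by attributes as type(1) length(1) value, where length
    counts the two header bytes. Malformed lengths raise ValueError.
    """
    if len(packet) < 20:
        raise ValueError("truncated RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or len(packet) < length:
        raise ValueError("RADIUS length field does not match packet")
    pos, attrs = 20, []
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def filter_ids(packet: bytes):
    """Filter-Id strings from an Access-Accept; empty for any other code."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return []
    return [v.decode("utf-8", "replace") for t, v in attrs if t == FILTER_ID]


def build_packet(code: int, ident: int, attrs) -> bytes:
    """Constructed test packet; a real reply carries an MD5 Response Authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


if __name__ == "__main__":
    sample = build_packet(ACCESS_ACCEPT, 7, [(FILTER_ID, b"Network Administrators"),
                                            (REPLY_MESSAGE, b"ok")])
    print(filter_ids(sample))  # ['Network Administrators']
```

The firewall matches the returned string against the local group name, so a stray space or a different spelling in the decoded value is the first thing to look for when the user lands in the wrong group.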
Ok, good news is I can log in via the WAN IP. I did have to enable HTTPS management from there which creates a security vulnerability that I was hoping to avoid, if possible.
Is there another solution? I'm certainly willing to connect a different way if I can continue logging in from an internal interface IP.
You could try using an IPsec client on your Mac instead of the L2TP, because there you could grant Management Access.
I'm not certain about SSL-VPN, whether MGMT would be possible when connected. MobileConnect would be the easiest for sure.
--Michael@BWC
Thanks for your help @BWC! It looks like for my specific use case the best solution (at least for now) is to use the WAN IP for MGMT and RADIUS specifically for VPN authentication.