Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Restricting LDAP authentication to a specific group

dbdan22dbdan22 Newbie ✭
edited February 29 in SSL VPN

Hi,

I just got LDAPS authentication working on a TZ470 via Netextender to a Windows Server 2019 AD machine. Just to be clear, I did not configure RADIUS. Just LDAP + Local users.

The problem is, I want to restrict login to members of only One (1) Windows Security group.

Right now it's letting all our users in.

The users I want to let in, I've added to a Windows Group, let's call it AllowVPN.

How do I restrict login to only members of the AllowVPN Windows security group?

I've gone through the LDAP configuration pages on the TZ470 and they are difficult to understand.

I've used https://www.sonicwall.com/support/knowledge-base/how-to-integrate-ldap-active-directory-user-authentication/170707170351983/ but it doesn't go into how to restrict users by WIndows security group.

Newbie here, please help.

Thanks.

Category: SSL VPN
Reply

Best Answers

  • CORRECT ANSWER
    BWCBWC Cybersecurity Overlord ✭✭✭
    Answer ✓

    @dbdan22 it all comes to the Group SSLVPN Services, whatever User or AD Groups you assign as Member to that default group will have SSLVPN access.

    What is your current configuration regarding this group?

    With LDAP everyone can login but if you disable VirtualOffice the access via NetExtender should be limited.

    --Michael@BWC

  • CORRECT ANSWER
    dbdan22dbdan22 Newbie ✭
    edited March 6 Answer ✓

    Hi,

    OK, well, this was kind of silly, it was staring me in the face the whole time, but that's how you learn, I suppose.....

    So to recap, I wanted to limit allowed SSL VPN / Netextender users to only those users who are members of a specific Active Directory group.

    My first mistake was getting involved with the LDAP Configuration / Users & Groups tab. It really isn't necessary to do what I wanted to do. Best to let it be. KISS applies here.

    What is critical is, first, get the Bind correct. That took me awhile.

    Then go to Users / Local users & groups / Local groups, and Import from LDAP just the group I want to authenticate against.

    Now for my second mistake.

    You look at the list of groups, and you see the group just imported. You Leave It Alone. Do Not Touch It.

    Instead edit the SSLVPN Services Group, and add the group just imported to it. Sort of counterintuitive, but that's the way it works.

    I got that one exactly backwards. I edited the imported group and added SSLVPN Services to it. Nope. Does Not Work.

    Tested it by logging in as a member of the group. Disconnected, removed the user from the group in Active Directory, tried to log in again. Nope: "User doesn't belong to the SSLVPN service group". Makes perfect sense now.

    Oh well... you live and you learn. Now why didn't tech support spot this? They had a remote connection. Hmmmmm....

    I think maybe a KB article should be written up about this........

Answers

  • dbdan22dbdan22 Newbie ✭

    Hi,

    Thank you for your reply.

    I understand conceptually what needs to be done, but I keep getting bogged down in the details. Specifically how to fill out the LDAP configuration tabs. It is importing all the server usernames and groups and allowing everyone one in. The documentation doesn't address how to limit logins to one specific group. The devil is in the details, as always.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @dbdan22 yes there is no LDAP Filter which you could use to limit the reply from the LDAP to only needed Accounts and Groups, this might be possible with a LDAP Proxy etc.

    But at the end, even if you import all of your users, they are not able to login with NetExtender as long as only your AllowVPN Group is a member of SSLVPN Services Group.

    --Michael@BWC

  • dbdan22dbdan22 Newbie ✭
    edited February 29

    I'm just not getting this...

    I'm going through the settings, and either all LDAP users are getting in, or they all fail to get in.

    I'm not seeing a way to restrict it based on just one security group.

    Yes, the group is a member of SSLVPN services.

    I'm in LDAP Configuration / Test tab, I can do a User Authentication test, it passes, shows me the groups it is a member of, it is NOT a member of the group, but I'm able to log in anyway.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    They might be able to login, but NetExtender should not work for all who are not a member of SSLVPN Services, it's not perfect but better than nothing. Having a LDAP filter would be a better approach, but there is none :(

    --Michael@BWC

  • dbdan22dbdan22 Newbie ✭

    Was on the phone with tech support for a little over 2 hours. Still not working.

    When this is resolved I asked them to write a KB article. I'll post back with the details...

  • ArkwrightArkwright All-Knowing Sage ✭✭✭✭

    If you had answered BWC's question about who is a member of SSLVPN Services then you might have this working by now. Having said that, I assume that Sonicwall support would have had time to check this in a 2 hour call so maybe it's not that simple.

  • dbdan22dbdan22 Newbie ✭
    edited March 6

    So BWC had it right, I just didn't see the forest for the trees. Went in one ear and out the other. Credit is due.

  • dbdan22dbdan22 Newbie ✭

    And what really threw me for a loop was, when you edit the user group and add SSLVPN Services to it, the nice little stylized "S" for SSLVPN access shows up next to it. Whereas if you leave it alone like you're supposed to, the stylized "S" does NOT show up. Well, Ignore The Stylized "S". It's what's under the SSLVPN Services group that matters. Maybe the developers should take a 2nd look at this? I haven't completely lost my marbles yet... I think.....

Sign In or Register to comment.