
Use RADIUS Filter-ID to add user to local group

mameymamey Newbie ✭
edited July 2021 in VPN Client

I think I'm missing something. My RADIUS solution is working but I cannot add myself to a group that has administrative privileges, so I'm not able to fully deploy this solution.

I can authenticate users successfully. When I do, I get back the Filter-Id that I want, in this case Network Administrators. I have created a local Network Administrators group and I placed the Sonicwall Administrators group inside of this one. I log off as my local admin user and then log in using RADIUS, however I can never get administrative privileges to log into the GUI.

What am I doing wrong?

Thanks


Category: VPN Client

Best Answer

  • BWCBWC Cybersecurity Overlord ✭✭✭

    When you're connected via L2TP already, you can't, IMHO, log in to the Admin UI from the same IP because you can be authenticated only once.

    Do you have a chance to connect to your WAN (X1) IP if you have it enabled on that interface?

    --Michael@BWC

Answers

  • SaravananSaravanan Moderator

    Hi @MAMEY,

    Could you please share the error message that you get when trying to login to the SonicWall GUI?

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @mamey it's the other way around, your "Network Administrators" should be a Member of "SonicWall Administrators".

    --Michael@BWC

  • mameymamey Newbie ✭

    Thanks Michael. It does make more sense that Network Administrators is a subset of all SonicWall Administrators. Thanks for the catch.

    However, I am still getting the following error message:


  • BWCBWC Cybersecurity Overlord ✭✭✭

    @mamey did you enable HTTPS Management and User Login in the Interface Settings of the IP address you're trying to connect to?

    --Michael@BWC

  • mameymamey Newbie ✭

    @BWC I believe I have done that here


  • mameymamey Newbie ✭

    I don't have any issues logging in when I connect with a local user that is in the SonicWall Administrator group.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    I did a quick setup on my Appliance at home, and wasn't able to log in with the RADIUS user via VPN, but was able to connect to my WAN Interface IP instead. When I'm back home I'll try logging in from LAN, but your settings look good to me when you're in the 172.17.0.0/24 network.

    The message about being logged in as "L2TP Client" is confusing me a bit though. I'm not sure if L2TP-connected remote users can admin the appliance.

    --Michael@BWC

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Update: I'm able to connect via VPN as RADIUS Administrator when, in the "Network Administrators" group on the Administration tab, the option "Members go straight to the management UI on web login" is activated.

    It's a bit confusing but it does the trick, because I was able to log in via WAN having this little Session window.

    --Michael@BWC

  • mameymamey Newbie ✭

    I am on a Mac and using the default Network Preferences pane to create an L2TP over IPsec connection to the SonicWall. I could try using NetExtender like our Windows users. However, I use the same connection with my local user credentials. When logging in as the local user, the SonicWall device seems able to verify who I am before I even log in... because of the VPN connection?

    I don't know why my RADIUS user is so different, but I'm also not sure how to verify my connection attempts (can't find my username in the logs) or how to know that I'm being placed in the right group after authentication. Before the upgrade to SonicOS 6.5 it looks like there was a way to create local users by duplicating RADIUS usernames. That setting appears to have been removed.


    It might also be worth noting that my RADIUS server is on a Linux box, not Windows. Users are authenticated using Okta's MFA solution.

  • mameymamey Newbie ✭
    edited July 2021

    Ok, good news is I can log in via the WAN IP. I did have to enable HTTPS management from there, which creates a security vulnerability that I was hoping to avoid, if possible.

    Is there another solution? I'm certainly willing to connect a different way if I can continue logging in from an internal interface IP.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    You could try using an IPsec client on your Mac instead of L2TP, because there you could grant Management Access.

    I'm not certain whether MGMT would be possible over SSL-VPN when connected. MobileConnect would be the easiest for sure.

    --Michael@BWC

  • mameymamey Newbie ✭

    Thanks for your help @BWC! It looks like for my specific use case the best solution (at least for now) is to use the WAN IP for MGMT and RADIUS specifically for VPN authentication.
