SonicWALL Firewall SSL VPN with RADIUS + FilterID 11 Group Mapping
Connex_Ananth
Newbie
Dear Team,
I have configured SSL VPN and RADIUS authentication for VPN access on a TZ500, and users can connect to the VPN via RADIUS. In this situation, we need to enable group-based VPN access controls for users. I tried a few ways but couldn't make it succeed. So I have enabled the Filter-ID 11 attribute on both the SonicWALL and the RADIUS server; the RADIUS server even sends back the Filter-ID 11 value (group name) to the SonicWall, but it still doesn't succeed.
Looking for immediate advice. Thanks in advance.
Thanks,
Ananth
Category: Entry Level Firewalls
Answers
Hi @Connex_Ananth
Finally a RADIUS-related question, makes me happy. I thought I'm one of the last dinosaurs using that protocol, usually on SMA, but I tested on my TZ for ya.
First, it's working as intended. Filter-ID gets recognized; you have to create the group first on the TZ and put this group into the SSL VPN Group as a member. On Manage -> System Setup -> Users -> Settings you have to select RADIUS or RADIUS + Local Users as your authentication method.
In the RADIUS settings (CONFIGURE RADIUS) you have to check "Use RADIUS Filter-ID attribute" on the RADIUS Users tab. On the Test tab you can check the password authentication, which returns the provided Filter-IDs.
All your VPN access can be configured per group. Or even per Access Rule if you like.
--Michael@BWC
Hi @BWC ,
Thanks for prompt response.
It didn't work as we expected; the SSLVPN client still shows "user doesn't belong to SSLVPN service group". I have created a local group named "Technical" and assigned it to the SSLVPN service group, but the user, for example ananth1, still couldn't connect to SSLVPN.
The RADIUS server sends the attribute value "Technical", the same as the local group mapping. RADIUS-side authentication is successful for user ananth1.
Any idea? Bit urgent!
Thanks @Connex_Ananth
Hi @Connex_Ananth,
Make sure to change the Default User Group for all RADIUS users to belong to "SSLVPN Services".
If you added the user group (Technical) to "SSLVPN Service Group", choose the same as below in the screenshot and try.
As well, check the SSL VPN --> Server Settings page, enable the "Use RADIUS in" checkbox and select the "MSCHAPv2 mode" radio button.
Hi @Ajishlal ,
Thanks for your response!
If we select the default user group as SSLVPN Services, then all RADIUS users can connect with global VPN routes (all subnets). We should have multiple groups like Technical & Sales so each group can have different routes and controls.
Hope you understand what I am trying to achieve.
Thanks @Connex_Ananth
Hi @Connex_Ananth,
For understanding, can you share the "RADIUS users" configuration screenshot here?
Hi @Ajishlal
FYI,
User groups locally created and SSLVPN Service has been added.
User group attribute sent by RADIUS:
"Technical"
"Sales"
Thanks @Connex_Ananth
Hi @Connex_Ananth
Just to be sure, you've put your Sales and Technical groups as members of the SSLVPN Service Group? It seems the other way around, which is IMHO wrong.
Another option might be to have a Filter-ID "SSLVPN Services" returned as a 2nd group; then your users will be able to use the SSLVPN service.
--Michael@BWC
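As an added example (not from the thread, not SonicWall or RADIUS-server code), a small Python check of what the RADIUS server actually returns: it parses an Access-Accept, verifies the Response Authenticator against the shared secret, and lists every Filter-Id (attribute type 11) value, so a second group such as "SSLVPN Services" shows up alongside "Technical". The packet, shared secret and request authenticator are constructed stand-ins.

```python
import hashlib
import struct

FILTER_ID = 11      # RADIUS attribute type for Filter-Id (RFC 2865, section 5.11)
ACCESS_ACCEPT = 2   # RADIUS code for Access-Accept


def parse_attributes(payload: bytes):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    offset = 0
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = payload[offset], payload[offset + 1]
        if attr_len < 2 or offset + attr_len > len(payload):
            raise ValueError(f"bad attribute length {attr_len} at offset {offset}")
        yield attr_type, payload[offset + 2:offset + attr_len]
        offset += attr_len


def filter_ids(packet: bytes, secret: bytes, request_authenticator: bytes):
    """Return all Filter-Id strings from an Access-Accept after checking its authenticator."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    if code != ACCESS_ACCEPT:
        return []  # Access-Reject / Access-Challenge carry no group mapping
    attrs = packet[20:]
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("Response Authenticator mismatch: wrong shared secret or altered reply")
    return [v.decode("ascii") for t, v in parse_attributes(attrs) if t == FILTER_ID]


def build_access_accept(ident: int, secret: bytes, request_authenticator: bytes, groups):
    """Constructed test packet: an Access-Accept carrying one Filter-Id per group name."""
    attrs = b"".join(bytes([FILTER_ID, 2 + len(g)]) + g.encode("ascii") for g in groups)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


# Constructed sample: the user's group plus "SSLVPN Services" as a second Filter-Id.
SECRET = b"example-shared-secret"   # placeholder, not a real shared secret
REQ_AUTH = bytes(range(16))         # stands in for the Access-Request authenticator
SAMPLE = build_access_accept(7, SECRET, REQ_AUTH, ["Technical", "SSLVPN Services"])

if __name__ == "__main__":
    print(filter_ids(SAMPLE, SECRET, REQ_AUTH))  # ['Technical', 'SSLVPN Services']
```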
Hi @Connex_Ananth ,
Let me set up the same scenario in my lab & will get back to you.
As well, pls let me know your RADIUS Users configuration.
Hi @BWC ,
Answering your questions: I have tried both ways of SSLVPN assignment for both groups Technical & Sales, but still the same.
Hi @Ajishlal,
Thanks for your support!
FYI
Hi @Connex_Ananth, you need to make sure that your user groups are added to the SSL VPN Services group and not the other way round, i.e. don't add the SSL VPN Services group into the individual Technical and Sales groups.
Edit the SSL VPN Services group and add the Technical and Sales groups into it; this way the inheritance will work correctly and they should show they are a member of the SSL VPN Services.
If you have changed the Default RADIUS User Group to SSL VPN Services, change this back to none, as this limits the control and applies to all RADIUS groups, not just to the groups you want to use.
Hi @preston ,
Thanks for your response!
As I said above, both options have been tried but still the same issue.
FYI
Thanks,
@Connex_Ananth
Hi @Connex_Ananth
I double checked again and all the instructions were correct. You're still getting this "User doesn't belong to SSLVPN services group" message?
Your user authentication method is set to RADIUS + Local Users?
Are you able to login with a browser session to your SSLVPN Port? If not, what's the error message?
--Michael@BWC
Dear @BWC ,
Yes, the authentication method is already set to RADIUS + Local Users. Otherwise the firewall won't authenticate RADIUS users.
FYI
For browser based login.
I have even added "Sonicwall administrator" to group "Technical", but it still says the user has no privileges for login from that location. Also I have enabled user login on the interface.
Hope this is an interesting scenario to all.
Thanks,
@Connex_Ananth
Dear @BWC
Yes, the user authentication method is already set to RADIUS + Local Users, otherwise RADIUS authentication fails.
FYI,
Same error for both VPN and admin web-based logins. The "Technical" group is a member of Sonicwall administrator.
Also user login has been allowed on the interface. FYI
Also SSLVPN zone
Hope this is an interesting scenario to all.
Thanks,
@Connex_Ananth
Hi @Connex_Ananth
I'm a bit out of ideas at the moment. I only get the mentioned error message when group Technical is not a member of the SSLVPN Service Group. Your above screenshot showed the other way around, which will not work. But you mentioned that you tried both ways, then you should be golden though.
--Michael@BWC
Yes, I tried both ways but the results are the same. Technically it should work, but it didn't.
@TAC
@shiprasahu93 do you have any ideas, or can you please support on this?
Thanks,
@Connex_Ananth
Hi @Connex_Ananth
I tested in my lab environment; it will work if you add "All RADIUS Users" into the "Technical/Sales" group. The problem is that whatever route policy you added in group 1 (Technical) can be accessed when the group 2 (Sales) users log in, and vice versa.
The SonicWALL firewall doesn't have the option to choose "Associate RADIUS Filter-ID / Use Filter-ID for Radius Groups". (This feature is enabled in Sonicwall SRA.)
So my suggestion is to contact SonicWall support, inform them of this issue and create an RFE.
Hi @Connex_Ananth
Was your issue resolved?
If so please mark the reply as the answer to help other community members find the helpful reply quickly.
Hi Team,
Sorry for my late response. It isn't resolved yet, since my firewall was showing unnecessary users for RADIUS. I have planned to reproduce the setup again with a different firewall and I will update here as soon as possible.
Thanks,
Ananth
Did you resolve this issue? I am having a similar issue.