
LDAP Authentication

I inherited this firewall. I am fairly versed in Check Point but a newbie with SonicWall. I have verified that LDAP authentication is indeed working, but it is not limited to the security group I was told it was and would like it to be. See the attached Word document with screenshots of what I believe to be the relevant settings. I saw some older SonicWall documents that had a setting that is what I wish I could find, one that basically said "use this AD group" for authentication. The closest to that I could find was the Client Authentication setting under the WAN GroupVPN configuration, where I have it checked to Require authentication of VPN clients by XAUTH and I set the group to the AD group, but no luck. Thanks in advance for any help.

Category: Entry Level Firewalls

Answers

  • TKWITS

    What are you using LDAP for? What do you mean it "is not limited to the Security group"? Are you saying that any user with LDAP credentials can log in to the unit / GVPN / SSL-VPN?

    In the firewall LDAP configuration \ Settings \ Server \ Directory, you can limit the OUs that contain user accounts and user groups. Is this what you are looking for?

  • Hi @GRADY0298,

    Thank you for visiting SonicWall Community.

    With the settings shown in the Word document, only the user group OSF-VPN is allowed to authenticate using Global VPN Client. Are you facing any difficulties with this?

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • TKWITS, see the attached Word document of the location I think you are referring to. It seems this page is to make sure LDAP can get to the appropriate group, but not where you actually "limit" to this group?

    Saravanan, yes, I agree; from what I have read these settings should work, but I have created a test user and moved the user in and out of the OSF-VPN security group, and that user is able to authenticate whether in the group or not.

    Thank you both.

    David


  • SonicAdmin80

    I don’t use GVPN but at least with SSL-VPN you import the group from the LDAP settings page and then add it to the SSL-VPN services group.

  • TKWITS

    Your configuration shows you are using the entirety of the domain's default Users OU for LDAP authentication. That is a bad idea for reasons I do not want to get into here.

    The way I do LDAP authentication for VPN (of any sort) WITHOUT specifying users locally on the firewall is to use a non-default OU that contains VPN users, then point the SonicWall's LDAP to only that OU for user accounts. I do not depend on an LDAP user group to define who can log in.

    The way I would do what it sounds like you want to do is set the 'allow only users listed locally' option, then either manually import the users or use the 'mirror LDAP user groups locally' to regularly refresh the group listing. I would also suggest pruning user accounts after a certain number of days of inactivity.

    Hope that helps.
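As an added example that is not part of the thread or of SonicWall's own code, the following Python models the two separate decisions a VPN gateway makes against Active Directory: the LDAP bind (does the password work for any account in the domain?) and the authorization check (is the bound user under the allowed search base, or transitively a member of the VPN group?). It shows why "every AD user can log in" is exactly what you get when only the first decision is enforced, and how both restrictions discussed above (a dedicated OU as the user search base, or a required group including nested groups) behave. The names OSF-VPN and xxxxx.net are taken from the posts as placeholders; the users, passwords, OU layout and group nesting are constructed sample data, and no directory is contacted.

```python
"""Model of bind-only vs. group-gated VPN login against an AD-style directory.
Added example, not from the thread or SonicWall. All data below is constructed."""

BASE = "DC=xxxxx,DC=net"  # placeholder domain, from the thread's redacted screenshot

# Constructed users: DN -> attributes (sAMAccountName is the login name).
USERS = {
    f"CN=alice,OU=VPNUsers,{BASE}": {"sAMAccountName": "alice", "password": "alice-pw"},
    f"CN=carol,OU=VPNUsers,{BASE}": {"sAMAccountName": "carol", "password": "carol-pw"},
    f"CN=bob,CN=Users,{BASE}": {"sAMAccountName": "bob", "password": "bob-pw"},
    f"CN=Administrator,CN=Users,{BASE}": {"sAMAccountName": "Administrator", "password": "adm-pw"},
}

# Constructed groups: DN -> direct 'member' DNs. Contractors is nested inside OSF-VPN.
GROUPS = {
    f"CN=OSF-VPN,OU=Groups,{BASE}": [f"CN=alice,OU=VPNUsers,{BASE}", f"CN=Contractors,OU=Groups,{BASE}"],
    f"CN=Contractors,OU=Groups,{BASE}": [f"CN=carol,OU=VPNUsers,{BASE}"],
    f"CN=Domain Admins,CN=Users,{BASE}": [f"CN=Administrator,CN=Users,{BASE}"],
}

VPN_GROUP = f"CN=OSF-VPN,OU=Groups,{BASE}"


def find_user_dn(login, search_base=BASE):
    """Resolve a login name to a DN, searching only under search_base.
    Narrowing search_base to a dedicated OU is the OU-based restriction from
    the thread: accounts outside that OU are never found, so they cannot bind."""
    for dn, attrs in USERS.items():
        if attrs["sAMAccountName"].lower() == login.lower() and dn.lower().endswith(search_base.lower()):
            return dn
    return None


def ldap_bind(dn, password):
    """Simulated simple bind. A real bind succeeds for every enabled account in
    the domain; group membership plays no part in this step."""
    user = USERS.get(dn)
    return user is not None and user["password"] == password


def is_member_transitive(user_dn, group_dn, _seen=None):
    """Walk the group's 'member' attribute recursively so nested groups count.
    Reading only the user's direct memberOf would miss carol (member via
    Contractors). Against real AD the same question is one search using the
    LDAP_MATCHING_RULE_IN_CHAIN filter:
        (&(sAMAccountName=carol)(memberOf:1.2.840.113556.1.4.1941:=<group DN>))"""
    if _seen is None:
        _seen = set()
    if group_dn in _seen:  # guard against circular nesting
        return False
    _seen.add(group_dn)
    for member in GROUPS.get(group_dn, []):
        if member == user_dn:
            return True
        if member in GROUPS and is_member_transitive(user_dn, member, _seen):
            return True
    return False


def vpn_login(login, password, search_base=BASE, required_group=VPN_GROUP):
    """Full decision: locate user under search base, bind, then authorize.
    Returns (allowed, reason)."""
    dn = find_user_dn(login, search_base)
    if dn is None:
        return False, "user not found under search base"
    if not ldap_bind(dn, password):
        return False, "bind failed (bad password)"
    if required_group and not is_member_transitive(dn, required_group):
        return False, "authenticated but not in required group"
    return True, "ok"


def bind_only_login(login, password, search_base=BASE):
    """The situation in the thread: whole domain as search base, no group gate."""
    return vpn_login(login, password, search_base, required_group=None)


if __name__ == "__main__":
    for who in ("alice", "carol", "bob", "Administrator"):
        pw = USERS[find_user_dn(who)]["password"]
        print(f"{who:14} bind-only: {bind_only_login(who, pw)[0]!s:5}  group-gated: {vpn_login(who, pw)[0]}")
```

With the whole domain as the search base and no group check, bob and the built-in Administrator log in just as alice does, which is the behaviour reported above; gating on OSF-VPN admits alice and (through the nested Contractors group) carol only, and pointing the search base at OU=VPNUsers excludes everything under CN=Users before a bind is ever attempted.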

  • TKWITS, where exactly are you seeing that I am using the entirety of the domain's default OU for LDAP authentication? You must be correct, because currently any user in AD is getting authenticated. I can add new test users and they immediately get authenticated. Exactly what I want to know is how to limit this to a specific security group. I do not want to use local groups. I don't really want to have to create a separate OU if possible, just use a specific security group.

  • Hi @GRADY0298,

    The way you have already configured it should take care of the requirement. If it's still not working, maybe schedule a firewall reboot once and check. Make sure the firmware on the firewall is up to date. You can always reach out to our support folks to get it addressed in real time.


    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • TKWITS

    Your second attachment shows XXXXX.net/Users. That is the default domain user OU and contains the forest administrator account.
