Vigor Router supports authenticating PPTP/L2TP/SSL Remote Dial-In VPN connections by the local database or external authentication servers, including RADIUS, LDAP/ AD and TACACS+. This article explains the configuration of using an external LDAP/AD server for VPN authentication.
1. Go to Applications >> Active Directory /LDAP. Check Enable and choose a Bind Type. There are three types available:
Simple Mode – It is usually the option when users are all in the same folder/ level in the AD/LDAP server. The router does only the bind authentication but no searching.
Anonymous Mode – Perform a searching action first with Anonymous account, and then do the bind authentication. It is rarely used. In fact, Windows AD server refuses to authenticate Anonymous account by default.
Regular Mode – It is usually the option when users are in different sub-folders. Mostly it is the same with Anonymous Mode, but the server will first check if you have the search authority with Regular DN and
Regular Password authentication. In this mode, the router will send Bind Request with this Regular DN and Regular Password to LDAP/AD server, once it passed the authentication, the router will do searching then LDAP server will find the exact user's DN in different sub-folders.
In this example, we will use Regular Mode. Suppose Draytek LDAP server has OU People and OU RD1, RD2, RD3 under OU People, and the Users under OU RD1, RD2, RD3 are allowed for VPN Access.
2. Enter the IP address of LDAP/AD server at Server Address, and input Regular DN and Regular Password. Click OK then Vigor will request a system restart
Note: If the LDAP server you have is Windows AD server, always use cn=
for the start of Regular DN.
3. Create LDAP server profiles. Go to the Active Directory /LDAP tab click an index number to edit the profile.
4. Enter a Name for the profile. And once the server has authenticated Regular DN/ Password that the router use, we can use the Search icon to input the Base Distinguished Name quickly. In this example, we want to allow users under OU RD1, RD2, and RD3 to access VPN, so we select the OU people that contains OU RD1, RD2, and RD3, for Base Distinguished Name. Then click OK.
5. (Optional) Group DN for additional filtering. If both Base DN and Group DN are specified, only the users available in both path can pass the authentication.
6. Configure the router to authenticate Host-to-LAN VPN with the external server: Go to VPN and Remote Access >> PPP General Setup, at PPP Authentication Methods, enable AD/LDAP and the profile created in the previous steps and select PAP Only as the PPP Dial In Authentication method.
With the above configuration, remote VPN clients will be able to establish VPN with the user accounts in LDAP server.
Note:
When using Windows AD server for authentication, we may test the bind account "vpn-user" by running ldp.exe. to connect to a Domain Controller of the Windows AD server then perform a Simple Bind on the AD server. If Simple Bind on the AD server works but VPN still cannot pass the AD authentication, please contact our us via [email protected] and provide the information below.
Vigor3900/Vigor2960 supports three binds type for LDAP/AD authentication:
Below we provide examples of using Simple mode and regular mode.
1. Navigate to User Management >> LDAP / Active Directory, and click Add to add a new profile.
2. Configure the LDAP profile
(1) Simple mode
Use this mode when the LDAP/AD server has a simple structure. For example, the LDAP/AD server has only one default user group "Users" under the domain "ms.draytek.com," and all the user accounts are under this group. Then we can configure the profile like the following:
(2) Regular Mode
Use this mode when the LDAP/AD server has multiple levels and required searching to find the path to the user account. For example, there are OU "People" and "Group" under the domain, OU "RD1", "RD2", "RD3" are under the OU "People", OU "MIS", "PQC", "FAE" are under OU "RD1", and we want all the user accounts under OU "People" can be authenticated, then we can configure the profile like the following:
In Regular mode, when there is a user authentication request, the router will use the Regular DN and Password to get authenticated by the LDAP/AD server first (a.k.a. simple bind request). After the authentication succeeded, the router will send a search request and see if there is the user account is under Base DN. If LDAP server replies Entry 0, it means the user account doesn't exist in the Base DN. If the user account exists, the LDAP server will respond with the Entry/Path. With the path, the router will send the bind request to the LDAP server for authenticating the user account.
After the configuration, we can verify LDAP by "Preview."
1. After finishing the configuration of LDAP/AD profile, we can use it for Remote Dial-in clients. Navigate to VPN and Remote Access >> PPP General Setup >> PPTP.
2. Here we use Smart VPN Client as a VPN client. Run Smart VPN client, and click Insert to create a new VPN profile, configure the VPN profile as follows:
3. In PPTP Setup, choose the Authentication method to "PAP". Click OK to save.
Published On: 2016-05-12
Was this helpful?