Configuring RADIUS and LDAP authentication concurrently

Description

This article illustrates a scenario in which the primary authentication method on the SonicWall has been set to LDAP. Because LDAP does not usually support CHAP/MSCHAP authentication, L2TP VPN clients and other CHAP/MSCHAP-based logins cannot be authenticated against their AD user credentials.

The solution is to configure the feature RADIUS may also be required for CHAP, which automatically diverts CHAP/MSCHAP authentications to RADIUS.

This article assumes that L2TP settings have already been configured on the SonicWall and describes only the configuration needed for L2TP authentication.

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.


Creating User Groups and configuring User Management for RADIUS Authentication in Active Directory

  1. Open Active Directory Users and Computers and create a user group in the Users folder.
  2. Create a user and add the user as a member of the new User Group.
  3. Select the Dial-in tab and enable the Allow access option under Remote Access Permission.


Configuring the IAS Server to Support RADIUS Clients

  1. Launch the IAS Console by clicking Start | All Programs | Administrative Tools | Internet Authentication Service. The following IAS console will appear.
  2. Right-click the RADIUS Clients folder in the left pane and select New RADIUS Client from the menu.
  3. Enter a name for the new RADIUS client and enter the LAN IP Address of the SonicWall.
  4. Select RADIUS Standard (also the default option) and enter a Shared Secret. This shared secret is needed later on the SonicWall security appliance, so note it for future reference.
  5. Click Finish.
  6. To set up the access criteria for users, right-click Remote Access Policies and select New Remote Access Policy.
  7. Click Next on the New Policy Wizard. Select the Set up a custom policy radio button and then enter a name for this policy.
  8. Click Add on the Policy Conditions window.
  9. From this list, select Windows Groups, and click OK. By selecting Windows Groups, you can authenticate a user who is a member of a User Group in the Windows AD.
  10. Click Add, then enter the Windows User Group "Full Access". Click OK.
  11. Back on the New Remote Access Policy window, click Next.
  12. Select the Grant remote access permission radio button under the option If a connection request matches the specified conditions.
  13. On the Profile window click on the Edit Profile button.
  14. The Edit Dial-in Profile window will appear. Click on the Authentication tab.
  15. Under the Authentication tab select MS-CHAP-V2, MS-CHAP and PAP as the authentication methods.
  16. The following message box appears; click No on the help message box.
  17. Click Next on the Policy Window and then click Finish to complete.
  18. TIP: This completes the IAS configuration. If you have other groups on the AD that need different access, you can add more Remote Access Policies.

Enabling Reversibly Encrypted Passwords

 NOTE: Reversibly encrypted passwords are saved during the change-password process, so existing users must change their passwords to use CHAP. For a Windows 2000-based remote access server that is a member of a domain, you can select the Store password using reversible encryption for all users in the domain option on the domain server as described below.

Alternatively, you can enable reversible storage of passwords for individual users. By using the Directory Services snap-in, you can select this feature through the properties of an individual user. Again, note that reversibly encrypted passwords are saved during the change-password procedure, so existing users must change their passwords to use CHAP.

Enabling reversibly encrypted passwords (CHAP) in a domain (Active Directory server) via Group Policy

  1. Open Active Directory Users and Computers.
  2. In the console tree, double-click Active Directory Users and Computers, right-click the domain name, and then click Properties.
  3. On the Group Policy tab, click Default Domain Policy, and then click Edit.
  4. In the console tree, click Windows Settings.
  5. Click Security Settings.
  6. Click Account Policies.
  7. Click Password Policy.
  8. In the details pane, double-click Store password using reversible encryption for all users in the domain.
  9. Click Enabled, and then click OK.

Enabling reversibly encrypted passwords (CHAP) on a stand-alone server via Local Security Policy

  1. Start | Run | gpedit.msc.
  2. In the console tree, select Computer Configuration | Windows Settings | Security Settings | Account Policies | Password Policy.
  3. Enable Store password using reversible encryption.

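The Description above says LDAP cannot serve CHAP/MSCHAP logins, and the section just above explains that IAS needs passwords stored with reversible encryption before CHAP will work. The reason is the same in both cases: a CHAP response is computed over the cleartext password, so a backend that holds only a one-way hash has nothing to recompute, while PAP (which delivers the cleartext) works against either store. The following Python script is an added example, not code from SonicWall or Microsoft; it models the two kinds of password store and a dispatcher that returns "cannot decide" for the case the firewall diverts to RADIUS. The password, salt and challenge are constructed sample values.

```python
"""Why CHAP/MS-CHAP needs a reversibly stored password while PAP does not.

Added example, not from the SonicWall article. All passwords, salts and
challenges are constructed sample values.
"""
import hashlib
import hmac
from typing import Optional


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) response the client computes: MD5(Identifier || secret || Challenge).
    A server can only check it by computing the same value, so it needs the cleartext."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class OneWayHashStore:
    """Models a directory (LDAP-style) that keeps only a salted one-way hash."""

    SALT = b"\x01\x02\x03\x04"  # constructed; fixed so results are reproducible

    def __init__(self, password: str) -> None:
        self.digest = self._hash(password)  # the cleartext is discarded here

    @classmethod
    def _hash(cls, password: str) -> bytes:
        return hashlib.sha256(cls.SALT + password.encode()).digest()

    def verify_pap(self, password: str) -> bool:
        # PAP delivers the cleartext, so the stored hash can be recomputed and compared.
        return hmac.compare_digest(self._hash(password), self.digest)

    def verify_chap(self, identifier: int, challenge: bytes, response: bytes) -> Optional[bool]:
        # Nothing to recompute: the hash cannot be inverted and the CHAP response
        # is a function of the cleartext. None means "cannot decide".
        return None


class ReversibleStore:
    """Models a server that can recover the cleartext, as IAS/NPS can once
    'Store password using reversible encryption' is enabled in AD."""

    def __init__(self, password: str) -> None:
        self.cleartext = password

    def verify_pap(self, password: str) -> bool:
        return hmac.compare_digest(password.encode(), self.cleartext.encode())

    def verify_chap(self, identifier: int, challenge: bytes, response: bytes) -> Optional[bool]:
        expected = chap_response(identifier, self.cleartext, challenge)
        return hmac.compare_digest(expected, response)


def authenticate(store, method: str, *, password: str = "", identifier: int = 0,
                 challenge: bytes = b"", response: bytes = b"") -> Optional[bool]:
    """True/False: decided by this backend. None: this backend cannot evaluate the
    method, which is the case the firewall hands to RADIUS."""
    if method == "PAP":
        return store.verify_pap(password)
    if method == "CHAP":
        return store.verify_chap(identifier, challenge, response)
    raise ValueError(f"unsupported method {method!r}")


def demo() -> dict:
    password = "Correct-Horse-42"                                   # constructed
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
    ident = 7
    good = chap_response(ident, password, challenge)
    bad = chap_response(ident, "Wrong-Horse-42", challenge)
    ldap_like, radius_like = OneWayHashStore(password), ReversibleStore(password)
    return {
        "ldap_pap_ok": authenticate(ldap_like, "PAP", password=password),
        "ldap_chap": authenticate(ldap_like, "CHAP", identifier=ident, challenge=challenge, response=good),
        "radius_chap_ok": authenticate(radius_like, "CHAP", identifier=ident, challenge=challenge, response=good),
        "radius_chap_bad": authenticate(radius_like, "CHAP", identifier=ident, challenge=challenge, response=bad),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `ReversibleStore` also shows the cost of the setting: whoever can read the directory data can read the cleartext, which is why the per-user option described above is the narrower choice when only a few accounts need CHAP.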


Configuring SonicWall User Settings for RADIUS Authentication.

  1. Log in to the SonicWall management GUI.
  2. Navigate to Device | Users | Settings.
  3. Click on the Configure button under RADIUS may also be required for CHAP.
  4. Enter the IP address of the RADIUS Server and the Shared Secret for the RADIUS server.
     NOTE: The Shared Secret has to be identical to the one entered in the RADIUS Client in IAS.

  5. Click the RADIUS Users tab and select the radio button under Use RADIUS Filter-Id attribute on RADIUS server.
  6. Click Apply and then click on the Test tab. Type in the user name created earlier (User-1), enter the password and test the authentication.

How to Test

  • Initiate a connection from a remote L2TP client.
  • When prompted for username and password, enter the username "user-1"  and the password set for that user.
  • On successfully connecting after being authenticated, try to ping the IP Address of a host in the LAN.
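The Test tab and the L2TP login both drive the same exchange: the firewall sends a RADIUS Access-Request to IAS, and IAS answers with Access-Accept or Access-Reject. The script below is an added example, not SonicWall or Microsoft code; it implements that exchange in PAP form per RFC 2865 (packet header, attribute TLVs, User-Password hiding, Response Authenticator) to show two things the steps above depend on: the Shared Secret must be identical on both sides, otherwise the password cannot be recovered and the reply cannot be validated, and the Filter-Id attribute is where the group name that the "Use RADIUS Filter-Id attribute" option maps to a firewall user group travels. The user database, the user `User-1`, its password, the secret, the NAS address and the group "Full Access" are constructed values.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865, PAP) between a firewall
(NAS) and a RADIUS server. Added example; not SonicWall or Microsoft code.
User, password, secret, NAS address and group name are constructed values."""
import hashlib
import hmac
import os
from typing import List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11

# Constructed stand-in for the IAS user database: name -> (password, group).
USER_DB = {"User-1": ("Sample-Passw0rd", "Full Access")}


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """TLV encoding: Type(1) Length(1, counts the header) Value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous
    block), seeded with the Request Authenticator. Only a holder of the secret can undo it."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs_bytes: bytes) -> bytes:
    """Header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    return bytes([code, ident]) + (20 + len(attrs_bytes)).to_bytes(2, "big") + authenticator + attrs_bytes


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs_bytes: bytes, secret: bytes) -> bytes:
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret): ties the reply to a server
    that knows the secret and to this exact request."""
    header = bytes([code, ident]) + (20 + len(attrs_bytes)).to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def client_access_request(username: str, password: str, secret: bytes, ident: int = 1) -> Tuple[bytes, bytes]:
    """What the firewall sends. Returns the packet and the Request Authenticator it must
    keep to validate the reply."""
    request_auth = os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, bytes([10, 0, 0, 1])),   # constructed LAN IP of the firewall
    ])
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(packet: bytes, secret: bytes) -> bytes:
    """What the RADIUS server (IAS) does with the request."""
    code, ident, length = packet[0], packet[1], int.from_bytes(packet[2:4], "big")
    if code != ACCESS_REQUEST or length < 20 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    entry = USER_DB.get(username)
    if entry and hmac.compare_digest(password, entry[0].encode()):
        code, reply_attrs = ACCESS_ACCEPT, encode_attrs([(FILTER_ID, entry[1].encode())])
    else:
        code, reply_attrs = ACCESS_REJECT, b""
    return build_packet(code, ident, response_authenticator(code, ident, request_auth, reply_attrs, secret), reply_attrs)


def client_check_reply(reply: bytes, request_auth: bytes, secret: bytes) -> Tuple[str, str]:
    """Validate the Response Authenticator before trusting the verdict, then read the
    Filter-Id value the firewall maps to a local user group."""
    code, ident, length = reply[0], reply[1], int.from_bytes(reply[2:4], "big")
    attrs_bytes = reply[20:length]
    expected = response_authenticator(code, ident, request_auth, attrs_bytes, secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return "untrusted", ""      # secret mismatch on either side, or a tampered reply
    if code != ACCESS_ACCEPT:
        return "reject", ""
    groups = [v.decode() for t, v in decode_attrs(attrs_bytes) if t == FILTER_ID]
    return "accept", groups[0] if groups else ""


def run_exchange(username: str, password: str, client_secret: bytes, server_secret: bytes) -> Tuple[str, str]:
    request, request_auth = client_access_request(username, password, client_secret)
    return client_check_reply(server_handle(request, server_secret), request_auth, client_secret)


if __name__ == "__main__":
    print(run_exchange("User-1", "Sample-Passw0rd", b"s3cret", b"s3cret"))   # ('accept', 'Full Access')
    print(run_exchange("User-1", "Sample-Passw0rd", b"s3cret", b"typo"))     # ('untrusted', '')
```

Running the exchange with mismatched secrets is the mistake the NOTE in step 4 warns about: the server decodes garbage for the password and rejects, and the firewall cannot even validate that reject, so the Test tab reports a failure rather than a clear "wrong secret". Comparing the Shared Secret on both sides is therefore the first check when the test fails for a user whose credentials are known to be correct.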



Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.


Creating User Groups and configuring User Management for RADIUS Authentication in Active Directory

  1. Open Active Directory Users and Computers and create a user group in the Users folder.
  2. Create a user and add the user as a member of the new User Group.
  3. Select the Dial-in tab and enable the Allow access option under Remote Access Permission.



Configuring the IAS Server to Support RADIUS Clients

  1. Launch the IAS Console by clicking Start | All Programs | Administrative Tools | Internet Authentication Service. The following IAS console will appear.
  2. Right-click the RADIUS Clients folder in the left pane and select New RADIUS Client from the menu.
  3. Enter a name for the new RADIUS client and enter the LAN IP Address of the SonicWall.
  4. Select RADIUS Standard (also the default option) and enter a Shared Secret. This shared secret is needed later on the SonicWall security appliance, so note it for future reference.
  5. Click Finish.
  6. To set up the access criteria for users, right-click Remote Access Policies and select New Remote Access Policy.
  7. Click Next on the New Policy Wizard. Select the Set up a custom policy radio button and then enter a name for this policy.
  8. Click Add on the Policy Conditions window.
  9. From this list, select Windows Groups, and click OK. By selecting Windows Groups, you can authenticate a user who is a member of a User Group in the Windows AD.
  10. Click Add, then enter the Windows User Group "Full Access". Click OK.
  11. Back on the New Remote Access Policy window, click Next.
  12. Select the Grant remote access permission radio button under the option If a connection request matches the specified conditions.
  13. On the Profile window click on the Edit Profile button.
  14. The Edit Dial-in Profile window will appear. Click on the Authentication tab.
  15. Under the Authentication tab select MS-CHAP-V2, MS-CHAP and PAP as the authentication methods.
  16. The following message box appears; click No on the help message box.
  17. Click Next on the Policy Window and then click Finish to complete.

 TIP: This completes the IAS configuration. If you have other groups on the AD that need different access, you can add more Remote Access Policies.


Enabling Reversibly Encrypted Passwords

 NOTE: Reversibly encrypted passwords are saved during the change-password process, so existing users must change their passwords to use CHAP. For a Windows 2000-based remote access server that is a member of a domain, you can select the Store password using reversible encryption for all users in the domain option on the domain server as described below.

Alternatively, you can enable reversible storage of passwords for individual users. By using the Directory Services snap-in, you can select this feature through the properties of an individual user. Again, note that reversibly encrypted passwords are saved during the change-password procedure, so existing users must change their passwords to use CHAP.

Enabling reversibly encrypted passwords (CHAP) in a domain (Active Directory server) via Group Policy

  1. Open Active Directory Users and Computers.
  2. In the console tree, double-click Active Directory Users and Computers, right-click the domain name, and then click Properties.
  3. On the Group Policy tab, click Default Domain Policy, and then click Edit.
  4. In the console tree, click Windows Settings.
  5. Click Security Settings.
  6. Click Account Policies.
  7. Click Password Policy.
  8. In the details pane, double-click Store password using reversible encryption for all users in the domain.
  9. Click Enabled, and then click OK.

Enabling reversibly encrypted passwords (CHAP) on a stand-alone server via Local Security Policy

  1. Start | Run | gpedit.msc.
  2. In the console tree, select Computer Configuration | Windows Settings | Security Settings | Account Policies | Password Policy.
  3. Enable Store password using reversible encryption.



Configuring SonicWall User Settings for RADIUS Authentication.

  1. Log in to the SonicWall management GUI.
  2. Navigate to Manage | Users | Settings.
  3. Click on the Configure button under RADIUS may also be required for CHAP.
  4. Enter the IP address of the RADIUS Server and the Shared Secret for the RADIUS server.
     NOTE: The Shared Secret has to be identical to the one entered in the RADIUS Client in IAS.

  5. Click the RADIUS Users tab and select the radio button under Use RADIUS Filter-Id attribute on RADIUS server.
  6. Click Apply and then click on the Test tab. Type in the user name created earlier (User-1), enter the password and test the authentication.


How to Test

  • Initiate a connection from a remote L2TP client.
  • When prompted for username and password, enter the username "user-1"  and the password set for that user.
  • On successfully connecting after being authenticated, try to ping the IP Address of a host in the LAN.






Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.




Creating User Groups and configuring User Management for RADIUS Authentication in Active Directory.

  1. Open Active Directory Users and Computers and create a user group in the Users folder.
  2. Create a user and add the user as a member of the new User Group.
  3. Select the Dial-in tab and enable the Allow access option under Remote Access Permission.


Configuring the IAS Server to Support RADIUS Clients

  1. Launch the IAS Console by clicking Start | All Programs | Administrative Tools | Internet Authentication Service. The following IAS console will appear.
  2. Right-click the RADIUS Clients folder in the left pane and select New RADIUS Client from the menu.
  3. Enter a name for the new RADIUS client and enter the LAN IP Address of the SonicWall.
  4. Select RADIUS Standard (also the default option) and enter a Shared Secret. This shared secret is needed later on the SonicWall security appliance, so note it for future reference.
  5. Click Finish.
  6. To set up the access criteria for users, right-click Remote Access Policies and select New Remote Access Policy.
  7. Click Next on the New Policy Wizard. Select the “Set up a custom policy” radio button and then enter a name for this policy.
  8. Click Add on the Policy Conditions window.
  9. From this list, select Windows Groups, and click OK. By selecting Windows Groups, you can authenticate a user who is a member of a User Group in the Windows AD.
  10. Click Add, then enter the Windows User Group Full Access. Click OK.
  11. Back on the New Remote Access Policy window, click Next.
  12. Select the Grant remote access permission radio button under the option If a connection request matches the specified conditions.
  13. On the Profile window click Edit Profile.
  14. The Edit Dial-in Profile window will appear. Click the Authentication tab.
  15. Under the Authentication tab select MS-CHAP-V2, MS-CHAP and PAP as the authentication methods.
  16. The following message box appears; click No on the help message box.
  17. Click Next on the Policy Window and then click Finish to complete.
  18. This completes the IAS configuration. If you have other groups on the AD that need different access, you can add more Remote Access Policies.



Enabling Reversibly Encrypted Passwords

NOTE: Reversibly encrypted passwords are saved during the change-password process, so existing users must change their passwords to use CHAP. For a Windows 2000-based remote access server that is a member of a domain, you can select the Store password using reversible encryption for all users in the domain option on the domain server as described below.

Alternatively, you can enable reversible storage of passwords for individual users. By using the Directory Services snap-in, you can select this feature through the properties of an individual user. Again, note that reversibly encrypted passwords are saved during the change-password procedure, so existing users must change their passwords to use CHAP.

Enabling reversibly encrypted passwords (CHAP) in a domain (Active Directory server) via Group Policy

  1. Open Active Directory Users and Computers.
  2. In the console tree, double-click Active Directory Users and Computers, right-click the domain name, and then click Properties.
  3. On the Group Policy tab, click Default Domain Policy, and then click Edit.
  4. In the console tree, click Windows Settings.
  5. Click Security Settings.
  6. Click Account Policies.
  7. Click Password Policy.
  8. In the details pane, double-click Store password using reversible encryption for all users in the domain.
  9. Click Enabled, and then click OK.

Enabling reversibly encrypted passwords (CHAP) on a stand-alone server via Local Security Policy

  1. Start | Run | gpedit.msc.
  2. In the console tree, select Computer Configuration | Windows Settings | Security Settings | Account Policies | Password Policy.
  3. Enable Store password using reversible encryption.


Configuring SonicWall User Settings for RADIUS Authentication.


  1. Log in to the SonicWall management GUI.
  2. Navigate to Users | Settings.
  3. Click the Configure button under RADIUS May Also Be Required for CHAP.
  4. Enter the IP address of the RADIUS Server and the Shared Secret for the RADIUS server.
     NOTE: The Shared Secret has to be identical to the one entered in the RADIUS Client in IAS.

  5. Click the RADIUS Users tab and select the radio button under Use RADIUS Filter-Id attribute on RADIUS server.
  6. Click Apply and then click on the Test tab. Type in the user name created earlier (User-1), enter the password and test the authentication.



How to Test

  • Initiate a connection from a remote L2TP client.
  • When prompted for username and password, enter the username "user-1" and the password set for that user.
  • On successfully connecting after being authenticated, try to ping the IP Address of a host in the LAN.

