SonicOS: Enabling RADIUS to LDAP Relay for L2TP Authentication on SonicOS Enhanced

LDAP does not usually support CHAP/MSCHAP authentication (Microsoft Active Directory and Novell eDirectory do not). The SonicWall will automatically divert CHAP/MSCHAP authentications to RADIUS if LDAP does not support it and RADIUS is configured, so configure RADIUS if that is the case and L2TP server or VPN client connections are to use CHAP/MSCHAP.

The RADIUS to LDAP Relay feature is designed for use in a topology where there is a central site with an LDAP/AD server and a central SonicWall with remote satellite sites connected into it via low-end SonicWall security appliances that may not support LDAP. In that case the central SonicWall can operate as a RADIUS server for the remote SonicWalls, acting as a gateway between RADIUS and LDAP, and relaying authentication requests from them to the LDAP server.

Alert:

• The RADIUS client on the remote sonicWALLs should be configured to use port 1812 and the shared secret below (See step 7) 
• On remote sonicWALLs running SonicOS enhanced firmware, select “Use SonicWall vendor-specific attribute on RADIUS server’ on the RADIUS Users tab

To enable this feature it is necessary to select the option "Enable RADIUS to LDAP Relay" within the LDAP configuration on the central SonicWall, follow these steps:

1. Login to the SonicWall Management Interface
2. Select Users > Settings.
3. Choose LDAP under Authentication method for login: drop down list.
4. Click the Configure button, and then select the LDAP Relay tab.
5. Check the "Enable RADIUS to LDAP Relay" box 
6. Allow RADIUS clients to connect via – Check the relevant checkboxes and policy rules will be added to allow incoming RADIUS requests accordingly (The options are: Trusted Zones, WAN Zone, Public Zones, Wireless Zones, VPN Zone) 
7. RADIUS shared secret – This is a shared secret common to all remote SonicWalls.

Additionally, for remote SonicWalls running non-enhanced firmware, with this feature the central SonicWall can return legacy user privilege information to them based on user group memberships learned via LDAP. This avoids what can be very complex configuration of an external RADIUS server such as IAS for those SonicWalls.

–         User groups for legacy VPN users – Defines the user group that corresponds to the legacy ‘Access to VPNs’ privileges. When a user in this user group is authenticated, the remote SonicWall is notified to give the user the relevant privileges.

–         User groups for legacy VPN client users – Defines the user group that corresponds to the legacy ‘Access from VPN client with XAUTH’ privileges. When a user in this user group is authenticated, the remote SonicWall is notified to give the user the relevant privileges

–         User groups for legacy L2TP users – Defines the user group that corresponds to the legacy ‘Access from L2TP VPN client’ privileges. When a user in this user group is authenticated, the remote SonicWall is notified to give the user the relevant privileges.

–         User groups for legacy users with Internet access – Defines the user group that corresponds to the legacy ‘Allow Internet access (when access is restricted)’ privileges. When a user in this user group is authenticated, the remote SonicWall is notified to give the user the relevant privileges.

8. Click OK

Note: The ‘Bypass filters’ and ‘Limited management capabilities’ privileges are returned based on membership to user groups named ‘Content Filtering Bypass’ and ‘Limited Administrators’ – these are not configurable.

Source: SonicOS Enhanced 4.0 Administrator Guide