USG NGFW VPN LDAP authentication

Publication Date: 2015-12-31
Issue Description

Before software release V100R001C30, it was not possible to authenticate users based on one or more OUs and/or security groups stored in an LDAP directory server.

When LDAP authentication is configured for VPN users, every user in the LDAP tree is able to connect to the VPN service (L2TP/IPSec, for example).

There is no way to set and use an "LDAP filter" so that only users belonging to a single "security group" or "OU" are authenticated.



Solution

From release V100R001C30 onward, authentication based on LDAP-filtered users/groups is possible by using a standard LDAP filter inside the LDAP server template configuration:

In the template below, only members of the VPN security group can connect to the VPN:

ldap-server template LDAP_SERVER_FILTERED
ldap-server authentication XXX.XXX.XXX.XXX 389
ldap-server authentication base-dn dc=CONTOSO,dc=LOCAL
ldap-server authentication manager cn=Administrator,cn=users %$%$OOHgYqotgQV,_F"``0*TGf]T%$%$ %$%$OOHgYqotgQV,_F"``0*TGf]T%$%$
ldap-server group-filter ou
ldap-server authentication-filter (&(objectclass=*)(memberOf=cn=VPN,ou=Groups,dc=CONTOSO,dc=LOCAL))
ldap-server user-filter cn
ldap-server ip-address-filter VIP mask-filter VIPMask
ldap-server server-type ad
#

L2TP/IPSEC configuration Omitted.....

domain default
  authentication-scheme ldap
  ldap-server LDAP_SERVER_FILTERED
  service-type access internet-access administrator-access
  ip pool 0 192.168.250.2 192.168.250.254
  reference user current-domain
  new-user add-temporary group /default auto-import import_ldap


It is possible to use complex filters based on the LDAP standard. Please refer to the external documentation: RFC 4515 and RFC 2254.
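Because a mistake in the authentication-filter silently admits or rejects the wrong accounts, it is worth evaluating the filter against known entries before committing it on the firewall. The script below is an added example, not Huawei's or this article's code: it parses an RFC 4515 filter (AND, OR, NOT, presence and equality; substring and extensible matching are not implemented), evaluates it against a constructed in-memory directory under the article's base DN, and shows both the article's filter and a stricter variant that also excludes members of a second group. The account names, the Contractors group and the helper names are assumptions; DN-valued attributes such as memberOf are compared case-insensitively, as Active Directory does.

```python
"""Check an RFC 4515 LDAP filter against a constructed directory before deploying it.

Added example, not Huawei's or the article's code. Supports AND (&), OR (|),
NOT (!), presence (attr=*) and equality (attr=value). The sample directory is
constructed, not real data.
"""
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]          # attribute name (lower-case) -> values
Directory = Dict[str, Entry]          # entry DN -> entry


def escape_filter_value(value: str) -> str:
    """Escape a literal assertion value as RFC 4515 section 3 requires."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def unescape_filter_value(value: str) -> str:
    """Reverse RFC 4515 escaping (\\XX hex pairs) in a parsed assertion value."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_filter(text: str) -> Tuple:
    """Parse a filter string into a nested tuple tree; raises ValueError if malformed."""
    text = text.strip()
    node, end = _parse_at(text, 0)
    if end != len(text):
        raise ValueError(f"unexpected trailing text at offset {end}")
    return node


def _parse_at(s: str, i: int) -> Tuple[Tuple, int]:
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse_at(s, i)
            children.append(child)
        node = (op, children)
    elif s[i] == "!":
        child, i = _parse_at(s, i + 1)
        node = ("!", child)
    else:
        close = s.find(")", i)           # a ')' inside a value must be escaped as \29
        if close < 0:
            raise ValueError("missing ')'")
        attr, sep, value = s[i:close].partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed item near offset {i}")
        node = ("=", attr.strip().lower(), value)
        i = close
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def matches(node: Tuple, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry (values compared case-insensitively)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, raw = node
    values = entry.get(attr, [])
    if raw == "*":                       # presence test
        return bool(values)
    wanted = unescape_filter_value(raw).lower()
    return any(v.lower() == wanted for v in values)


def permitted_users(filter_text: str, directory: Directory) -> List[str]:
    """Return the sAMAccountName of every entry the filter would admit, sorted."""
    tree = parse_filter(filter_text)
    return sorted(e["samaccountname"][0] for e in directory.values() if matches(tree, e))


VPN_GROUP = "CN=VPN,OU=Groups,DC=CONTOSO,DC=LOCAL"
CONTRACTOR_GROUP = "CN=Contractors,OU=Groups,DC=CONTOSO,DC=LOCAL"   # assumed second group


def _user(name: str, *groups: str) -> Entry:
    return {"objectclass": ["top", "person", "user"],
            "samaccountname": [name], "memberof": list(groups)}


# Constructed sample directory (not real data): four accounts under the article's base DN.
SAMPLE_DIRECTORY: Directory = {
    "CN=alice,CN=Users,DC=CONTOSO,DC=LOCAL": _user("alice", VPN_GROUP),
    "CN=bob,CN=Users,DC=CONTOSO,DC=LOCAL": _user("bob"),
    "CN=carol,CN=Users,DC=CONTOSO,DC=LOCAL": _user("carol", VPN_GROUP, CONTRACTOR_GROUP),
    "CN=svc-backup,CN=Users,DC=CONTOSO,DC=LOCAL": _user("svc-backup", CONTRACTOR_GROUP),
}

# The article's filter: only direct members of the VPN security group.
ARTICLE_FILTER = "(&(objectclass=*)(memberOf=cn=VPN,ou=Groups,dc=CONTOSO,dc=LOCAL))"

# A stricter variant: VPN members who are not also contractors.
STRICT_FILTER = ("(&(objectclass=user)"
                 "(memberOf=cn=VPN,ou=Groups,dc=CONTOSO,dc=LOCAL)"
                 "(!(memberOf=cn=Contractors,ou=Groups,dc=CONTOSO,dc=LOCAL)))")

if __name__ == "__main__":
    print("article filter admits:", permitted_users(ARTICLE_FILTER, SAMPLE_DIRECTORY))
    print("strict filter admits: ", permitted_users(STRICT_FILTER, SAMPLE_DIRECTORY))
```

Two points the run makes visible: a memberOf equality test only sees direct membership, so an account that reaches the VPN group through a nested group is not admitted unless the filter names that group too; and any group or OU name containing `*`, `(`, `)` or `\` must be escaped with escape_filter_value before it is pasted into the authentication-filter line, otherwise the filter either fails to parse or matches more than intended.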


Note: This configuration is not limited to VPN user access authentication.
