Can't get AAA Server -> Active Directory to work

I'm trying to set up AD user validation for SSL VPN connections.

I have earlier succeeded with this on a VPN50, and a Windows SBS connected to the same subnet, if that matters.

Now I'm trying to set up a VPN100 located at our office location, to validate users on a Windows Server 2016 DC, located at our external hosting partner.

I have filled in server address (primary DC IP), backup server address (backup DC IP), Base DN, Bind DN and password, but when using the configuration validation option at the bottom, I receive a "Wrong IP or Port" as result.

As far as I can identify, the default port (389) has not been changed on the DC.

Before I suggest that something must be wrong at our hosting partner, I would like to be quite sure that I have made the configuration properly.

When looking at the log right after performing the "configuration validation", I'm a little surprised that nothing seems to be logged in connection with the validation. Shouldn't I see something?

Any suggestions on what could be wrong are appreciated.

BR Ole.


Accepted Solution

  • Zyxel_Jerry (Zyxel Official Agent, Posts: 276, mod)
    Accepted Answer

    Hi @OWB

    Can you ping from the device the server successfully?

    Or you may try to add a static route as below:

    As an AD client role, the device will mainly verify whether the account is valid or not.

    Regarding the failure reason, we need your help to check the log on the AD server; meanwhile, can you collect the packets and share them with us when you're running AD authentication?


All Replies

  • Zyxel_Jerry (Zyxel Official Agent, Posts: 276, mod)

    Hi @OWB

    Welcome to the Zyxel community.

    Could you private message your configuration so we can check further?


  • OWB (Member, Posts: 8)

    Thanks @Zyxel_Jerry

    Yes, I guess I can. Should I just download "startup-config.config" and attach it to a private message to you?

    BR Ole.

  • Zyxel_Jerry (Zyxel Official Agent, Posts: 276, mod)

    Hi @OWB

    I've checked your configuration; there is no problem with it.

    Previously you mentioned that after performing the "configuration validation" the result showed "Wrong IP or PORT".

    Could you please check the connection on VPN tunnel?

    Could you ping the IP address of the server?

    If it still cannot connect to the server, try to disable the firewall rule and ping the server again.

  • OWB (Member, Posts: 8)

    Hi Jerry,

    No problem, I can ping the DC, and the VPN is definitely running. All of our local IT (Microsoft Outlook, network shares, print etc.) is using servers in "the other end" of the VPN.

    In the beginning, I did suspect that the DC was set up to use a port other than the default (389), but from what I can identify, it seems not to be the issue.

    When looking at the log right after performing the "configuration validation", I'm a little surprised that nothing seems to be logged in connection with the validation. Shouldn't I see some log entry in Monitor->Log, whether it has failed or not?

    BR O
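A "Wrong IP or Port" result from the device only says that the TCP connection to the DC never completed; it does not tell you whether the Base DN, Bind DN or password are accepted. The script below is an added example (not from this thread, nor Zyxel's or Microsoft's code) that separates the two from a host on the same side as the VPN device: it opens TCP port 389 and sends a hand-built LDAPv3 simple bind (RFC 4511), then reads the resultCode the DC returns (0 = success, 49 = invalidCredentials). Host, Bind DN and password are placeholders you supply; a simple bind on 389 sends the password unencrypted, so run this over the VPN or prefer LDAPS/636 for the real device configuration.

```python
import socket

def ber_len(n):
    """Encode a BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    """Wrap payload as one BER tag/length/value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def bind_request(message_id, bind_dn, password):
    """Build LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.
    message_id must be below 128 so it fits a single INTEGER byte."""
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, bind_dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, tlv(0x02, bytes([message_id])) + bind)

def read_tlv(buf, pos):
    """Decode one BER element at pos (short or long length); return (tag, value, next_pos)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def bind_result_code(reply):
    """Return the resultCode ENUMERATED from an LDAPMessage carrying a BindResponse (tag 0x61)."""
    _, msg, _ = read_tlv(reply, 0)          # outer LDAPMessage SEQUENCE
    _, _, pos = read_tlv(msg, 0)            # skip messageID
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse, tag 0x%02x" % tag)
    _, code, _ = read_tlv(body, 0)          # first element of BindResponse is resultCode
    return code[0]

def check_ad_bind(host, bind_dn, password, port=389, timeout=5):
    """Distinguish a transport failure (what the device reports as 'Wrong IP or Port')
    from an LDAP-level answer. Returns a string for TCP failure, else the integer resultCode."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(bind_request(1, bind_dn, password))
            reply = s.recv(4096)            # a BindResponse is small; one read is enough here
    except OSError as e:
        return "tcp-unreachable: %s" % e
    return bind_result_code(reply)

if __name__ == "__main__":
    # Placeholder values: replace with the DC IP, Bind DN and password from the device configuration.
    print(check_ad_bind("DC_IP_PLACEHOLDER", "cn=svc-vpn,ou=Service,dc=example,dc=local", "PASSWORD_PLACEHOLDER"))
```

If the function returns "tcp-unreachable" while `ping` to the DC works, the problem is reachability of port 389 specifically (routing of the reply path, or a firewall rule), not the AD credentials.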

  • OWB (Member, Posts: 8)

    Hi Jerry,

    Apologies for my absence.

    Thanks a lot, setting the static route as suggested did the trick, it's now working. :-)

    BR O
