Two Factor Authentication with Active Directory User

On the Zywall 110 with the latest firmware I was able to successfully set up 2 SSLVPN with Active Directory authentication. However, I can't get 2 factor authentication to work by e-mail or mobile. Both fields (mail and mobile) are populated in the Active Directory; however, in the log I still get the following error:


info Authentication Server Can't get email from user: ADUSER

info Authentication Server Can't get mobile from user: ADUSER


Any ideas?


All Replies

  • Zyxel_Vic Zyxel Official Agent Posts: 145  mod

    Hi @Romeo

    I need your help to confirm some information:

    1. Will rebooting the device recover this issue, or will this symptom just exist all the time?
    2. What firmware version are you currently using?
    3. How many users (and average concurrent users) will use SSL VPN to make the connection?


  • Hello,

    We have the same problem.

    It manages to recover emails and therefore it works in L2TP / IPSEC, but from the same AD group, it does not work in SSL / VPN.

    Model: ATP500

    Firmware: V4.35 (ABFU.3) / 2020-02-26 16:56:26

    With the coronavirus, we had to put this in place. It would be good if this issue is resolved as quickly as possible. Thank you.

  • Romeo Member Posts: 7
    edited March 24, 2020 6:51AM

    Hi @Zyxel_Vic

    1. Rebooting does not help
    2. V4.35(AAAA.3)
    3. 15 total, 5-10 average concurrent users (not sure how this would relate to the issue?)

    Please note that our Active Directory is based on Windows Server 2019, and another member of Zyxel support staff mentioned that Windows Server 2019 is not supported yet and this won't be fixed before the end of this year?? If that is true, Zyxel can't be serious: first of all, Windows Server has been out for nearly 2 years, and secondly the relevant AD/LDAP fields (mail and mobile) have not changed? Can you shed some light on this?

  • conectia Member Posts: 4
    edited March 24, 2020 4:19PM

    For your information, our Active Directory is based on Windows Server 2008 R2 and we have exactly the same problem. We have 150 customers at Zyxel; I can test this configuration with one of our customers.

  • Romeo Member Posts: 7

    Thanks for your feedback, conectia. That means the support agent just made something up to close the ticket, even better. Zyxel, could you please get your act together and fix this ASAP?

  • Yes, because if you have time to create an L2TP / IPSEC VPN connection and you apply two factor authentication on the same group as that used by your SSL / VPN connection, it works. So the Zyxel is quite capable of reading the email field of the AD user. In addition, when you go to the user menu and you test an AD user of the group, you see all the LDAP fields returned, including that of the email.

  • Romeo Member Posts: 7

    Exactly, when I test the AD user I see all of the LDAP fields, including mail and mobile. Must be a bug in their SSL-VPN functionality.

  • Zyxel_Jerry Zyxel Official Agent Posts: 273  mod

    Hi @conectia @Romeo,

    Can you collect diagnostic info on the device when trying to access the tunnel and send it by private message so we can check further?

    Here are the steps to collect diagnostic info:

    USG series

    Go to Maintenance > Diagnostics > Diagnostics > Collect > click Collect Now

    It will take 5~10 minutes to collect.

    After the collection is done:

    Go to Maintenance > Diagnostics > Diagnostics > Files to download the files and private message them to us.

    ATP series

    Go to Maintenance > Diagnostics > Diagnostics > Collect > click Collect Now

    It will take 5~10 minutes to collect.

    After the collection is done:

    Go to Maintenance > Diagnostics > Diagnostics > Files to download the files and private message them to us.


  • Romeo Member Posts: 7

    I've sent you the debug file; however, I now have the issue that two factor authentication suddenly STOPPED WORKING entirely! Users can just log in WITHOUT any two factor authentication, even though it is enabled and correctly set up, and nothing has been changed in the configuration. The SMTP and SMS gateways both work fine. This is a serious security issue and I am slowly starting to regret using Zyxel.
