Two Factor Authentication with Active Directory User

Romeo
Romeo Posts: 7
Friend Collector First Comment
edited April 2021 in Security

On the Zywall 110 with the latest firmware I was able to successfully setup 2 SSLVPN with Active Directory authentication. However, I can't get 2 factor authentication to work by e-mail or mobile. Both fields (mail and mobile) are populated in the active directory, however in the log I still get the following error:


info Authentication Server Can't get email from user: ADUSER

info Authentication Server Can't get mobile from user: ADUSER


Any ideas?

«13

All Replies

  • Zyxel_Vic
    Zyxel_Vic Posts: 281  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @Romeo

    Some information need your help to confirm

    1. Will reboot the device recover this issue or this symptom will just exist all the time
    2. What firmware version are you currently using
    3. How many users (and average concurrent users) will use SSL VPN to make the connection


  • conectia
    conectia Posts: 6
    First Anniversary Friend Collector First Comment

    Hello,

    We have the same problem.

    He manages to recover emails and therefore it works in L2TP / IPSEC, but from the same AD group, it does not work in SSL / VPN.

    Model: ATP500

    Firmware: V4.35 (ABFU.3) / 2020-02-26 16:56:26

    With the coronavirus, we had to put this in place. It would be good if this issue is resolved as quickly as possible. Thank you.

  • Romeo
    Romeo Posts: 7
    Friend Collector First Comment
    edited March 2020

    Hi @Zyxel_Vic

    1. Rebooting does not help
    2. V4.35(AAAA.3)
    3. 15 total, 5-10 average concurrent users (not sure how this would relate to the issue?)

    Please note that our Active Directory is based on Windows Server 2019 and another member of Zyxel support staff mentioned that Windows Server 2019 is not supported yet and this won't be fixed before the end of this year?? If that is true Zyxel can't be serious, first of all Windows Server has been out since nearly 2 years and secondly the relevant AD/LDAP fields (mail and mobile) have not changed? Can you shed some light on this?

  • conectia
    conectia Posts: 6
    First Anniversary Friend Collector First Comment
    edited March 2020

    For your information, our Active Directory is based on Windows Server 2008 R2 and we have exactly the same problem. We have 150 customers at Zyxel, I can test this configuration with one of our customers.

  • Romeo
    Romeo Posts: 7
    Friend Collector First Comment

    Thanks for your feedback, conectia. That means the support agent just made something up to close the ticket, even better. Zyxel could you please get your act together and fix this asap?

  • conectia
    conectia Posts: 6
    First Anniversary Friend Collector First Comment

    Yes, because if you have time to create an L2TP / IPSEC VPN connection and you apply two factor authentication on the same group as that used by your SSL / VPN connection, it works. So the zyxel is quite capable of reading the email field of the AD user. In addition, when you go to the user menu and you test an AD user of the group, you see all the LDAP fields returned, and therefore that of the email included.

  • Romeo
    Romeo Posts: 7
    Friend Collector First Comment

    Exactly, when I test the AD user I see all of the LDAP fields, including mail and mobile. Must be a bug in their SSL-VPN functionality.

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,028  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @conectia @Romeo ,

    Can you collect diagnose info on the device when trying to access the tunnel and private message for check further?

    Here is the step to collect diagnose info

    USG series

    Go to Maintenance > Diagnostics > Diagnostics > Collect > click Collect Now

    It will take 5~10 minutes to collect

    After done the collection.

    Go to Maintenance > Diagnostics > Diagnostics > Files to download the files and private message to us.

    ATP series

    Go to Maintenance > Diagnostics > Diagnostics > Collect > click Collect Now

    It will take 5~10 minutes to collect

    After done the collection. 

    Go to Maintenance > Diagnostics > Diagnostics > Files to download the files and private message to us.


  • conectia
    conectia Posts: 6
    First Anniversary Friend Collector First Comment

    done

  • Romeo
    Romeo Posts: 7
    Friend Collector First Comment

    I've sent you the debug file, however I have now the issue that two factor authentication suddenly STOPPED WORKING entirely! Users can just login WITHOUT any two factor authentication, even though it is enabled and correctly setup, nothing has been changed in the configuration. The SMTP and SMS gateways both work fine. This is a serious security issue and I slowly start to regret using Zyxel.

Security Highlight