VPN with AD authentication

ultimoblaze (Member) - October 13, 2015 at 11:09 pm #44399
Hi,
I’m trying to set up Zeroshell OpenVPN using my local domain controller for user authentication, I just don’t understand how to do it. Can anybody walk me through the steps?
Thanks,
Ultimoblaze

gordonf (Member) - October 14, 2015 at 1:16 pm #53911
I’ve managed to make some third-party things authenticate against Active Directory using Lightweight Directory Access Protocol. For instance I got Openfire Chat to work, and I got some photocopiers to allow access based on AD accounts. Zeroshell isn’t as straightforward; my first attempt didn’t work well.
I think (though I don’t know) that you could use either LDAP or Kerberos Protocol, but not both. You would make the local LDAP or Kerberos server a proxy for your Active Directory domain, much like you could make ZS DNS use your domain controllers as DNS forwarders. Actually, making K5 or LDAP work right would first require making DNS forwarding work, at least for your AD domain.
ultimoblaze (Member) - October 22, 2015 at 11:43 pm #53912
I’ve gotten the DNS forwarding to work. That wasn’t as difficult to figure out. I’m a novice, though, at authentication protocols. I don’t understand how to get the cross authentication to work.
My configuration is as follows. The Zeroshell box has the K5 realm as ABC.com. Its hostname is zeroshell. The LDAP base is dc=ABC,dc=com. I don’t understand what each of these does, other than hostname. My AD domain is ABC.com and the AD controller is server1.ABC.com.
Given this information, how can I have the Zeroshell box accept OpenVPN connections authenticated against the AD accounts? Is there something I have to do on the AD controller side?
Thanks,
Ultimoblaze

ultimoblaze (Member) - January 15, 2016 at 1:34 am #53913
I found out I need to create a trust relationship on the AD side. I did this and entered the same password as on the Zeroshell machine. I still cannot get it to authenticate against the AD, though. Has anybody done this successfully?
Thanks,
Ultimoblaze

ultimoblaze (Member) - January 29, 2016 at 8:56 pm #53914
Here is some more information. First are my realm setup and cross authentication setup, then my VPN setup, and then the VPN log when trying to log in.
15:47:38 Re-using SSL/TLS context
15:47:38 LZO compression initialized
15:47:38 TCP connection established with 24.33.70.89:56504
15:47:38 TCPv4_SERVER link local: [undef]
15:47:38 TCPv4_SERVER link remote: 24.33.70.89:56504
15:47:40 24.33.70.89:56504 [administrator@SLI.COM] Trying Kerberos 5 (Trusted KDC) authentication
15:47:40 24.33.70.89:56504 [administrator@SLI.COM] Kerberos 5 authentication failed: host/zeroshell.sli.lan@SLI.LAN: Server not found in Kerberos database while getting credentials
15:47:40 24.33.70.89:56504 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 11
15:47:40 24.33.70.89:56504 TLS Auth Error: Auth Username/Password verification failed for peer

Does anybody have any suggestions?
Thanks,
Ultimoblaze
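Editor's note on the log above, with an added example that is not part of the thread and not Zeroshell or OpenVPN code. In MIT Kerberos the message "Server not found in Kerberos database" is KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: the KDC that was asked does not have the requested service principal (here host/zeroshell.sli.lan@SLI.LAN) in its database. The user principal administrator@SLI.COM is in one realm and the service principal is in SLI.LAN, so the request has to cross realms, which is exactly the trust the poster is trying to set up. The Python below parses OpenVPN server log lines of the shape shown in the post into structured attempts, maps the krb5 message to its symbolic error code and flags a realm mismatch between user and service principal. The sample log is constructed after the posted one (RFC 5737 documentation addresses instead of the real peer, plus an invented second attempt with a different error so both parse paths run); the message formats it matches are only those that appear in the post.

```python
"""Summarise Kerberos authentication failures from OpenVPN server log lines.

Added example, not Zeroshell/OpenVPN code. The log below is CONSTRUCTED
after the thread's log: documentation IPs, and a second, invented attempt
that fails with a different krb5 error.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_LOG = """\
15:47:38 TCP connection established with 203.0.113.7:56504
15:47:40 203.0.113.7:56504 [administrator@SLI.COM] Trying Kerberos 5 (Trusted KDC) authentication
15:47:40 203.0.113.7:56504 [administrator@SLI.COM] Kerberos 5 authentication failed: host/zeroshell.sli.lan@SLI.LAN: Server not found in Kerberos database while getting credentials
15:47:40 203.0.113.7:56504 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 11
15:47:40 203.0.113.7:56504 TLS Auth Error: Auth Username/Password verification failed for peer
15:48:02 203.0.113.9:50122 [jdoe@SLI.COM] Trying Kerberos 5 (Trusted KDC) authentication
15:48:02 203.0.113.9:50122 [jdoe@SLI.COM] Kerberos 5 authentication failed: Preauthentication failed while getting initial credentials
"""

# MIT krb5 error strings -> symbolic error code. Only the handful this
# example needs; anything else is reported as UNKNOWN rather than guessed.
KRB5_MESSAGES = {
    "Server not found in Kerberos database": "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    "Client not found in Kerberos database": "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    "Preauthentication failed": "KRB5KDC_ERR_PREAUTH_FAILED",
    "Clock skew too great": "KRB5KRB_AP_ERR_SKEW",
}

# "<hh:mm:ss> <peer> [<user>] Trying Kerberos 5 (<mode>) authentication"
ATTEMPT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) (?P<peer>\S+) \[(?P<user>[^\]]+)\] "
    r"Trying Kerberos 5 \((?P<mode>[^)]+)\) authentication$"
)
# "<hh:mm:ss> <peer> [<user>] Kerberos 5 authentication failed: <detail>"
FAIL_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) (?P<peer>\S+) \[(?P<user>[^\]]+)\] "
    r"Kerberos 5 authentication failed: (?P<detail>.+)$"
)
# detail is "<principal>: <message> while <stage>" or just "<message> while <stage>"
DETAIL_RE = re.compile(
    r"^(?:(?P<principal>[^@\s:]+@[^@\s:]+): )?(?P<msg>.+?)(?: while (?P<stage>.+))?$"
)


@dataclass
class KerberosAttempt:
    ts: str
    peer: str
    user: str
    mode: str
    outcome: str = "pending"            # pending | failed
    krb5_code: Optional[str] = None
    service_principal: Optional[str] = None
    stage: Optional[str] = None

    @property
    def user_realm(self) -> str:
        return self.user.rsplit("@", 1)[-1].upper()

    @property
    def service_realm(self) -> Optional[str]:
        if self.service_principal is None:
            return None
        return self.service_principal.rsplit("@", 1)[-1].upper()

    @property
    def cross_realm(self) -> bool:
        # Service principal in a different realm than the user's TGT: the KDC
        # path needs a cross-realm krbtgt/<service realm>@<user realm> entry.
        return self.service_realm is not None and self.service_realm != self.user_realm


def parse_openvpn_log(text: str) -> list[KerberosAttempt]:
    """Pair each 'Trying' line with its failure line by (peer, user)."""
    by_key: dict[tuple[str, str], KerberosAttempt] = {}
    ordered: list[KerberosAttempt] = []
    for line in text.splitlines():
        m = ATTEMPT_RE.match(line)
        if m:
            a = KerberosAttempt(m["ts"], m["peer"], m["user"], m["mode"])
            by_key[(m["peer"], m["user"])] = a
            ordered.append(a)
            continue
        m = FAIL_RE.match(line)
        if not m:
            continue
        a = by_key.get((m["peer"], m["user"]))
        if a is None:
            # Failure with no preceding "Trying" line: still record it.
            a = KerberosAttempt(m["ts"], m["peer"], m["user"], "unknown")
            by_key[(m["peer"], m["user"])] = a
            ordered.append(a)
        d = DETAIL_RE.match(m["detail"])
        a.outcome = "failed"
        a.service_principal = d["principal"]
        a.stage = d["stage"]
        a.krb5_code = KRB5_MESSAGES.get(d["msg"], "UNKNOWN")
    return ordered


if __name__ == "__main__":
    for a in parse_openvpn_log(SAMPLE_LOG):
        flag = " (cross-realm request)" if a.cross_realm else ""
        print(f"{a.ts} {a.user} via {a.mode}: {a.outcome} {a.krb5_code or ''} "
              f"{a.service_principal or ''}{flag}")
```

Run against the constructed sample, the first attempt reports KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for host/zeroshell.sli.lan@SLI.LAN with the cross-realm flag set, which is the situation in the post; the second reports KRB5KDC_ERR_PREAUTH_FAILED with no service principal, i.e. a plain wrong-password failure at the user's own KDC. Separating the two cases is the first thing to do before touching the trust, since only the first one is about the realm configuration.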