AD connection of users and groups regarding SSL-VPN

Last adaptation to the version: 12.6.0
Last updated: 12.2023
Note: This article refers to a Beta version.

Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
Menu: Authentication / AD/LDAP authentication / Area Extended

Introduction

Users and groups can be assigned to an SSL-VPN connection via an AD attribute: the name of the user's certificate on the UTM is stored in an attribute of the AD user object, and the UTM reads it from there at login.


User authentication via the UTM with Active Directory for SSL-VPN

Certificate configuration

(Screenshot: Edit User, no certificate selected for a user)

Under Authentication / Users, check that no certificate is selected for the respective users and groups:

  • In the Users area, the Edit button opens the dialog
  • Switch to the SSL-VPN area
  • For the parameter Client-certificate:, no certificate may be selected

If a certificate is selected under Client-certificate and it cannot be removed in the dialog, enter the following command in the CLI (replace "user" with the user name):
    user attribute set name "user" attribute "openvpn_certificate" value 0

(Screenshot: Edit Group, no certificate selected for the group)

  • In the Groups area, the Edit button opens the dialog
  • Switch to the SSL-VPN area
  • For the parameter Client-certificate:, no certificate may be selected

If a certificate is selected under Client-certificate and it cannot be removed in the dialog, enter the following command in the CLI (replace "group" with the group name):
    user group attribute set name "group" attribute "openvpn_certificate" value 0
(Screenshot: Authentication / Certificates, example certificate of the user Alice)

Note: One certificate is created for each user who should have access via the SSL-VPN connection.

Under Authentication / Certificates / Area Certificates, a certificate is created for a user using the Add certificate button.

Note: The chosen name of this certificate is required later as the value of the AD attribute; it must be entered there exactly as chosen here.


Attributes in Active Directory

AD advanced settings

The UTM is connected to the Active Directory. Instructions for this can be found in the Wiki article Active Directory Connection. An unused attribute in the Active Directory schema is required; the certificate name of the user is stored in it. The list of attributes can be found in Active Directory Users and Computers, but only after the menu item Advanced Features has been activated under View.

AD Attribute Editor

Open Properties for the desired user and switch to the Attribute Editor tab, which lists the attributes.
In this example the attributes extensionAttribute1 to extensionAttribute15 are available. Select one of them and store the name of the user's certificate as its value. Use the same attribute for all SSL-VPN users, because only one attribute name is configured on the UTM.

Note: New attributes can also be created. However, this is an intervention in the AD schema that cannot be undone afterwards and can impair the usability of the AD; prefer an existing unused attribute.


Enter attribute in the UTM

The name of the AD attribute that holds the certificate name must be entered in the UTM.
In the menu Authentication / AD/LDAP Authentication switch to the Extended dialog.

(Screenshot: AD/LDAP authentication, Wizard AD SSL-VPN attribute)

Caption                      Value                 Description
SSL-VPN-Attribute (IPv4):    extensionAttribute10  Optional. The IP address within the SSL-VPN tunnel. If the value is not set, an IP address is assigned automatically.
SSL-VPN-Attribute (IPv6):    extensionAttribute11  Optional. The IPv6 address within the SSL-VPN tunnel. If the value is not set, an IPv6 address is assigned automatically.
Cert-Attribute:              extensionAttribute12  The name of the AD attribute in which the certificate name is stored. Note: if this value is not set, an SSL-VPN connection is not possible!

Click the Save button to save the entries.
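As an added example that is not part of this article or of the Securepoint product, the following PowerShell (ActiveDirectory RSAT module) writes the values that the UTM reads from the attributes in the table above, and first checks that the chosen attribute is really unused in the domain, as the section "Attributes in Active Directory" requires. The attribute names extensionAttribute10/11/12, the user alice and the certificate name alice are assumptions taken from the examples in this article; the tunnel address 192.168.250.10 is a constructed value. Adjust all of them to your own setup.

```powershell
# Added example, not from the Securepoint wiki: populate the AD attributes the UTM
# reads for SSL-VPN. Requires the ActiveDirectory RSAT module and rights to modify
# the user objects. Attribute names follow the article; change them if you chose others.
Import-Module ActiveDirectory

$CertAttr = 'extensionAttribute12'   # Cert-Attribute (mandatory on the UTM)
$IPv4Attr = 'extensionAttribute10'   # SSL-VPN-Attribute (IPv4), optional
$IPv6Attr = 'extensionAttribute11'   # SSL-VPN-Attribute (IPv6), optional

# Confirm an attribute is unused before repurposing it: the UTM takes whatever is
# stored there as the certificate name, so stray values from another application
# would either break logins or point users at the wrong certificate.
function Test-AttributeUnused {
    param([Parameter(Mandatory)][string]$Attribute)
    $inUse = Get-ADUser -Filter "$Attribute -like '*'" -Properties $Attribute
    if ($inUse) {
        Write-Warning ("{0} is already populated for: {1}" -f $Attribute, ($inUse.SamAccountName -join ', '))
        return $false
    }
    return $true
}

# Write the certificate name (and optional tunnel addresses) for one user.
# The certificate name must match the name entered under Authentication / Certificates exactly.
function Set-UtmSslVpnAttributes {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$CertificateName,
        [string]$TunnelIPv4,
        [string]$TunnelIPv6
    )
    $values = @{ $CertAttr = $CertificateName }

    # Validate optional tunnel addresses so a typo does not end up as an unusable tunnel IP.
    foreach ($pair in @(@($IPv4Attr, $TunnelIPv4, 'InterNetwork'), @($IPv6Attr, $TunnelIPv6, 'InterNetworkV6'))) {
        $attr, $addr, $family = $pair
        if (-not $addr) { continue }
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($addr, [ref]$parsed) -or $parsed.AddressFamily -ne $family) {
            throw "$addr is not a valid $family address for $attr"
        }
        $values[$attr] = $addr
    }

    # -Replace overwrites any existing value; use Set-ADUser -Clear $CertAttr to revoke access again.
    Set-ADUser -Identity $SamAccountName -Replace $values

    # Read back exactly what the UTM will see at the next login.
    Get-ADUser -Identity $SamAccountName -Properties @($CertAttr, $IPv4Attr, $IPv6Attr) |
        Select-Object SamAccountName, $CertAttr, $IPv4Attr, $IPv6Attr
}

# Usage (assumed names): warn if extensionAttribute12 is already in use, then assign
# the certificate "alice" and a fixed tunnel IPv4 address to the user alice.
Test-AttributeUnused -Attribute $CertAttr | Out-Null
Set-UtmSslVpnAttributes -SamAccountName 'alice' -CertificateName 'alice' -TunnelIPv4 '192.168.250.10'
```

Run Test-AttributeUnused once per attribute before the rollout; afterwards the read-back at the end of Set-UtmSslVpnAttributes is the quickest way to see why a user cannot connect, because an empty or misspelled Cert-Attribute value makes the SSL-VPN login fail, as the table above states.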