This article refers to a version that is no longer current!
The article for the latest version is here.
A newer version of this article already exists, but it refers to a reseller preview.
AD connection of users and groups regarding SSL-VPN
Last update: 12.2023
New: This article refers to a reseller preview.


Introduction

Users and groups can be connected to an SSL-VPN connection via AD attribute.


User authentication via the UTM with Active Directory for SSL-VPN

Certificate configuration

Under → Authentication → Users, the certificates selected for the respective users and groups are checked.

No certificate selected for a user
  • In the Users tab, the Edit button opens the dialog
  • Switch to the SSL-VPN tab
  • No certificate may be selected for the parameter Client-certificate:

If a certificate is selected under Client-certificate and it cannot be removed, enter the following command in the CLI:
  user attribute set name "user" attribute "openvpn_certificate" value 0

No certificate selected for a group
  • In the Groups tab, the Edit button opens the dialog
  • Switch to the SSL-VPN tab
  • No certificate may be selected for the parameter Client-certificate:

If a certificate is selected under Client-certificate and it cannot be removed, enter the following command in the CLI:
  user group attribute set name "group" attribute "openvpn_certificate" value 0

Example: certificate of the user Alice

For each user who should have access via the SSL-VPN connection, one certificate is created.

Via → Authentication → Certificates, tab Certificates, a certificate is created for a user using the Add certificate button.

The name chosen for this certificate is the value that must later be stored in the AD attribute.


Attributes in Active Directory

The UTM is connected to the Active Directory. Instructions for this can be found in the Wiki article Active Directory Connection. An unused attribute in the Active Directory schema is required; the certificate name of the user is stored in it.

AD advanced settings

A list of attributes can be found in the Active Directory under Active Directory Users and Computers.
To see it, the menu item Advanced Features under View must be enabled.

AD Attribute Editor

Open "Properties" for the desired user and switch to the Attribute Editor tab. This tab lists the attributes.
In this example the attributes extensionAttribute1 to extensionAttribute15 are available. Select one of these attributes and store the certificate name in it for the user.

New attributes can also be created. However, this is a change to the AD schema and results in the AD no longer being usable.


Enter attribute in the UTM

The name of the AD attribute that holds the certificate name must be entered into the UTM.
In the menu → Authentication → AD/LDAP Authentication, switch to the Extended dialog.

AD SSL-VPN attribute (screenshot: UTM v12.5.1, AD/LDAP Extended, SSL-VPN attribute)

Caption: SSL-VPN-Attribute (IPv4):
Value: extensionAttribute10 (optional)
Description: The IP address within the SSL-VPN tunnel. If the value is not set, an IP address is assigned.

Caption: SSL-VPN-Attribute (IPv6):
Value: extensionAttribute11 (optional)
Description: The IPv6 address within the SSL-VPN tunnel. If the value is not set, an IPv6 address is assigned.

Caption: Cert-Attribute:
Value: extensionAttribute12
Description: The name of the AD attribute that holds the certificate name. If this value is not set, an SSL-VPN connection is not possible!

Click the Save button to save the entries.
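The AD side of the procedure above (writing the chosen attribute for a user in the Attribute Editor step, then checking what the UTM will read for the three attributes in the table) as an added PowerShell example. It is not part of the wiki page and not Securepoint's tooling. It assumes the RSAT ActiveDirectory module (Set-ADUser, Get-ADUser) and the attribute assignment from the table: extensionAttribute12 for the certificate name, extensionAttribute10/11 for the optional tunnel addresses. The function names and the sample accounts are constructed.

```powershell
# Added example, not from the Securepoint wiki. Assumes the RSAT ActiveDirectory
# module and the attribute choice made on this page: extensionAttribute12 holds the
# certificate name, extensionAttribute10/11 the optional tunnel IPv4/IPv6 address.
$CertAttr = 'extensionAttribute12'
$Ipv4Attr = 'extensionAttribute10'
$Ipv6Attr = 'extensionAttribute11'

function Set-SslVpnUserAttributes {
    # Write the values the UTM reads; -Replace overwrites an existing value.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$CertificateName,   # name chosen under Authentication -> Certificates
        [string]$TunnelIPv4,
        [string]$TunnelIPv6
    )
    $values = @{ $CertAttr = $CertificateName }
    if ($TunnelIPv4) { $values[$Ipv4Attr] = $TunnelIPv4 }
    if ($TunnelIPv6) { $values[$Ipv6Attr] = $TunnelIPv6 }
    Set-ADUser -Identity $SamAccountName -Replace $values
}

function Test-IpAttribute {
    # $true when the value is empty (attribute is optional) or parses as an address
    # of the expected family; anything else would be an unusable tunnel address.
    param([string]$Value, [System.Net.Sockets.AddressFamily]$Family)
    if ([string]::IsNullOrWhiteSpace($Value)) { return $true }
    $ip = $null
    return ([System.Net.IPAddress]::TryParse($Value, [ref]$ip) -and $ip.AddressFamily -eq $Family)
}

function Test-SslVpnAttributes {
    # Audit user objects (from Get-ADUser or constructed) and return one finding per
    # problem: empty Cert-Attribute (no SSL-VPN connection possible, see the table),
    # an unparsable tunnel address, or a certificate name shared by several accounts.
    param([Parameter(Mandatory)][object[]]$Users)
    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($u in $Users) {
        $name = $u.SamAccountName
        if ([string]::IsNullOrWhiteSpace($u.$CertAttr)) {
            $findings.Add("${name}: $CertAttr is empty, SSL-VPN connection not possible")
        }
        if (-not (Test-IpAttribute $u.$Ipv4Attr ([System.Net.Sockets.AddressFamily]::InterNetwork))) {
            $findings.Add("${name}: $Ipv4Attr '$($u.$Ipv4Attr)' is not a valid IPv4 address")
        }
        if (-not (Test-IpAttribute $u.$Ipv6Attr ([System.Net.Sockets.AddressFamily]::InterNetworkV6))) {
            $findings.Add("${name}: $Ipv6Attr '$($u.$Ipv6Attr)' is not a valid IPv6 address")
        }
    }
    # One certificate per user: the same certificate name on two accounts means the
    # accounts cannot be told apart on the VPN.
    $Users | Where-Object { -not [string]::IsNullOrWhiteSpace($_.$CertAttr) } |
        Group-Object -Property $CertAttr | Where-Object { $_.Count -gt 1 } | ForEach-Object {
            $findings.Add("certificate name '$($_.Name)' is set on several accounts: $($_.Group.SamAccountName -join ', ')")
        }
    return $findings
}

function Get-SslVpnAttributeReport {
    # Live audit against the directory (needs the ActiveDirectory module and read access).
    Get-ADUser -Filter * -Properties $CertAttr, $Ipv4Attr, $Ipv6Attr |
        Select-Object SamAccountName, $CertAttr, $Ipv4Attr, $Ipv6Attr |
        Test-SslVpnAttributes -Users { $_ }
}

# Constructed sample records (not real directory data) so the audit can be run offline.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; extensionAttribute12 = 'alice'; extensionAttribute10 = '10.8.0.10';  extensionAttribute11 = $null }
    [pscustomobject]@{ SamAccountName = 'bob';   extensionAttribute12 = 'alice'; extensionAttribute10 = $null;        extensionAttribute11 = 'fd00::10' }
    [pscustomobject]@{ SamAccountName = 'carol'; extensionAttribute12 = $null;   extensionAttribute10 = '10.8.0.300'; extensionAttribute11 = $null }
)
Test-SslVpnAttributes -Users $sample
```

On the constructed sample the audit reports carol's empty Cert-Attribute, carol's unparsable IPv4 value, and the certificate name 'alice' being set on both alice and bob. Against a real directory, collect the objects with `Get-ADUser -Filter * -Properties $CertAttr, $Ipv4Attr, $Ipv6Attr` and pass them to `Test-SslVpnAttributes -Users`; run it before saving the attribute names in the UTM, because a user whose Cert-Attribute is empty cannot connect at all.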