VPN with AD authentication


This topic contains 3 replies, has 0 voices, and was last updated by ultimoblaze 3 years, 4 months ago.

    #44399

    ultimoblaze
    Member

    Hi,

    I’m trying to set up Zeroshell OpenVPN using my local domain controller for user authentication; I just don’t understand how to do it. Can anybody walk me through the steps?

    Thanks,
    Ultimoblaze

    #53911

    gordonf
    Member

    I’ve managed to make some third-party things authenticate against Active Directory using Lightweight Directory Access Protocol. For instance I got Openfire Chat to work, and I got some photocopiers to allow access based on AD accounts. Zeroshell isn’t as straightforward; my first attempt didn’t work well.

    I think (though I don’t know) that you could use either LDAP or Kerberos Protocol, but not both. You would make the local LDAP or Kerberos server a proxy for your Active Directory domain, much like you could make ZS DNS use your domain controllers as DNS forwarders. Actually, making K5 or LDAP work right would first require making DNS forwarding work, at least for your AD domain.

    #53912

    ultimoblaze
    Member

    I’ve gotten the DNS forwarding to work. That wasn’t as difficult to figure out. I’m a novice though at authentication protocols. I don’t understand how to get the cross authentication to work.

    My configuration is as follows. The Zeroshell box has the K5 realm as ABC.com. Its hostname is zeroshell. The LDAP base is dc=ABC,dc=com. I don’t understand what each of these does, other than hostname. My AD domain is ABC.com and the AD controller is server1.ABC.com.

    Given this information, how can I have the zeroshell box accept OpenVPN connections authenticated against the AD accounts? Is there something I have to do on the AD controller side?

    Thanks,
    Ultimoblaze

    #53913

    ultimoblaze
    Member

    I found out I need to create a trust relationship on the AD side. I did this and entered the same password as on the Zeroshell machine. I still cannot get it to authenticate against the AD though. Has anybody done this successfully?

    Thanks,
    Ultimoblaze

    #53914

    ultimoblaze
    Member

    Here is some more information. First are my realm setup and cross authentication setup. Then my VPN setup, and then the VPN log when trying to log in.

    15:47:38 Re-using SSL/TLS context
    15:47:38 LZO compression initialized
    15:47:38 TCP connection established with 24.33.70.89:56504
    15:47:38 TCPv4_SERVER link local: [undef]
    15:47:38 TCPv4_SERVER link remote: 24.33.70.89:56504
    15:47:40 24.33.70.89:56504 [administrator@SLI.COM] Trying Kerberos 5 (Trusted KDC) authentication
    15:47:40 24.33.70.89:56504 [administrator@SLI.COM] Kerberos 5 authentication failed: host/zeroshell.sli.lan@SLI.LAN: Server not found in Kerberos database while getting credentials
    15:47:40 24.33.70.89:56504 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 11
    15:47:40 24.33.70.89:56504 TLS Auth Error: Auth Username/Password verification failed for peer

    Does anybody have any suggestions?

    Thanks,
    Ultimoblaze
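As an added diagnostic aid (example code written for this thread, not part of Zeroshell or OpenVPN), the small parser below pulls the Kerberos failure out of OpenVPN server log lines like the ones above and flags when the user's realm differs from the realm of the service principal being requested, which is exactly the case where the cross-realm trust between the two KDCs comes into play. The sample lines are copied from the post; the hint table is general Kerberos semantics, not Zeroshell-specific advice.

```python
import re

# Constructed sample: the OpenVPN server lines quoted in the post above.
SAMPLE_LOG = """\
15:47:38 TCP connection established with 24.33.70.89:56504
15:47:40 24.33.70.89:56504 [administrator@SLI.COM] Trying Kerberos 5 (Trusted KDC) authentication
15:47:40 24.33.70.89:56504 [administrator@SLI.COM] Kerberos 5 authentication failed: host/zeroshell.sli.lan@SLI.LAN: Server not found in Kerberos database while getting credentials
15:47:40 24.33.70.89:56504 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 11
15:47:40 24.33.70.89:56504 TLS Auth Error: Auth Username/Password verification failed for peer
"""

# One Kerberos failure line: time, peer, user@REALM, service@REALM, KDC error text.
FAIL_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<peer>\S+) "
    r"\[(?P<user>[^@\]]+)@(?P<user_realm>[^\]]+)\] Kerberos 5 authentication failed: "
    r"(?P<service>[^@\s]+)@(?P<service_realm>[^:\s]+): (?P<reason>.+)$"
)

# KDC error text -> what to check first (general Kerberos semantics).
HINTS = [
    ("Server not found in Kerberos database",
     "the KDC that was asked has no entry for the service principal"),
    ("Client not found in Kerberos database",
     "the user principal does not exist in the realm it was sent to"),
    ("Preauthentication failed",
     "wrong password, or clock skew between client and KDC"),
]

def parse_failures(log_text):
    """Return one dict per 'Kerberos 5 authentication failed' line; other lines are ignored."""
    found = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # A user from one realm asking for a service in another needs the cross-realm
        # trust (krbtgt/SERVICE_REALM@USER_REALM) on the user's KDC as well as the
        # service principal itself on the service realm's KDC.
        rec["cross_realm"] = rec["user_realm"] != rec["service_realm"]
        rec["hint"] = next((h for key, h in HINTS if key in rec["reason"]), "unclassified KDC error")
        found.append(rec)
    return found

def triage(rec):
    """One-line summary naming both realms when the request crossed a realm boundary."""
    if rec["cross_realm"]:
        scope = "cross-realm %s -> %s: check the trust on %s and the principal on %s" % (
            rec["user_realm"], rec["service_realm"], rec["user_realm"], rec["service_realm"])
    else:
        scope = "same realm %s" % rec["user_realm"]
    return "%s %s %s@%s -> %s@%s: %s (%s)" % (
        rec["time"], rec["peer"], rec["user"], rec["user_realm"],
        rec["service"], rec["service_realm"], rec["hint"], scope)
```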
