DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Active Directory setup
- basmistry
- Topic Author
19 Sep 2013 08:18 #77721
by basmistry
Active Directory setup was created by basmistry
I'm trying to set up AD integration with a 2830 router - unsuccessfully so far.
The FAQ docs have very limited info.
This is a new install with simple AD - just 1 user plus administrator,
no groups so far...
What do I put in for AD settings - I'm a bit new to AD?
Appreciate any help / pointers - step by step would be great!
- iamq-yesiam
25 Sep 2013 18:31 #77781
by iamq-yesiam
Replied by iamq-yesiam on topic Re: Active Directory setup
Have a look for LDAP Explorer on Google and check you can view your AD schema/users from a PC.
Most AD problems I've seen are to do with anonymous binding by the device to the AD server: it can't read out the user details, or gets an error which it can't display.
I've not done any integration with a DrayTek & an AD system as yet... Sorry
- mxw
02 Nov 2013 13:17 #78108
by mxw
Replied by mxw on topic Re: Active Directory setup
Hi,
This is for the benefit of those who are unaware of how this works; I will explain roughly how it was described to me. Please do not mistake this for fact, it's just an outline and should be treated as such. My intention is to get people working and then allow them to tweak and tighten security as they go along and learn more.
I will only explain the AD aspect for now in relation to VPN.
So firstly some prep work is needed on your AD. For the sake of ease, locate the default administrator account on your domain and copy this account; I named mine draytek. Once created, we then want to find out its DN (distinguished name). This can be found by opening cmd and doing the below:
dsquery user -name draytek*
This outputs: "CN=Draytek,OU=Administrators,OU=Home,DC=mydomain,DC=local"
Make a note of this and the password you set for the user; we will use it later. The next step is to create a security group called SSL_VPN and create a test user. In this case I called mine tester and gave it the password of testing. Then I made this user a member of the SSL_VPN group.
Now I want to explain how authentication actually works. So for argument's sake, let's say you've set up your VPN and now you're at the login page. You enter the username/password for the test account you created and select the SSL group. What happens is the router uses the draytek admin account to query the directory for the user. Once found, the draytek account will be used to attempt a password reset and it will give over the password you entered. If the AD responds with set new password, the router knows the password was correct and authenticates you. If the AD returns a rejection, the router knows the password you gave was wrong. So in essence the reason you're using an admin account is because of how 3rd parties tend to authenticate username/password with AD. Simple and slightly odd but effective for the purpose.
Next download LDAP Explorer 2.
Configurations > New > enter the details and test the connection. If successful you're good to go; if not, check all the details.
Now let's set up the DrayTek:
Applications > Active Directory /LDAP > General
Enable
Enter the IP address that is assigned to your AD
Bind type: Regular
Enter the Regular DN we obtained earlier and the password.
Click OK
Profiles >
Name: standard
Common Name Identifier: CN
Base Distinguished Name: CN=SSL_VPN,OU=Security Groups,OU=Home,DC=mydomain,DC=local
*NOTE* Click the magnifying glass and this will use the draytek user to browse your AD. Find and select the security group we created earlier called SSL_VPN, and do the same for the next one, but this time selecting the OU which the security group sits in.
Group Distinguished Name: OU=Security Groups,OU=Home,DC=mydomain,DC=local
Now it is just a case of following the setup guide for SSL VPN. If anyone has found this useful I will write up the next bit.
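The post above describes the pieces the router profile relies on: a service-account bind with the DN found via dsquery, a lookup of the user's CN under a base DN, the SSL_VPN group, and a yes/no answer on the password. The following is an added example, not code from the forum post or from DrayTek, that models that chain against a small constructed in-memory directory so it runs offline. It assumes the common LDAP pattern of "bind as the service account, search for the user, check group membership, then verify the password with a bind as that user"; whether the router internally does exactly that is not something this example claims. The DNs, the base DN (taken here as the OU containing the users rather than the group's own CN) and the passwords are constructed sample values. Two details a practitioner usually wants to check are shown: DN comparison that honours escaped commas and case-insensitive attribute values, and RFC 4515 escaping of the username before it goes into a search filter, so a login name like tester* cannot widen the search.

```python
# Added example (not from the forum post or DrayTek): service-account bind,
# search under the base DN, group-membership check, then a user bind to verify
# the password, all against a constructed in-memory directory.
import hmac

# Constructed sample directory keyed by DN; the DNs mirror the post's examples.
DIRECTORY = {
    "CN=Draytek,OU=Administrators,OU=Home,DC=mydomain,DC=local": {
        "userPassword": "service-secret", "memberOf": []},
    "CN=tester,OU=Users,OU=Home,DC=mydomain,DC=local": {
        "userPassword": "testing",
        "memberOf": ["CN=SSL_VPN,OU=Security Groups,OU=Home,DC=mydomain,DC=local"]},
    "CN=outsider,OU=Users,OU=Home,DC=mydomain,DC=local": {
        "userPassword": "outside", "memberOf": []},
}
SERVICE_DN = "CN=Draytek,OU=Administrators,OU=Home,DC=mydomain,DC=local"
BASE_DN = "OU=Home,DC=mydomain,DC=local"          # assumed search base (users live below it)
GROUP_DN = "CN=SSL_VPN,OU=Security Groups,OU=Home,DC=mydomain,DC=local"


def parse_dn(dn):
    """Split an RFC 4514 DN into (ATTR, value) pairs; a backslash escapes the next char,
    so 'CN=Smith\\, John' stays one RDN. Attributes are upper-cased and values
    lower-cased because AD compares both case-insensitively."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        out.append((attr.strip().upper(), value.strip().lower()))
    return out


def dn_is_under(dn, base_dn):
    """True when dn is base_dn itself or lies somewhere below it in the tree."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


# RFC 4515: these characters are special inside a search filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def search_filter(cn_attr, username, group_dn=None):
    """The filter a client would send to a real server for this login attempt."""
    f = f"({cn_attr}={escape_filter_value(username)})"
    if group_dn:
        f = f"(&{f}(memberOf={escape_filter_value(group_dn)}))"
    return f


def simple_bind(dn, password):
    """Stand-in for an LDAP simple bind: True only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(
        entry["userPassword"].encode(), password.encode())


def find_user(cn_attr, username, base_dn):
    """Exact, case-insensitive match of the user's RDN under base_dn (what a server
    would do with the escaped filter above); returns the user's DN or None."""
    wanted = (cn_attr.upper(), username.lower())
    for dn in DIRECTORY:
        if parse_dn(dn)[0] == wanted and dn_is_under(dn, base_dn):
            return dn
    return None


def authenticate(username, password, service_password):
    """Full chain: service bind -> search -> group check -> user bind. Returns (ok, detail)."""
    if not simple_bind(SERVICE_DN, service_password):
        return (False, "service bind failed")
    user_dn = find_user("CN", username, BASE_DN)
    if user_dn is None:
        return (False, "user not found under base DN")
    groups = [g.lower() for g in DIRECTORY[user_dn]["memberOf"]]
    if GROUP_DN.lower() not in groups:
        return (False, "not a member of SSL_VPN")
    if not simple_bind(user_dn, password):
        return (False, "wrong password")
    return (True, user_dn)


if __name__ == "__main__":
    print(search_filter("CN", "tester*", GROUP_DN))
    for user, pw in (("tester", "testing"), ("tester", "nope"), ("outsider", "outside")):
        print(user, authenticate(user, pw, "service-secret"))
```

The order of the checks is the point: the service account's password is only ever used for the service bind, the user's password is only ever used for the bind as that user, and a wrong password, a missing user and a user outside SSL_VPN are each reported as a distinct, logged reason without revealing which one to the person at the login page.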
- helms
01 Feb 2014 13:53 #78917
by helms
Replied by helms on topic Re: Active Directory setup
Hi, great set of instructions, but what if your server has a CA certificate?
When I use the LDAP browser, before it shows me AD it asks if I accept the certificate or not.
But on the router setup there is no option to do this.
I have installed the cert on the router as a trusted CA cert, but LDAP still fails with this error:
AD/LDAP Server "ServerIP":636
Query failed: [Bind Ldap Server] send bind request error.
Query List Tree Menu
Steve
Copyright © 2024 DrayTek