8 Replies Latest reply on Mar 7, 2013 5:47 PM by grinder

    VPN With Active Directory???


      I am trying to set up a VPN connection to work with Active Directory.  I have a DOMAIN authenticator set up, an active passport using that authenticator, and I have the ISAKMP server set up to use the DOMAIN authenticator.  I have the VPN definition set to use XAUTH + Single Certificate.  I am using ShrewSoft as the VPN client.  I see the request at the domain controller but it fails.  I think it is because of the domain name being passed.  It shows the domain as SMBlib_dom instead of the real domain name.  Has anyone got this to work or know what I might be doing wrong?  I know the account name and password are good.



        • 1. Re: VPN With Active Directory???

          Do not set an authenticator on the ISAKMP rule.  You need to set XAUTH to use the DOMAIN authenticator under the VPN Configuration -> ISAKMP Server section (version 8).

          • 2. Re: VPN With Active Directory???

            I do not have any Authenticator configured for the Policy Rule on the ISAKMP server.  I DO have the DOMAIN authenticator selected on the ISAKMP Server setup page.

            • 3. Re: VPN With Active Directory???

              What is the domain configured on the PC you are testing this from?


              From the firewall's perspective it is trying the authentication and it's failing.  There is not much from the firewall's side that you can do to troubleshoot why the authentication is failing (the audit will not tell you why).  Tcpdumps might show something, but you'll need to troubleshoot this on the AD server also.

              • 4. Re: VPN With Active Directory???

                The PC I am testing this from is a member of the domain I am trying to authenticate against.  I believe it has to do with the domain name being passed, because the security logs on the domain controller do not show the correct domain name.  See my first post.  What is the process to get tcpdumps on the firewall?


                Message was edited by: grinder on 3/6/13 10:30:21 AM CST

                • 5. Re: VPN With Active Directory???

                  The firewall passes the domain the PC sends to it.


                  Here is a good tcpdump primer:  http://danielmiessler.com/study/tcpdump/


                  $> tcpdump -npi interface_name -s0 -w file.cap

                  - Transfer the file off the firewall and open it in Wireshark


                  Or you can use the tcpdump section in the GUI under Tools (in the menu bar of the GUI).

                  • 6. Re: VPN With Active Directory???

                    So after running tcpdumps and looking at them in Wireshark, it appears it is the firewall sending this domain name along with the user name and password (in clear text at that).  The domain name that is passed looks like this:


                    <USERNAME>.SMBlib_dom.UNIX of some type.SMBlib


                    I have no idea why.  Surely that would be coming from the VPN client?  I am using ShrewSoft.


                    Here is the raw output.  Sensitive info removed, indicated by data in brackets <>; red text is the reply from the DC.




                    5....PC NETWORK PROGRAM 1.0..MICROSOFT NETWORKS 1.03..MICROSOFT NETWORKS 3.0..LANMAN1.0..LM1.2X002..LANMAN2.1..NT LM 0.12..NT LANMAN 1.0....u.SMBr.....................


                    5....2....A..............f..H.......0.......^.<DOMAIN NAME AND DC NAME BOTH CORRECT>........SMBs.....................



                    ..........................K<PASSWORD><USER NAME>.SMBlib_dom.UNIX of some type.SMBlib LM2.1 minus a bit....#.SMBs.....................




                    Message was edited by: grinder on 3/6/13 4:30:00 PM CST
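
                    The two requests visible in the capture above (the Negotiate with its dialect list, and the LANMAN2.1-style Session Setup AndX carrying password, account name, domain, native OS and native LAN Manager strings) decoded in Python, as an added example that is not code from this thread or from the firewall vendor. It builds constructed sample messages in the same shape, so it runs offline, and reports the domain string being sent and whether the password field is cleartext rather than a 24-byte LM/NTLM response, which is the check to repeat after changing the authenticator type. Field offsets follow the SMB1 (CIFS) wire format; the cleartext test is a heuristic, and "jdoe", "S3cret!" and the other sample values are constructed.

```python
import struct

SMB_MAGIC = b"\xffSMB"            # added example, not the thread's code; samples constructed
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73

def smb1_header(command):
    # 32-byte SMB1 header: magic, command, status, flags, flags2, then
    # pid_hi/security/reserved/tid/pid/uid/mid, all zeroed for the sample
    return SMB_MAGIC + struct.pack("<BIBH", command, 0, 0, 0) + b"\x00" * 20

def build_negotiate(dialects):
    # each offered dialect is 0x02 followed by a NUL-terminated name
    data = b"".join(b"\x02" + d.encode("latin-1") + b"\x00" for d in dialects)
    return smb1_header(SMB_COM_NEGOTIATE) + b"\x00" + struct.pack("<H", len(data)) + data

def build_lanman21_session_setup(password, account, domain, native_os, native_lm):
    # LANMAN2.1-style Session Setup AndX (WordCount 10): the password travels in
    # the data block as plain bytes, followed by four NUL-terminated strings
    pw = password.encode("latin-1") + b"\x00"
    params = struct.pack("<BBHHHHIH4s", 0xFF, 0, 0, 4356, 1, 0, 0, len(pw), b"\x00" * 4)
    data = pw + b"".join(s.encode("latin-1") + b"\x00" for s in (account, domain, native_os, native_lm))
    return smb1_header(SMB_COM_SESSION_SETUP_ANDX) + b"\x0a" + params + struct.pack("<H", len(data)) + data

def parse_smb1(payload):
    """Decode a Negotiate or a LANMAN2.1 / NT LM 0.12 Session Setup AndX request."""
    if payload[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    cmd, wc = payload[4], payload[32]
    params = payload[33:33 + 2 * wc]
    bc = struct.unpack_from("<H", payload, 33 + 2 * wc)[0]
    data = payload[35 + 2 * wc:35 + 2 * wc + bc]
    if cmd == SMB_COM_NEGOTIATE:
        return {"command": "negotiate",
                "dialects": [d[1:].decode("latin-1") for d in data.split(b"\x00") if d]}
    if cmd == SMB_COM_SESSION_SETUP_ANDX and wc in (10, 13):
        # password length sits at parameter offset 14; NT LM 0.12 (WordCount 13) adds a Unicode length at 16
        pw_len = struct.unpack_from("<H", params, 14)[0]
        if wc == 13:
            pw_len += struct.unpack_from("<H", params, 16)[0]
        pw, rest = data[:pw_len], data[pw_len:]
        account, domain, native_os, native_lm = (s.decode("latin-1") for s in rest.split(b"\x00")[:4])
        # heuristic: a 24-byte blob is an LM/NTLM response; printable bytes of other lengths are the password itself
        visible = pw.rstrip(b"\x00")
        cleartext = len(pw) != 24 and all(32 <= b < 127 for b in visible)
        return {"command": "session_setup", "account": account, "domain": domain,
                "native_os": native_os, "native_lanman": native_lm,
                "cleartext_password": visible.decode("latin-1") if cleartext else None}
    raise ValueError("unsupported SMB1 command 0x%02x" % cmd)
```

Feed the SMB payload bytes extracted from the Wireshark capture to parse_smb1 and check that "domain" is the real domain and "cleartext_password" is None once the Active Directory authenticator is in place.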

                    • 7. Re: VPN With Active Directory???

                      I wonder too if it matters that our domain controllers operate at the Server 2008 R2 functional level???

                      • 8. Re: VPN With Active Directory???

                        So I seem to have found the solution, although I am not sure why.  I originally had an authenticator set up as type Windows Domain.  I could tell from the tcpdump that it was contacting the correct domain controllers, but for whatever reason the domain name was not right.  So I deleted that authenticator and built a new one of type Active Directory and gave it the IPs of the domain controllers.  That seems to work fine.  I am not sure why one does and one doesn't.