SoftEtherVPN: AD Support... Possible ?!?

boubou
Posts: 9
Joined: Tue Dec 08, 2015 2:57 pm

SoftEtherVPN: AD Support... Possible ?!?

Post by boubou » Tue Dec 08, 2015 3:31 pm

Hi,
Is it possible to link SoftEtherVPN with my AD ?

I would like that only the users in the groups "VPN SSTP" in our AD can use SoftEther.
Is it possible to get it work ?

Thank you very much in advance.

PaulC
Posts: 26
Joined: Mon Nov 02, 2015 12:18 am

Re: SoftEtherVPN: AD Support... Possible ?!?

Post by PaulC » Fri Dec 11, 2015 12:23 am

Hi,
Not really straight from the client. I do something similar though.

I have 3 AD VPN Groups. Each has a number of users in it. I have 3 corresponding VPN Hubs. There is no way to get SoftEther to recognise an AD Group, so you have to create the users locally within the hub.

I create usernames on the VPN Hub that are the same as my AD usernames and I have them use RADIUS as the authentication method. In this case, the RADIUS server is an AD Domain Controller (using Network Policy Server).

Then, in the network policy server configuration (NPS -> Policies -> Network Policies), I allow each of the Global Groups (1 policy per group) to be "granted access" when the members of those groups attempt to authenticate.

Anyone else trying is rejected.

So in your case, you'd create local users in your hub for all of the members of "VPN SSTP" in the VPN Hub in SoftEther. Then, you'd go onto a Domain Controller and access the Network Policy Server (from Admin tools). Navigate to NPS -> Policies -> Network Policies.
Create a new policy to "allow access" and make sure the policy is ticked enabled.

In the conditions, select the "VPN SSTP" as the user group with the relevant authentication types and tunnel types, etc selected. Save the policy.

That should do the job.

Rgds

paul
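
The hub-side half of the setup described in the post above, as an added example that is not part of the original thread or of SoftEther itself: it compares the AD group's member list with the hub's user list and emits a vpncmd batch that creates missing users with RADIUS authentication and removes stale ones. The hub name `VPN`, the `breakglass` account and all sample names are constructed assumptions; in practice the member list would come from an AD export.

```python
import re

# Conservative sAMAccountName-style pattern. Names that do not match are
# skipped so a crafted name cannot add extra arguments to a vpncmd line.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def plan_sync(ad_members, hub_users, keep=()):
    """Return (to_create, to_delete, skipped).

    Names are compared case-insensitively, as AD logon names are.
    `keep` lists hub-only accounts (e.g. a local admin) never to delete.
    """
    wanted, skipped = {}, []
    for name in ad_members:
        if SAFE_NAME.match(name):
            wanted[name.lower()] = name
        else:
            skipped.append(name)
    existing = {u.lower(): u for u in hub_users}
    protected = {k.lower() for k in keep}
    to_create = sorted(wanted[k] for k in wanted.keys() - existing.keys())
    to_delete = sorted(
        existing[k] for k in existing.keys() - wanted.keys() - protected
    )
    return to_create, to_delete, skipped


def vpncmd_batch(hub, to_create, to_delete):
    """Build vpncmd lines: select the hub, add RADIUS users, drop stale ones."""
    lines = [f"Hub {hub}"]
    for name in to_create:
        lines.append(f"UserCreate {name} /GROUP:none /REALNAME:none /NOTE:ad-sync")
        # /ALIAS:none sends the hub username unchanged to the RADIUS server (NPS).
        lines.append(f"UserRadiusSet {name} /ALIAS:none")
    for name in to_delete:
        lines.append(f"UserDelete {name}")
    return lines


if __name__ == "__main__":
    # Constructed sample data: members of "VPN SSTP" and current hub users.
    ad = ["alice", "Bob", "carol", "eve /GROUP:admins"]
    hub = ["alice", "bob", "dave", "breakglass"]
    create, delete, skipped = plan_sync(ad, hub, keep=["breakglass"])
    print("\n".join(vpncmd_batch("VPN", create, delete)))
    print("skipped (review by hand):", skipped)
```

The printed lines can be saved to a file and passed to vpncmd with its `/IN:` option; the NPS network policy remains the actual access gate, so a stale hub user is still rejected once removed from the AD group.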

boubou
Posts: 9
Joined: Tue Dec 08, 2015 2:57 pm

Re: SoftEtherVPN: AD Support... Possible ?!?

Post by boubou » Fri Dec 11, 2015 4:38 pm

WOW. That's a GOOD answer!
Thank you very much!

Have a very nice Christmas time.

Sébastien

boubou
Posts: 9
Joined: Tue Dec 08, 2015 2:57 pm

Re: SoftEtherVPN: AD Support... Possible ?!?

Post by boubou » Fri Dec 11, 2015 4:42 pm

Paul, another little question, in:
http://www.softether.org/4-docs/1-manua ... entication

we can see:
"This information can be obtained from the RADIUS server administrator. The RADIUS server to be used must be set to enable use of Password Authentication Protocol (PAP)."

Did you try MSCHAPv2 RADIUS authentication with SoftEther?

Did it work? Some people said that it works but some others said it didn't. What is the true answer?

Sincerely and thanks in advance.

Sébastien

PaulC
Posts: 26
Joined: Mon Nov 02, 2015 12:18 am

Re: SoftEtherVPN: AD Support... Possible ?!?

Post by PaulC » Fri Dec 11, 2015 6:26 pm

Hi,

I've been unable to get it to work without having PAP enabled :-(

I thought I had at one point with the previous version of SoftEther. If I remember correctly, it worked without PAP being enabled as long as during the authentication process, the user didn't authenticate with username@hubname in the VPN settings. However, I have just tried it and I was unable to authenticate when I just had username or username@hubname unless PAP was enabled.

See this post, too. I haven't re-tried with Windows 10 since I upgraded the Domain Controller to 2012R2 - http://www.vpnusers.com/viewtopic.php?f=7&t=5277

Rgds

Paul

mbrcomp
Posts: 25
Joined: Tue Dec 15, 2015 7:45 am

Re: SoftEtherVPN: AD Support... Possible ?!?

Post by mbrcomp » Tue Dec 15, 2015 3:24 pm

In case we're talking about a few users, you may use the "Windows NT/AD authentication". You create a user, specifically set it to the same username used in AD, select the "Windows NT/AD authentication" scheme, and direct it to the AD username so that it uses the AD password for authentication.

boubou
Posts: 9
Joined: Tue Dec 08, 2015 2:57 pm

Re: SoftEtherVPN: AD Support... Possible ?!?

Post by boubou » Mon Dec 28, 2015 4:49 pm

mbrcomp,

I joined my VPN Server to the AD easily:

realm list
cpu.qc.ca
type: kerberos
realm-name: domain.QC.CA
domain-name: cpu.qc.ca
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common
login-formats: %U@domain.qc.ca
login-policy: allow-realm-logins

I created a user in the VPN Server and selected Windows NT Domain Authentication, but when I try to connect to the VPN, it doesn't work.
On the VPN Server, I can see the 'external server authentification' in the security_log but I didn't see any LDAP request on our LDAP Servers...
It looks very strange...
Indeed, I can ping the LDAP Servers.

Can you help me a bit more please ?

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: SoftEtherVPN: AD Support... Possible ?!?

Post by thisjun » Thu Jan 07, 2016 7:47 am

NT Domain auth only works in Windows.

boubou
Posts: 9
Joined: Tue Dec 08, 2015 2:57 pm

Re: SoftEtherVPN: AD Support... Possible ?!?

Post by boubou » Fri Jan 08, 2016 2:00 pm

Thanks!
This response explains to me why it didn't work.
