Ldap – Authenticate VPN with Active Directory and Sonicwall TZ 200 Device

Tags: active-directory, ldap, sonicwall, vpn

The context for this is that I am not a systems administrator but I'm doing my best, so please be patient with me. 🙂

The end goal is that we would like users to be able to VPN in and access network resources, through our Sonicwall TZ 200 device, using their Active Directory credentials.

Some notes:

  1. Currently, our Sonicwall device is running the latest version of the SonicwallOS firmware.
  2. The Sonicwall VPN was set up to use Local Users + RADIUS and was working fine. The local users have been set up as "userABC" with a shared key and are able to connect using the basic Windows or Mac vpn clients and then access resources behind the firewall.
  3. The Active Directory box is set up with internal domain "internal.specialsuperdomain.com" and we can add users and boxes to the domain from inside the firewall. No problems there.
  4. We just set up the SonicWall LDAP settings to integrate with our internal Active Directory controller. I can authenticate the user "userABC@internal.specialsuperdomain.com" on the LDAP integration test page.
  5. Every time I make changes to the LDAP integration on the Sonicwall, I get a warning from the Sonicwall device that the L2TP server is set up using CHAP, which is not supported by Active Directory. I think this is where my problem is. When I change the user settings to "LDAP + Local Users" and the user tries to VPN in using their Active Directory credentials, they receive a failure to authenticate error (tested on a Mac) and the SonicWall logs a dropped packet due to an "IP Spoof Detected" error from that user.

I've thought maybe I needed to do something with LDAP + Radius to bridge the gap between the VPN and the Active Directory, but I'm not sure. I'm going through all of the Sonicwall documentation I can find but I'm not seeing anything so far that helps. Any tips or ideas? How should I set this up?

UPDATE: Our domain is set up at "Windows Server 2008" functional level. We were not able to authenticate from the Sonicwall using the pre-windows-2000 format "domain\username", I presume because the domain is not set to Windows Server 2003 functional level. We are able to authenticate from the Sonicwall using the updated full usernames ("user@domain.com") and so we have been trying to authenticate to the vpn the same way.

Best Answer

You might consider running RRAS + PPTP on your Win2k8 DC and just forwarding the necessary ports through. It's much, much easier to do access control from within AD that way. That's how my company set it up and it works very well. YMMV.