Any plans for LDAP authentication?

pisifisi
Posts: 1
Joined: Sun Nov 03, 2019 3:01 pm

Any plans for LDAP authentication?

Post by pisifisi » Sun Nov 03, 2019 3:04 pm

While RADIUS is nice, LDAP is really needed so logins and security group associations can be controlled by group membership.

Our AD has over 300,000 users in it. I need to grant access to about 200 users. Currently, that requires me to maintain a user entry for every user in SoftEtherVPN. If I add a '*' user I've granted access to way too many users. Not exactly user account maintenance friendly.

Are there any plans for this in the future?

-Chip

fenice
Posts: 153
Joined: Sun Jul 19, 2015 4:23 pm

Re: Any plans for LDAP authentication?

Post by fenice » Sun Nov 03, 2019 4:45 pm

You could take a look at GitHub and see if any RFEs have been filed for this. If there isn't already a request for LDAP authentication, file an RFE for it with reasons/explanation of why it's important.

Regards

Bill

ethanolson
Posts: 11
Joined: Mon Dec 02, 2019 6:29 am

Re: Any plans for LDAP authentication?

Post by ethanolson » Fri Dec 06, 2019 8:23 am

LDAP authentication may not come for a long time, if ever. You can pull it off where it filters on group through Network Policy Server, which you can spin up easily in your environment (on a server within the AD domain) and just have SE talk to it with the RADIUS protocol. That's how I've got my SE VPN set up and that's how I've got my WiFi set up (WPA2-Enterprise). It only allows members of certain groups... and it only costs you a little time to set up (minutes) since you're already using Microsoft servers and they have NPS as a role that can be enabled. Just don't run NPS on the SE server because their listeners will conflict. I run NPS on my domain controller.

In NPS...
1. create a RADIUS Client, let's call it SoftEther-VPN1
   - enter the SE VPN server's IP address
   - create or generate a shared secret (capture it so you can enter it in SE)
   - ensure it's using RADIUS Standard as the vendor name on the Advanced tab
2. create a Connection Request Policy, maybe call it SoftEther VPN Connection
   - on the Overview tab, ensure the policy is enabled and the type of network access server is Unspecified
   - on the Conditions tab, add a Client Friendly Name and enter the RADIUS Client name exactly, which in this example is SoftEther-VPN1
   - on the Settings tab, only ensure that Authentication is set to authenticate on this server. Leave everything else alone.
   - now that it's created, sort the list of policies so the rule comes before the deny rules
3. create a Network Policy, maybe call it SoftEther VPN Network Policy
   - on the Overview tab, ensure the policy is enabled, Grant Access = selected, Ignore user account dial-in properties = checked, type of network access server is Unspecified
   - on the Conditions tab, add NAS Identifier and enter SoftEther VPN Server
   - still on the Conditions tab, add User Groups and select the group(s) in AD you want to be able to connect through the VPN
   - on the Constraints tab, under Authentication Methods, check the box for MS-CHAP-v2 and PAP. You may want to set up PEAP/EAP-MSCHAPv2 depending on how your SE server is configured.
   - on the Constraints tab, under NAS Port Type, check the box for Virtual (VPN)
   - on the Settings tab, under Standard, ensure Framed-Protocol = PPP and Service-Type = Framed. If neither is present, add them.
   - on the Settings tab, under Encryption, I suggest you check the box for Strongest, which forces a requirement for 128-bit or higher encryption.
   - now that it's created, sort the list of policies so the rule comes before the deny rules

In SE...
4. configure RADIUS within your Virtual Hub
   - ensure you have a user where the username is an asterisk (yes, the username is *) and they're set to use RADIUS authentication
   - under the hub's Authentication Server Settings, enter the RADIUS connection info (IPv4, port 1812, shared secret from step 1 above)
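
An added example (not from this thread and not SoftEther or NPS code) for checking the NPS policy from the SE server before pointing the hub at it: it builds a PAP Access-Request carrying the same attributes the Network Policy above matches on (NAS-Identifier "SoftEther VPN Server", NAS-Port-Type Virtual, Service-Type Framed, Framed-Protocol PPP) and verifies the Response Authenticator before believing an Access-Accept. The NPS address, test account and shared secret are values you supply; everything labelled constructed is an assumption of this example.

```python
import hashlib
import os
import socket
import struct

# Constructed for this example (not from the post): the NAS Identifier condition of the Network Policy
NAS_IDENTIFIER = "SoftEther VPN Server"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, SERVICE_TYPE, FRAMED_PROTOCOL, NAS_ID, NAS_PORT_TYPE = 1, 2, 6, 7, 32, 61  # RFC 2865 attribute types
SERVICE_TYPE_FRAMED, FRAMED_PROTOCOL_PPP, NAS_PORT_TYPE_VIRTUAL = 2, 1, 5   # the values the policy matches on

def xor_chain(data, secret, authenticator, hiding):
    """RFC 2865 5.2 PAP password hiding (hiding=True) or its reverse, 16-byte MD5-XOR blocks."""
    data += b"\x00" * (-len(data) % 16)          # pad to a multiple of 16 bytes
    out, prev = b"", authenticator               # first block is keyed by the Request Authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hiding else data[i:i + 16])   # chain on the ciphertext
    return out if hiding else out.rstrip(b"\x00")

def build_access_request(username, password, secret, ident, authenticator):
    fields = [(USER_NAME, username.encode()),
              (USER_PASSWORD, xor_chain(password.encode(), secret, authenticator, True)),
              (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED)),      # Service-Type = Framed
              (FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP)),   # Framed-Protocol = PPP
              (NAS_ID, NAS_IDENTIFIER.encode()),
              (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL))]   # NAS Port Type = Virtual (VPN)
    attrs = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in fields)   # type, length, value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, request, secret, attrs=b""):
    """What a genuine server sends: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def response_is_authentic(request, response, secret):
    """Trust an Access-Accept only if its Response Authenticator verifies under the shared secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and response[4:20] == expected

def probe(server, username, password, secret, port=1812, timeout=3):
    """Send one Access-Request to NPS; run it on the SE server so the source IP matches the RADIUS Client."""
    req = build_access_request(username, password, secret, os.urandom(1)[0], os.urandom(16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (server, port))
        resp, _ = sock.recvfrom(4096)
    if not response_is_authentic(req, resp, secret):
        return "unauthenticated response (wrong shared secret or spoofed reply)"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(resp[0], f"code {resp[0]}")
```

Call `probe("<nps-address>", "<test user>", "<password>", b"<shared secret>")` once with a member of the allowed AD group and once with a non-member; only the first should come back Access-Accept, and a timeout usually means the RADIUS Client entry or its IP address is wrong.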
