IKEv2 Mobile VPN Problems Authorization AD
Hello,
I configured Mobile VPN with IKEv2 on the Firebox M370. For authentication, in the first step we configured users of the Firebox-DB. After installing the batch file on a Windows 10 client, the connection was successful. I'm able to ping all clients and servers (including the domain controller) that I want to reach. But there is still a problem with the connection to the domain controller. I can't authenticate my AD user. If I want to access shares, Outlook (Exchange), the print server etc., I have to authenticate with username and password. Also I can't update user group policies with gpupdate.
After a new Windows login, everything works fine.
We use the DNS server of the domain controller in the IKEv2 VPN profile.
Does somebody have any idea?
Answers
Yeah, unfortunately the IKEv2 VPN doesn't allow the use of AD for authentication, unlike the SSL or IPSec VPNs do. This requires you to re-authenticate with your AD credentials after the VPN connection if you wish to access any domain resources: file shares, Exchange etc.
Personally I've found the IKEv2 VPN is great for users utilizing their own home pc to access the network strictly for RDP connections onto their work PC.
No software to install.
It's usually something simple.
That's odd. I have never been asked to authenticate to AD after establishing an IKEv2 VPN connection, and I can access network resources just fine. The login to the AD domain happens before establishing the VPN (I suppose by cached credentials).
I'm only asked to authenticate when the IKEv2 username is different from the AD username, for example: JohnDoe (Firebox-DB username), JDoe (AD username). For that reason, I create the same username but a different password on Firebox-DB.
The next step is to change the authentication via AD / NPS.
Exactly, currently the login to the AD happens before establishing the VPN. Then I log out and log in to Windows again. After that I have access. But sometimes I can't log in to Windows: "the account addressed is currently blocked" (translated from German).
The IKEv2 username and AD username are the same (JDoe), the passwords are different.
WatchGuard Traffic Monitor shows the ports for the AD authentication are allowed.
Currently our users use the SSL client. It works fine. But we want to change because of the pre-logon, so that the users don't get any error messages after the Windows login.
Does anybody have any advice? Or should I continue with the AD registration first?
Forgive my resurrecting an old thread, but is there a definitive answer on this? If my Firebox-DB password and my domain password match (my username is also the same), the IKEv2 tunnel works flawlessly. But if the passwords are different, there are all sorts of authentication issues when trying to access domain resources.
If you use Firebox-DB credentials to connect to the IKEv2 VPN and have problems connecting to AD resources,
check: https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000bpLuSAI&lang=en_US
A better solution would be to change the IKEv2 VPN to use RADIUS (NPS) AD authentication:
https://techsearch.watchguard.com/KB/WGKnowledgeBase?lang=en_US&SFDCID=kA22A000000XZlhSAG&type=KBArticle
NPS RADIUS server install and configuration:
https://www.screencast.com/t/YhZSg5LMZ3ow
Firebox RADIUS and IKEv2 configuration:
https://www.screencast.com/t/1qJkEtot6zUw
If you want to configure Windows IKEv2 to use "Automatically use my Windows logon name...":
You need to give the RADIUS server name in the Firebox RADIUS settings the same name as your on-prem AD domain name, and it needs to be in capital letters!
In the video the on-prem AD domain name is domain1.com, so the RADIUS server name in the Firebox needs to be DOMAIN1.
This is because the Windows IKEv2 client is sending the credentials in "DOMAIN\user" format.
If you don't configure the "Automatically use my Windows logon name..." option, then the RADIUS name can be whatever you like in the Firebox RADIUS settings, uppercase or lowercase letters.
Windows 10 & 11 IKEv2 configuration with the IKEv2 *.bat file:
https://www.screencast.com/t/F8opfvqa1Q
@kimmo.pohjoisaho thank you very much indeed for that quick reply. I will read through those options.
I have been advised to manually set "UseRasCredentials=0" within "%appdata%\Microsoft\Network\Connections\Pbk\rasphone.pbk" for each user. I will reply again if this suggestion works. It is possible to do this using a script too.
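Added example, not posted by anyone in this thread: a PowerShell script that covers the two client-side points raised above. It prints the uppercase NetBIOS domain name that the Firebox RADIUS server entry has to be called when "Automatically use my Windows logon name..." is enabled (the Windows client sends DOMAIN\user, as kimmo.pohjoisaho describes), and it sets UseRasCredentials=0 for one IKEv2 entry in rasphone.pbk, per user, so that Windows does not reuse the Firebox-DB VPN password when it authenticates to domain resources. The connection entry name Corp-IKEv2 and the standard C:\Users profile layout are assumptions; use the entry name from your own .bat file.

```powershell
<#
  Added example (not from this thread). Assumptions: the IKEv2 connection entry is
  called 'Corp-IKEv2' and user profiles live under C:\Users.
#>
param(
    [string]$EntryName = 'Corp-IKEv2',   # assumed; use the entry name from your .bat file
    [string]$PbkPath   = (Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'),
    [switch]$AllUsers                     # walk every profile; run from an elevated prompt
)

# On a domain-joined client USERDOMAIN is the NetBIOS domain; the Firebox RADIUS
# server name must equal it in upper case when the Windows logon name is reused.
function Get-ExpectedRadiusServerName {
    return $env:USERDOMAIN.ToUpperInvariant()
}

# rasphone.pbk is INI-style: [EntryName] sections holding Key=Value lines.
# Only the target section is touched; every other line is copied through unchanged.
# If the key is absent in that section, nothing is written and Changed stays $false.
function Set-UseRasCredentials {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Entry,
        [int]$Value = 0
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Phonebook not found: $Path (connect once with the .bat file first)"
    }

    # Preserve the file's encoding: a UTF-16 LE BOM means write it back as Unicode,
    # otherwise keep the system default (ANSI) text. Get-Content detects the BOM on read.
    $bytes    = [System.IO.File]::ReadAllBytes($Path)
    $encoding = if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) { 'Unicode' } else { 'Default' }

    $inTarget = $false; $found = $false; $changed = $false
    $rewritten = foreach ($line in (Get-Content -LiteralPath $Path)) {
        if ($line -match '^\[(.*)\]\s*$') {
            $inTarget = ($Matches[1] -eq $Entry)
            if ($inTarget) { $found = $true }
            $line
        }
        elseif ($inTarget -and $line -match '^UseRasCredentials=(\d+)\s*$') {
            if ([int]$Matches[1] -ne $Value) { $changed = $true }
            "UseRasCredentials=$Value"
        }
        else { $line }
    }
    if (-not $found) { throw "Entry '$Entry' not found in $Path" }

    if ($changed) {
        Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force   # keep a backup
        Set-Content -LiteralPath $Path -Value $rewritten -Encoding $encoding
    }
    [pscustomobject]@{ Path = $Path; Entry = $Entry; Changed = $changed }
}

# Every profile's phonebook, for the "do this for each user" case (needs elevation).
function Get-UserPhonebooks {
    Get-ChildItem -Path 'C:\Users' -Directory | ForEach-Object {
        $p = Join-Path $_.FullName 'AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk'
        if (Test-Path -LiteralPath $p) { $p }
    }
}

"Firebox RADIUS server name to use: $(Get-ExpectedRadiusServerName)"
$targets = if ($AllUsers) { Get-UserPhonebooks } else { @($PbkPath) }
foreach ($pbk in $targets) {
    try   { Set-UseRasCredentials -Path $pbk -Entry $EntryName }
    catch { Write-Warning $_.Exception.Message }   # e.g. a profile that never used the entry
}
```

Run it once per client for the current user, or with -AllUsers from an elevated prompt to cover every profile on the machine; profiles that never connected with the entry are reported as warnings and skipped, and a .bak copy is left next to each phonebook that was modified. Reconnect the VPN afterwards and verify that a share or Exchange opens without a second credential prompt.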