FortiGate
raksshaya
Staff
Article Id 379561
Description This article explains and demonstrates the configuration needed to authenticate an LDAP user using a custom Active Directory attribute instead of the standard username for SSL VPN access.
Scope FortiGate.
Solution

In this article the custom AD attribute employeeID is used in place of the username for SSL VPN authentication. The same procedure works for any single-valued AD attribute whose value is unique per user.

 

Step 1: Configure the LDAP server.

  1. Go to User & Authentication -> LDAP Servers -> Create New.
  2. In the Common Name Identifier field, enter the custom AD attribute (here employeeID). FortiGate searches under the Distinguished Name for the entry whose Common Name Identifier attribute equals the name the user types, so this is the attribute that replaces the username.
  3. Test connectivity to the server, then test user credentials. Because the Common Name Identifier is now employeeID, run the credential test with the employeeID value as the username, not the account name.
  4. Select OK.
  5. From the CLI, set member-attr to the same custom attribute. By default member-attr is memberOf, the attribute FortiGate reads for group membership; pointing it at employeeID makes the user group match in Step 2 compare against the user's employeeID value instead of a group DN.

 

CLI:

config user ldap
    edit "Aquarium"     <-------- LDAP server object name; the user group in Step 2 references it
        set server "xxxxxx"
        set cnid "employeeID"     <-------- Mention the custom AD attribute
        set dn "DC=Aquarium,DC=com"
        set type regular
        set username "Aquarium\\Administrator"
        set password ENC MTAwNBeeL9lePwe301w6vmLVCM
        set member-attr "employeeID"     <-------- Mention the custom AD attribute
    next
end

The bind account (username/password above) only needs read access to the directory; use a dedicated low-privilege service account rather than Administrator.

 

Step 2: Configure the user group.

  1. Go to User & Authentication -> User Groups -> Create New.
  2. Under Remote Groups, add the LDAP server configured in Step 1 and select the groups.
  3. Because member-attr now points at employeeID, the group match must compare against the user's employeeID value rather than a group DN. Change the match entry's group-name from the CLI.

CLI:

config user group
    edit "AD_Users"
        set member "Aquarium"
        config match
            edit 1
                set server-name "Aquarium"
                set group-name "123456789"     <-------- Mention the custom AD attribute value for that user
            next
        end
    next
end

 

In AD, the user Test has employeeID set to '123456789', so this match entry admits that user only. Each additional user to be allowed needs its own match entry carrying that user's employeeID value, and the values must be unique in the directory: if two entries share an employeeID, the search returns more than one DN and authentication fails.
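The two-step check the configuration in Steps 1 and 2 produces (look the typed name up by cnid under the base DN, then compare group-name against the user's member-attr value) is easy to misjudge, so here it is modelled in Python. This is an added example, not FortiOS code: it runs the same logic against a small constructed in-memory directory (the entries, the host dc1.aquarium.com and the helper names are assumptions) so the uniqueness and escaping edge cases can be tried offline. It also emits the equivalent ldapsearch command for checking a real domain controller.

```python
"""Model of the lookup a 'config user ldap' entry with cnid=employeeID and
member-attr=employeeID implies. Added example; not FortiGate's implementation."""

# Values taken from the article's configuration.
BASE_DN = "DC=Aquarium,DC=com"
CNID = "employeeID"          # set cnid "employeeID"
MEMBER_ATTR = "employeeID"   # set member-attr "employeeID"
GROUP_NAME = "123456789"     # set group-name "123456789" under config match

# Constructed sample directory (hypothetical entries, not from the article).
# The third entry deliberately duplicates an employeeID to show the failure mode.
DIRECTORY = {
    "CN=Test,CN=Users,DC=Aquarium,DC=com": {
        "sAMAccountName": ["Test"],
        "employeeID": ["123456789"],
        "memberOf": ["CN=VPN,CN=Users,DC=Aquarium,DC=com"],
    },
    "CN=Other,CN=Users,DC=Aquarium,DC=com": {
        "sAMAccountName": ["Other"],
        "employeeID": ["987654321"],
        "memberOf": [],
    },
    "CN=Svc,OU=Service,DC=Aquarium,DC=com": {
        "sAMAccountName": ["Svc"],
        "employeeID": ["987654321"],
        "memberOf": [],
    },
}

# RFC 4515 escaping: the name the user types is embedded in a search filter,
# so '*', '(', ')' and '\' must become literals, not filter syntax.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def search_filter(username: str, cnid: str = CNID) -> str:
    """The filter sent to the directory: (<cnid>=<typed username>)."""
    return f"({cnid}={escape_filter_value(username)})"


def ldapsearch_command(username: str, host: str = "dc1.aquarium.com",
                       bind_dn: str = "Aquarium\\Administrator") -> str:
    """Equivalent ldapsearch invocation for verifying the lookup against a real DC."""
    return (f'ldapsearch -x -H ldap://{host} -D "{bind_dn}" -W -b "{BASE_DN}" '
            f'"{search_filter(username)}" {CNID} {MEMBER_ATTR}')


def in_subtree(dn: str, base: str) -> bool:
    return dn.lower().endswith(base.lower())


def lookup_user(username: str, directory=DIRECTORY, cnid: str = CNID,
                base_dn: str = BASE_DN):
    """Return the single DN whose cnid attribute equals the typed username.
    Zero hits or more than one hit is a failure: the firewall needs exactly
    one DN to bind as with the supplied password."""
    hits = [dn for dn, attrs in directory.items()
            if in_subtree(dn, base_dn) and username in attrs.get(cnid, [])]
    if len(hits) != 1:
        return None
    return hits[0]


def group_match(dn: str, directory=DIRECTORY, member_attr: str = MEMBER_ATTR,
                group_name: str = GROUP_NAME) -> bool:
    """config match: group-name is compared against the user's member-attr values."""
    return group_name in directory[dn].get(member_attr, [])


def authorize(username: str) -> bool:
    """True only if the user resolves uniquely and the group match succeeds."""
    dn = lookup_user(username)
    return dn is not None and group_match(dn)


if __name__ == "__main__":
    print(ldapsearch_command("123456789"))
    for name in ("123456789", "987654321", "000000000"):
        print(name, "->", authorize(name))
```

Running it shows that 123456789 resolves to CN=Test and is authorized, while 987654321 is refused even though the value exists, because two entries carry it. The ldapsearch line it prints is the quickest way to confirm both points against the real domain controller before touching the firewall.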

 

Step 3: Configure the firewall policy.

CLI:

config firewall policy
    edit 5
        set name "SSLVPN"
        set uuid 45ed780a-f5d1-51ef-99f6-e564fc1de4da
        set srcintf "ssl.root"
        set dstintf "SSLVPN endpoint"
        set action accept
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "SSLVPN endpoint address"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "AD_Users"     <-------- Mention the user group created in Step 2
    next
end

This example policy allows all services from the tunnel address range to the destination; in production, narrow service and dstaddr to what VPN users actually need.

 

Testing: connect with the SSL VPN client using the employeeID value (here 123456789) as the username and the AD account's password.

To confirm the session, open the SSL-VPN monitor in the GUI or run get vpn ssl monitor from the CLI, which lists the connected user and the assigned tunnel IP address.

 
