Using the SonicWALL SSL VPN with Windows domain accounts via RADIUS

In Firewalls, Security by Jesse Rink

Using the SonicWALL SSL VPN

Setting up the SonicWALL firewall for using SSL VPN is pretty simple, even when it comes to utilizing Windows Domain Accounts via RADIUS authentication.   The following article is a step by step guide how to configure the firewall and Windows Servers to accomplish this.

Configure Windows Server for RADIUS authentication

Step 1 – Install NPS

Add the Network Policy Server role on your Windows server if it’s not yet already installed.

SonicWALL SSL VPN

 Step 2 – Configure NPS

Add a RADIUS client to NPS using the LAN IP address of the SonicWALL firewall, and create an applicable Shared Secret password.

Sonicwall SSL VPN Radius client

 

Step 3 – Create VPN Global Group

In Active Directory, create a global group called “SSL-VPN Access” and add the applicable users to this group that will require remote VPN access.

Step 4 – Create New Network Policy in NPS

Create a new Network Policy and call the policy, “SonicWALL SSL VPN“.  Add the condition Windows Groups, and click ADD.   Specific the “SSL-VPN Access” global group you previously created in Active Directory.  Make sure the Access Granted radio button is selected for the Permission properties, and use the default selections for Authentication Methods, Configuration Constraints, and Configuration Settings, then select Finish in the Add Network Policy wizard.

Configure SonicWALL for RADIUS authentication

Step 1 – Change User Authentication mode

Go to Users -> Settings and change User Authentication method from “Local Users” to “RADIUS + Local Users” (this allows you to use either local user accounts created in the SonicWALL OR use Active Directory based user accounts during authentication. I suggest keeping a local user setup in the event the RADIUS server(s) go down unexpectedly.)

Sonicwall SSL VPN Setup user authentication settings

Step 2 – Configure RADIUS settings

Select the Configure RADIUS button and change the settings on each tab to the following:

Tab – Settings

Setup the Primary and Secondary (optional) RADIUS server and previously defined Shared Secret password.

SW-Figure 4

 

Tab – RADIUS Users

Make sure to change the Default User Group for all RADIUS users to belong to “SSLVPN Services”

SW-Figure 5

Tab – Test

Specify a user account that you added as a member to the previously created “SSL-VPN Access” global group, enter the applicable user password.  Change the radio button to MSCHAP or MSCHAPv2 and click Test.  You should receive a response of, “Radius Client Authentication Succeeded”.

Step 3 – Save Settings

Click Accept at the bottom of the page

Configure Local Group Access

Step 1 – Edit Group Properties

Go to Users -> Local Groups and edit the properties of the SSLVPN Services local group.  On the VPN Access tab, make sure you add your internal networks (address objects) that users would need to access, otherwise you won’t be able to access any internal networks even if you’ve successfully connected to the VPN.

SW-Figure 6

Configure SSL VPN settings

Step 1 – Configure Server Settings

Go to SSL VPN -> Server Settings and enable the WAN interface at port 443 (the round icon should turn green).  Please note — you will have to make sure the SonicWALL’s administration webpage is set to something other than 443 for this to work (configured under System -> Administration -> HTTPS Port).  I typically recommend changing the administration port to 444 or 4433 so 443 is available and can be used for SSL VPN functionality.

SW-Figure 7

Step 2 – RADIUS User Settings

On the same SSL VPN -> Server Settings page, Enable the “Use RADIUS in” checkbox and select the “MSCHAPv2 mode” radio button.

MSChapV2

Click on the Accept button to save the settings.

Step 3 – Configure Client Settings

(note particular these settings seem to change with every release of the SonicWALL OS unfortunately…)

Go to SSL VPN -> Client Settings and click on the configuration/edit button.  Mouse-over the Address for IPv4 column, and note the address range selected for SSL VPN IP Pool.   You MAY have to adjust this range accordingly to your network scheme (this is adjusted under Network ->  Address Objects).

Tab – Settings

Verify the Zone IP v4 and Network Address IV V4 information

Tab – Client Routes

Add all the applicable client routes that are necessary for VPN access.  In most cases, you would end up address the necessary Address Objects for all your internal networks. (These are the same networks (address objects) that you previously defined under the SSLVPN Service local group.

Tab – Client Settings (figure 8)

Verify the DNS Server 1 and DNS Server 2 are properly specified.  Take note of the setting “User Name and Password Caching” and adjust accordingly to your security policy!   Enabling “Create Client Connection Profile” will allow the SonicWALL NetExtender client to save the profile (recommended).

SW-Figure 8

That’s all you need in order to setup SonicWALL SSL VPN to use with a Windows RADIUS server and make use of Active Directory for the VPN login authentication!   Should take about 15 minutes or so to setup start to finish…

 

About the Author
Jesse Rink

Jesse Rink

Jesse is the owner of Source One Technology and has been providing IT services to schools, nonprofits and SMBs in Waukesha, Milwaukee and SE Wisconsin for over 18 years.