Thread Rating:
  • 17 Vote(s) - 3.18 Average
  • 1
  • 2
  • 3
  • 4
  • 5
DrayTek Router with LDAP (Active Directory) for Dial-in Users
#1
Setting up a DrayTek Router with LDAP (Active Directory) for Dial-in Users.

1) Enable Remote Access VPN Service - for this example we are going to use L2TP as the VPN Service.
Under VPN and Remote Access, Remote Access Control tick to Enable L2TP VPN Service and click OK and reboot the Router.

   

2) Configure PPP General Setup
Under VPN and Remote Access, PPP General Setup set Dial-In PPP Authentication to PAP Only (this is a requirement for LDAP as explained in the note of the this screenshot).
Enable AD/LDAP, LDAP and adjust the DHCP scope if required for Remote Users.

   

3) Create a VPN IKE/IPsec Pre-Shared Key
Under VPN and Remote Access, IPsec General Setup enter your desired Pre-Shared Key that Users will use when setting up their VPN Connection on their Computers.

   

4) Setup Active Directory/LDAP for Users to authenticate with.
Under Applications, Active Directory/LDAP first configure the General Setup as follows:
Click to Enable and set the Bind Type to Regular Mode and enter the IP Address (Server Address) of your Active Directory Server - leave the default LDAP Port at 389.

   

The remaining steps are where many mistakes are often made.

The Regular DN and Regular Password is used to authenticate with your Active Directory Server and thus a Domain Administrator Account must be used (either existing or created specifically for this purpose).

For the correct Regular DN for your setup, open Active Directory Users and Computers.
In this example, we have color-coded things to make it easier.

   

For the above example, the correct Regular DN should look like this:

cn=administrator,cn=Users,dc=mydomain,dc=local

Note that we have used the account Administrator for this purpose and thus the Password for the Administrator Account will be the Regular Password.

If you are using SBS Server, your Regular DN would look something like this:

cn=My Admin,ou=SBSUsers,ou=Users,ou=MyBusiness,dc=mydomain,dc=local
Note that the CN name "My Admin" is the "displayed" name and not the actual account name.


5) Setup Active Directory/LDAP Profile
The Active Directory/LDAP Profile will connect your selected OU (Folder) containing your User Accounts for Remote Access.
Under Applications, Active Directory/LDAP select the Active Directory/LDAP Profiles tab.
Click to open the properties of the first available Index (in this case 1).

   

Enter a preferred Name for this Profile (IE: LDAP as per this example) and under Common Name Identifier enter cn.
Next click on the search icon (circled) - if all is good at this point you will see a pop-up window of Active Directory items.

Click on the Container or Organizational Unit where your Users are located (IE: in this example it will be CN=Users) and the field AD/LDAP Distinguished Name will automatically be filled for you - click OK. You should now see the correct Base Distinguished Name filled in.

   

The Group Distinguished Name is used for optional filtering as described here by DrayTek:
Group Distinguished Name is used while administrator wants to do an additional filtering. While both Base DN and Group DN are configured, the user account must be available in both path, otherwise, it cannot pass the authentication.

Your completed Profile will now look like this:

   

Client Computer Setup:

1) Add the following 2 registry entries to the computer if running Windows 7 or Windows 10

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
DWORD Key: AllowL2TPWeakCrypto
Value: 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
DWORD Key: AssumeUDPEncapsulationContextOnSendRule
Value: 2

2) Setup the VPN connection parameters as follows:

   


Forum Jump:


Users browsing this thread: 1 Guest(s)