SonicWall has a rather nice VPN application called Global Client. What makes it nice is that it does most of the configuration jobs transparently to the user. And for the network administrator, setting up a VPN really is a one banana job.
The flip side of this is that it’s too easy to set up a VPN server with only Shared Secret authentication. This is all nice and fine if you have two or three VPN users, but for any real installation you really should authenticate the users individually. And if your real installation is based on Microsoft Windows, you probably have an Active Directory on the back end which already has all the users on it.
I’ve been handheld through one such installation and this is the attempt to get another one running, while blogging about the experience.
Prereq
The magic ingredient here is the RADIUS server (Remote Authentication Dial-In User Service). On Windows 2003, the RADIUS service is provided by the Internet Authentication Service, IAS. On Windows 2008 it’s a part of the Network Policy Server. SonicWall has a pretty decent techdoc about configuring RADIUS authentication on Windows Server 2003 but the 2008 implementation is left as an exercise to the reader.
If NPS isn’t installed yet, add it from Server manager –> Roles –> Add role.
The prerequisite step is to create a Windows Active Directory group of folks who will be granted VPN access using RADIUS authentication. While you could use All Users, you might be slipping in a few test users (username test, password test – I’m sure you don’t have any of those on your net, right?). So be a good sysadmin and create the group VPN Users, then add users or groups to it manually.
Now you can fire up the Internet Authentication Service or Network Policy Server.
RADIUS
The first step is to add a RADIUS client to the configuration. A RADIUS client is the box which uses RADIUS, not the end user itself, using the box. So in this case, we’ll add the Firewall as a RADIUS client.
On Windows 2003, right-click RADIUS Clients –> New RADIUS Client. On Windows 2008, RADIUS Clients and Servers –> RADIUS Clients (right-click) –> New RADIUS Client. Give it the Friendly Name “Firewall” and fill in the IP address. For this discussion, we’ll say the firewall lives at 192.168.42.1. The Client-Vendor can be set to RADIUS Standard. I don’t know if the SonicWall supports the Additional Options listed, so you can leave them blank.
Now type a fairly complex Shared Secret, which the RADIUS server and the firewall will share, into the box, and paste a copy into Notepad. You’ll need the same Shared Secret later.
Since you’ll probably want to test the connection, create a similar RADIUS Client for either your own PC, if you happen to be on the local network at the time, or for some test server. Or for the RADIUS server itself, which means you’ll need to add a RADIUS client for either its local IP address or 127.0.0.1. I found a fairly decent, and non-cost, RADIUS test client at IEA Software called Radlogin. The least I can do for the favour is to suggest you check out the client too.
The next step is to create a Remote Access Policy. On Windows 2003, right click Remote Access Policies –> New Remote Access Policy. On Windows 2008, it’s complicated. I’ll get to that in a paragraph or two.
If you’re still on 2003, a wizard appears. Name your new “Custom Policy” something like VPN Authentication. Now you need to add the following Policy Condition: Windows-Groups is the group VPN Users you created in the prerequisite step above. As an extra measure, you could also demand that the NAS-IP-Address matches that of your firewall, eg 192.168.42.1. That way you can use RADIUS for other fun things too. Click Next. Tick the right radio button so that these users are Granted remote access permission. Next. Now you’ll still need to Edit the Profile. On the Authentication tab, check all Authentication methods except Unauthenticated access. Unfortunately the current SonicWalls do not reliably use MS-CHAP2, which is a shame. We’ll even need to tick the trivially encrypted CHAP and the non-encrypted PAP. Not much for security, I know. On the Advanced tab, make sure you have the following attributes selected: Service-Type: Framed, and Framed-Protocol: PPP, both of vendor “RADIUS Standard”.
Phew. And now for Windows 2008.
NPS –> Policies –> Network Policies (right-click) –> New. This will also pop up a wizard. Give the Policy a name like VPN Authentication and set the Type of network access to Remote Access Server. Add the following Conditions: User Groups (or Windows Groups) must be the VPN Users group you selected above. Then scroll down down down the Conditions list and require that the RADIUS Client –> Client IPv4 Address is that of your firewall, for the very same reasons as above. Do that now or later when the test shows green lights. Next. Access Granted. Next. Select all the Less Secure Authentication Methods except the last two, Allow clients to connect without negotiating… and machine health check only. You can uncheck CHAP and PAP while you test the RADIUS authentication later from the firewall, as they are security holes.
Run Radlogin and test whether you get a response, Good or Bad, or whether you get a Timeout. A Timeout probably means that you haven’t got the RADIUS Client configured right on the NPS (an unknown client, or a mismatched Shared Secret, gets no usable reply). A Bad response probably means that your Conditions or Constraints are wrong.
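To make the Good / Bad / Timeout triage above concrete, here is an added example (my own code, not Radlogin’s, NPS’s or SonicWall’s) of what a RADIUS test client does on the wire. It builds an Access-Request with the attributes the policy above asks for (User-Name, a PAP User-Password hidden with the Shared Secret as RFC 2865 describes, NAS-IP-Address 192.168.42.1, Service-Type Framed and Framed-Protocol PPP), answers it with a stand-in for the server, and then checks the Response Authenticator the way a real client must. The shared secret and the test user are constructed placeholders. It also shows why PAP is only as good as the Shared Secret: anyone holding the secret can undo the password hiding, and a reply made with the wrong secret is discarded, which the client experiences as a Timeout.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_SERVICE_TYPE, ATTR_FRAMED_PROTOCOL = 6, 7
SERVICE_TYPE_FRAMED, FRAMED_PROTOCOL_PPP = 2, 1

# Constructed values: the firewall address from the post and a placeholder
# shared secret (use the one you typed into Notepad, never this one).
NAS_IP = "192.168.42.1"
SHARED_SECRET = b"replace-with-your-shared-secret"


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    prev, out = request_auth, b""
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; this is what the RADIUS server does before checking the password."""
    prev, out = request_auth, b""
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(kind: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length covers the two header bytes."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         request_auth: bytes = None) -> bytes:
    """Access-Request carrying the attributes the policy in the post requires."""
    request_auth = request_auth or os.urandom(16)
    attrs = (
        attribute(ATTR_USER_NAME, username.encode())
        + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
        + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(NAS_IP))
        + attribute(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED))
        + attribute(ATTR_FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP))
    )
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def simulate_server(request: bytes, secret: bytes, users: dict) -> bytes:
    """Stand-in for NPS: recover the PAP password with the shared secret, answer Accept or Reject."""
    ident, request_auth = request[1], request[4:20]
    pos, fields = 20, {}
    while pos < len(request):
        kind, length = request[pos], request[pos + 1]
        fields[kind] = request[pos + 2:pos + length]
        pos += length
    username = fields[ATTR_USER_NAME].decode()
    password = reveal_password(fields[ATTR_USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if users.get(username) == password else ACCESS_REJECT
    return struct.pack("!BBH", code, ident, 20) + response_authenticator(code, ident, b"", request_auth, secret)


def classify_response(response: bytes, request: bytes, secret: bytes) -> str:
    """What a test client reports: Good, Bad, or a reply it must silently discard (seen as a Timeout)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, response[20:length], request[4:20], secret)
    if ident != request[1] or not hmac.compare_digest(expected, response[4:20]):
        return "Discarded"  # wrong shared secret on either side, or a spoofed reply
    return {ACCESS_ACCEPT: "Good", ACCESS_REJECT: "Bad"}.get(code, "Unknown")


if __name__ == "__main__":
    users = {"test": b"test"}  # constructed test account, as in the post's warning
    req = build_access_request(7, "test", "test", SHARED_SECRET)
    print(classify_response(simulate_server(req, SHARED_SECRET, users), req, SHARED_SECRET))
    print(classify_response(simulate_server(req, b"wrong-secret", users), req, SHARED_SECRET))
```

The third outcome is the one worth remembering when you stare at a Timeout in Radlogin: the server did answer, but because the secrets differ, the Response Authenticator does not check out and the client throws the reply away. The same code path is what protects you from a reply forged by someone who does not hold the secret, which is the whole reason the secret should be long and random rather than “password”.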
The Wall
Here’s a tip. Use anything but Internet Explorer to manage the SonicWall. It emits such buggy HTML code that it’s just hopelessly slow with IE.
I might be taking an extra step here because we also wanted RADIUS authentication to the firewall. In that case, you’re getting two settings at the price of one. Live with it and log on to the SonicWall admin interface.
As a safety measure, add a Local User to the firewall which we’ll also allow access, in case the RADIUS server is in a twist. For this discussion, we’ll call this user Backdoor. Put Backdoor into the relevant groups (Firewall Admin). On the VPN Access tab, give Backdoor the appropriate networks (Firewalled subnets).
Then we want to create a group for VPN users. Thus, go to Users –> Local Groups (sic) and click Add Group. On the Settings tab, call your group VPN Users. On the Members tab, scroll down the left box and hopefully you should find the entry All RADIUS Users. Add it. Also add the Backdoor user we created above. Under the VPN Access tab, add whatever networks you see fit; LAN Subnets may be what you’re looking for. Edit the CFS policy if you (really) want to.
Now from Users –> Settings, set the Authentication method for login to RADIUS + Local and click the Configure button. What now probably happens is that you configure the global settings for the whole firewall, not just the VPN login. On the now popped-up RADIUS Configuration Settings tab, enter the name or IP address of your RADIUS server, the one you created half a page up. Find that Notepad page where you created the Shared Secret and paste it in the corresponding box. On the RADIUS Users tab, tick Local configuration only (yeah, beats me too) and select the VPN Users as the Default RADIUS group.
Final step, and now it’s time to take a deep breath. If you’re configuring this over a VPN connection, make sure you have a backup plan, because you’re now going to change the VPN access settings. Thus, go to VPN –> Settings. I’m assuming that you already have a WAN GroupVPN in place. Click the pencil icon to edit the entry. Switch to the Advanced tab. Check Require Authentication of VPN Clients via XAUTH and choose your previously created VPN Users group as the User Group. Also Enable NetBIOS Broadcasts while you’re at it.
Click OK.
Test your VPN settings. Breathe normally.
Extra sugar
For extra brownie points, you can configure firewall administration logins to be authenticated by RADIUS. From Network –> Interfaces –> LAN –> edit pencil, tick all relevant Management options and the HTTPS User Login checkbox. Voilà, RADIUS authentication to the firewall!
I wonder what we can authenticate next…