  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 121

Sonicwall SSO

I have wireless users authenticating to our Sonicpoints with their AD credentials through a RADIUS server with no problems.

I have the Sonicwall SSO agent installed and connecting the Sonicwall and our DC.
 
I have our Sonicwall sending logs to a SysLog server with no problems.

However, I cannot see any authenticated users' traffic appearing in the syslogs.

Any help would be greatly appreciated.
Asked by matedwards
1 Solution
 
J Spoor (TME) commented:
Is SSO enforced on the zone?
Are the users logging into the DC?
Is file & print sharing enabled and allowed in the Windows firewall for at least the SSO agent?



View example configurations and the SonicWALL webui and features on http://livedemo.sonicwall.com or http://ngfw-demo.com

Multiply the effectiveness of your APT Sandbox, stop unknown and zero-day attacks at the gateway. See a demo on http://apt-demo.com or http://atp.demo.com

You can also view the Next-Generation Firewalls via
http://next-generation-firewall.com or http://next-generation-firewall-demo.com
0
 
matedwards (Author) commented:
Many thanks jspoor..

SSO is enforced on the wireless zone.

Users can log in with their AD credentials. The Sonicpoint is configured to pass the credentials to a RADIUS server that authenticates against a DC.

The firewall of the DC is turned off for now to get the SSO working.

When I 'check agent connectivity' it all works. When I 'check user' I only get the choice to choose 'netAPI', not 'From the Domain Controller' or 'Both' (below), and get a [53] network path not found error.

Also, does this mean every client joined to the wireless zone has to have its firewall turned off?

(screenshot: netAPI.png)
0
 
J Spoor (TME) commented:
If users log in via RADIUS, their IP is not in the DC security logs, so you need the agent to do NetAPI to the end station.

Use the check user test to see if the agent can query the end station.
0
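The symptom in the question, traffic in syslog without a user attached, can be checked from the logging side rather than by eyeballing lines. This is an added example, not code from the thread or from SonicWall: it assumes the SonicWall key=value syslog style with a usr= field carrying the SSO-resolved name, and the sample lines below are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in the SonicWall key=value syslog style (assumed format).
# usr= is the field the SSO agent populates once a host has been identified.
SAMPLE_LOG = """\
id=firewall sn=0017C5AAAAAA time="2014-03-10 09:01:12" fw=203.0.113.10 pri=6 c=1024 m=537 msg="Connection Closed" src=10.20.0.15:51234:X2 dst=198.51.100.5:443:X1 proto=tcp/https usr="CORP\\jdoe"
id=firewall sn=0017C5AAAAAA time="2014-03-10 09:01:15" fw=203.0.113.10 pri=6 c=1024 m=537 msg="Connection Closed" src=10.20.0.22:49001:X2 dst=198.51.100.9:80:X1 proto=tcp/http
id=firewall sn=0017C5AAAAAA time="2014-03-10 09:01:20" fw=203.0.113.10 pri=6 c=1024 m=537 msg="Connection Closed" src=10.20.0.22:49002:X2 dst=198.51.100.9:443:X1 proto=tcp/https
id=firewall sn=0017C5AAAAAA time="2014-03-10 09:02:01" fw=203.0.113.10 pri=6 c=1024 m=537 msg="Connection Closed" src=10.0.5.8:40000:X0 dst=198.51.100.9:443:X1 proto=tcp/https usr="CORP\\svc-backup"
"""

# key=value, where the value is either a double-quoted string (backslash escapes allowed)
# or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Return the key=value fields of one syslog line; quoted values lose their quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields

def unidentified_hosts(log_text, zone_subnet):
    """Map each source IP inside zone_subnet (e.g. the WLAN zone) to the number of
    connections logged without a usr= field. A non-zero count means SSO (DC log
    lookup or NetAPI probe) did not resolve a user for that host."""
    net = ip_network(zone_subnet)
    missing = defaultdict(int)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if "src" not in fields:
            continue
        ip = ip_address(fields["src"].split(":")[0])  # strip port and interface
        if ip not in net:
            continue
        missing[str(ip)] += 0 if fields.get("usr") else 1
    return dict(missing)

if __name__ == "__main__":
    for host, count in sorted(unidentified_hosts(SAMPLE_LOG, "10.20.0.0/24").items()):
        print(f"{host}: {count} connection(s) without a user")
```

Run it against the real syslog export with the wireless zone's subnet; hosts that keep a non-zero count are the ones to retest with the agent's check user function.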
 
J Spoor (TME) commented:
Error 53 usually means the Windows firewall is blocking NetAPI queries.
0
 
matedwards (Author) commented:
Is there a way of getting the user to authenticate straight to the DC (LDAP), not via a RADIUS server?

The Sonicpoint only shows how to configure WPA2-AUTO-EAP and RADIUS Server settings.
0
 
matedwards (Author) commented:
I can query an end station if it is Windows (not Mac, Linux, or Chrome) and I turn off its firewall.
0
 
J Spoor (TME) commented:
You can have them log in to the firewall web UI:
in the LDAP config, set the default group to Trusted Users,
then create a WLAN to WAN firewall rule for service HTTP with users = Trusted Users; when not authenticated, they will get a login page.
0
 
matedwards (Author) commented:
Will try first thing tomorrow. Thanks again for all your advice.
0
 
matedwards (Author) commented:
I'm a little confused as to what actually authenticates the user.

The LDAP + Local users authentication works in the Sonicwall.

But the Sonicpoints themselves only have configuration for RADIUS, not LDAP (below).

(screenshot: radius.JPG)
0
 
J Spoor (TME) commented:
The screenshot is to authenticate the client via 802.1x to the Access Point, not to the firewall (at this moment in time).

The SSO process or login to the web UI will authenticate the user to the firewall.
0
 
matedwards (Author) commented:
The users are presented with a login webpage for authentication, and their names appear in the logs once they log in.
0