Group policies don't work for L2TP VPN, just for AnyConnect.
The certificate is a requirement if you want to authenticate the users from LAN. Check it out:
The MX will run through the following steps to identify AD group members and apply associated group policies:
Because the MX is continuously gathering this information from the domain controllers, it is able to accurately apply the policy in real-time whenever a new user logs in.
Note: At this time, the MX does not support mapping group policies via Active Directory for users connecting through the Client VPN.
@Patrik73, there are some steps that you have to configure before. Take a look at the documentation:
Thanks!
I guess I need that certificate, but the guide is a little too shallow. At least for me.
Not sure how to create that self-signed certificate on my server. Server 2019.
Would really appreciate a guide. 🙂
Maybe it will help you: https://windowstechpro.com/how-to-install-certificate-services-ad-cs-in-server-2019/
Or is it enough to install IIS-role and create the certificate that way?
You need a certificate, either self-signed or a valid certificate.
I always use a self-signed certificate so I prefer to install AD CS, but each case is different.
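For the AD CS route the reply above prefers, here is an added PowerShell example (not from the thread or from Meraki) that installs an Enterprise Root CA on a domain-joined Windows Server 2019 and then checks that the domain controller has picked up a certificate from it. The CA name, key length and validity period are assumptions; adjust them to your environment.

```powershell
# Added example: stand up an Enterprise Root CA with AD CS on Server 2019.
# Assumptions (not from the thread): the CA common name, key size and validity below.
# Run in an elevated PowerShell session on a domain-joined server as an Enterprise Admin.

# 1. Install the Certification Authority role service and its management tools.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure it as an Enterprise Root CA (the root certificate is self-signed;
#    domain-joined machines trust it automatically through Active Directory).
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName "CORP-Root-CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force

# 3. Domain controllers enrol a "Domain Controller" certificate from an enterprise CA
#    on the next autoenrollment pulse; trigger it now instead of waiting.
certutil -pulse

# 4. Confirm a certificate issued to this host is in the machine store and note its expiry.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$env:COMPUTERNAME*" } |
    Select-Object Subject, Issuer, NotAfter, EnhancedKeyUsageList
```

Run steps 1 and 2 on the server that will be the CA (it can be the DC in a small lab, though a separate server is the usual recommendation), then step 3 and 4 on the domain controller itself. If no certificate shows up after the pulse, `gpupdate /force` followed by another `certutil -pulse` usually triggers enrolment.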
Thank you!
I really appreciate your help.
Guess I will install the AD CS.
I do have a wildcard cert, but that is for my public domain name.
*.name.com
and not my internal domain name
*.name.local
I now have set up a CA server and created a certificate.
Configured Active Directory authentication.
It looks like it can communicate.
I have also added the net in Subnet
And the Audit Policy.
And my certificate seems ok.
But still get error 691 😞
Getting a little bit frustrated.
Your L2TP connection probably is misconfigured. Can you share the configuration on your machine?
It seems to work now.
I tried to login with my full login name but then I get Error 691.
When I change to just my username it worked.
But I'm not sure what the groups actually do.
I tried to set some restriction on the group that my testuser is member of, but that doesn't change anything.
Maybe I should go for Radius login instead to be able to restrict access to VPN through AD-group membership.
And then I can activate Azure MFA.
And I'm not sure why I need the certificate, I removed it and the VPN still works.
Guess all I needed to do was to add to the Client VPN settings:
Domain short name
IP to DC
Username
Password
I also removed the subnets from Sites and Services and it still works.
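Since the thread turned on the client-side connection and on the username format (the full login name gave error 691, the plain username worked), here is an added PowerShell example, not from the thread or from Meraki, that creates the L2TP/IPsec connection on a Windows client and dials it with the short account name, treating a 691 exit code as the authentication failure discussed above. The connection name, MX address, pre-shared key and the authentication method are assumptions; set the authentication method to whatever your MX documentation prescribes.

```powershell
# Added example: create and dial an L2TP/IPsec client VPN to the MX from Windows.
# Assumptions (not from the thread): connection name, server address, PSK and
# the authentication method; confirm the last one against your MX documentation.
$VpnName = "Meraki Client VPN"
$MxAddress = "vpn.example.com"          # placeholder: public address of the MX
$Psk = Read-Host -Prompt "Pre-shared key" -AsSecureString
$PskPlain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Psk))

# Create (or recreate) the connection for the current user.
Add-VpnConnection -Name $VpnName -ServerAddress $MxAddress `
    -TunnelType L2tp -L2tpPsk $PskPlain `
    -AuthenticationMethod Pap -RememberCredential:$false -Force

# Prompt for the account. Use the short username (sAMAccountName), e.g. "jdoe":
# in the thread, DOMAIN\jdoe and jdoe@domain style names produced error 691.
$Cred = Get-Credential -Message "Enter the AD short username and password"
$User = $Cred.UserName
$Pass = $Cred.GetNetworkCredential().Password

# rasdial returns the RAS error number as its exit code; 0 means connected.
rasdial $VpnName $User $Pass | Out-Null
switch ($LASTEXITCODE) {
    0   { Write-Host "Connected to $VpnName as $User" }
    691 { Write-Warning "Error 691: authentication rejected. Check that the username is the short account name and that the MX Client VPN settings (domain short name, DC IP, service account) are correct." }
    default { Write-Warning "rasdial failed with error $LASTEXITCODE" }
}

# Show the resulting connection state for the record.
Get-VpnConnection -Name $VpnName | Select-Object Name, ServerAddress, TunnelType, ConnectionStatus
```

`rasdial $VpnName /disconnect` tears the tunnel down again. Because the PSK and password are only ever prompted for and never written to the profile (`-RememberCredential:$false`), the script can be shared between testers without leaking secrets.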
Thank you very much for the help.