topic Re: Access Role not working? in Firewall and Security Management

Access Role not working?

biskit — Tue, 22 Mar 2022 18:09:37 GMT

I suspect I'm missing something obvious, so I'm after some help please.

I've set up remote access using Azure AD auth (Identity Provider) - both for Mobile Access (with SNX) and client VPN. Both authenticate fine and I get an Office Mode IP. Great.

I've configured an Access Role where I've specified certain users from Azure AD. When I click "add" it browses Azure AD with no problem, and I select the users I want.

The Access Role is in a rule allowing access to the LAN.

But it doesn't work. It's as if nothing is being picked up on that Access Role rule. Traffic is dropped on the cleanup.

If I add a rule lower down to allow the Office Mode net to get to the LAN, then my traffic works on that rule.

I can't work out why my traffic isn't allowed on the Access Role rule which has my Azure name in it? Obviously I don't want to leave the Office Mode rule in otherwise I have no way of creating rules based on the person. I presumed Access Roles should do this but they are being completely ignored 😞

I've tried with and without Remote Access in the VPN column, and also tried with Captive Portal in the Accept column. No difference...

Does anyone have any ideas please?!

Re: Access Role not working?

the_rock — Tue, 22 Mar 2022 23:46:38 GMT

Hey Matt,

Interesting issue for sure...I have experience with access roles, as I constantly work with customer who uses identity awareness. Here is some basics I would check...so, when it does not work, say if username is (for argument's sake) john123. If you ran command on the firewall pdp monitor user john123...do you see anything at all? If not, what happens is you run pdp update all and try after 30 seconds or so?

In case you still dont see anything, are there any logs at all on that rule since you created it?

What do you see if you run adlog a dc command?

I have some time Thursday, happy to do remote session and see if we can fix this for you.

Re: Access Role not working?

RS_Daniel — Wed, 23 Mar 2022 00:00:27 GMT

Hi,

On the gateway object, identity awareness tab, is "Remote Access" option checked on the list of Identity Sources? after the vpn client connects to the gateway, check if the firewall has any identity related to that IP "pdp monitor ip X.X.X.X" or "pep show user all | grep X.X.X.X"

Regards

Re: Access Role not working?

the_rock — Wed, 23 Mar 2022 00:23:18 GMT

Forgot that part about remote access, good point.

Re: Access Role not working?

biskit — Thu, 24 Mar 2022 10:35:36 GMT

I've done some more testing following installation of T38 and I've noticed the following behaviour.

When my access role is set to Users > All Identified Users, then my client traffic to the LAN works via the correct Access Role rule number, and I see the following on the gateway:

[Expert@xxxxxxxx:0]# pdp monitor user matt.dunn@xxxxxxxx.co.uk Session: 8874a8a4 Session UUID: {A496290D-51C6-D19F-FA8A-CCA85A19F050} Ip: 192.168.51.4 Users: Matt.Dunn@xxxxxxxx.co.uk {ecc188a5} LogUsername: Matt.Dunn@xxxxxxxxx.co.uk Groups: All Users Roles: Azure_AD_VPN_Client_Users Client Type: Remote Access Authentication Method: Trust Distinguished Name: Connect Time: Thu Mar 24 09:35:31 2022 Next Reauthentication: Thu Mar 24 17:36:01 2022 Next Connectivity Check: - Next Ldap Fetch: - Packet Tagging Status: Not Active Published Gateways: Local *****************************************************************

But, if I set my access role to Users > Specific Users then it does not work, and I get the following on the gateway:

[Expert@xxxxxxxx:0]# pdp monitor user matt.dunn@xxxxxxxx.co.uk Session: 63d74b8b Session UUID: {7B3C4106-7A78-07D5-13FA-4E5EFC0322F5} Ip: 192.168.51.4 Users: Matt.Dunn@xxxxxxxx.co.uk {04a3d0c5} LogUsername: Matt.Dunn@xxxxxxxx.co.uk Groups: All Users Roles: - Client Type: Remote Access Authentication Method: Trust Distinguished Name: Connect Time: Thu Mar 24 10:04:36 2022 Next Reauthentication: Thu Mar 24 18:05:06 2022 Next Connectivity Check: - Next Ldap Fetch: - Packet Tagging Status: Not Active Published Gateways: Local *****************************************************************

Notice when I specify users, and I log in as one of the specified users, the gateway no longer detects me as belonging to that access role. The "Roles:-" line is empty.

When I change back again to All Identified Users then it works again, the "Roles:-" line is populated again, and pdp monitor shows me in that access role.

So now the issue is - why doesn't it work when I specify usernames in the Access Role?

Re: Access Role not working?

the_rock — Thu, 24 Mar 2022 11:48:10 GMT

I really wish I could give you logical answer, but I dont know at this point. I would do IA debugs and see if we can pin point a reason. I will find the debugs TAC sent me once and send them to you here.

Andy

Re: Access Role not working?

biskit — Thu, 24 Mar 2022 12:05:56 GMT

Thanks Andy. I take a bit of comfort in the knowledge I'm not doing anything completely obviously wrong at this stage?!

Re: Access Role not working?

the_rock — Thu, 24 Mar 2022 12:27:00 GMT

Do you have time for remote session? I think we spoke once before during COVID, you are in UK if I recall? If so, if you are free at say 2 pm your time, just message me privately and we can do remote...I have some ideas.

Andy

Re: Access Role not working?

biskit — Fri, 08 Apr 2022 16:00:43 GMT

With some help from TAC I got it working. The current instructions from CP don't quite give the full story, so I've attached some notes to supplement and clarify some steps. The golden rule is - don't miss any steps in SK172909, and don't miss any steps in my attached supplementary notes which fill in some critical gaps in SK172909.

If anyone finds a different/simpler way to achieve this I'd love to know 🙂

Re: Access Role not working?

the_rock — Fri, 08 Apr 2022 17:24:11 GMT

Amazing job Matt, thanks for that!

Andy

Re: Access Role not working?

AK2 — Fri, 25 Nov 2022 22:42:11 GMT

Thanks - I needed to follow your AAD instructions to get matches on my AAD Identity Awareness policies. Much appreciated 🙂

Re: Access Role not working?

TRajkumar — Thu, 27 Feb 2025 12:21:01 GMT

Hello biskit

Detto i'm facing the same issue. But now i'm trying this on my trial Azure AD (Groups is not possible) and using users. Could you please help me with more details.

Re: Access Role not working?

TRajkumar — Tue, 11 Mar 2025 15:08:11 GMT

Hi Biskit

I also facing the same challenge, But in my case i'm using the cloudguard gateways (GCP). I tried the document you have shared but no luck for me. Cloud you please help me to resolve this.