topic Re: DynamicID implemented per Active Directory Group Membership in SASE and Remote Access

DynamicID implemented per Active Directory Group Membership

Crashesalot — Tue, 02 Jun 2020 20:21:32 GMT

Hello

For mobile access, I am trying to implement a solution in which members of a particular AD group is required the DynamicID OTP challenge and the rest of the users in the domain do not have this requirement.

I have seen similar discussions to what it is I am trying to do, but nothing that seems to be exactly that.

1) If you are a member of the "OTP AD Group" then you get the OTP challenge.

2) All other users pass thru with only username/password challenge.

Can anyone point me to a discussion where this has been clearly implemented or an SK?

Re: DynamicID implemented per Active Directory Group Membership

Darren_Fine — Thu, 04 Jun 2020 10:58:48 GMT

Hi there,

I also have a client who is interested in this type of solution.

Basically the use case is the client wants to force a particular type of Auth to a particular AD group....

(Is this not something that would have to be done on the remote access client rather than the firewall - since the firewall doesnt know which group the client is in until they auth - sort of a "what comes first - the chicken or the egg " type thing....)

Anyone got any ideas?

Re: DynamicID implemented per Active Directory Group Membership

MartinTzvetanov — Fri, 05 Jun 2020 11:59:28 GMT

If you configure something in GW for authentication, it is valid for everyone. You can't configure a group1 to use pass+dynamicid and group2 to use cert+pass based on AD groups.

You select what type of auth to use (when you use SSL portal) or during the installation of a VPN client before even enter your username.

I think of something raw solution.

Let's say you configure 2 ways for authentication in CP GW settings:

1) username+pass+dynamicid

2)username+pass+cert

You can switch between them in the VPN client GUI or in the SSL Mobile portal.

If you find a way to install and configure the laptops for group1 to use pass+dynamicid, for group2 - pass+cert and lock this configuration in the VPN client GUI you will achieve what you're looking for. Of course this is a hard work if you have more of laptops.

Another really raw solution - if you have 2 separate GWs for VPN, on gw1 configure user+pass+dynamicid, on gw2 configure username+pass+cert. Group1 initiate VPN to gw1 and group2 to gw2.

Re: DynamicID implemented per Active Directory Group Membership

Darren_Fine — Fri, 05 Jun 2020 15:22:34 GMT

Hi Martin,

Thanks for your reply - yes I also thought of this and I managed to change the trac.config file and use the cpmsi_tool.exe to roll a customised msi that only had the single auth version in the drop down - this seemed to work great ...

The only issue is when it connects to the vpn it learns the other methods and repopulates the Auth settings with all the options 🙂

I have not figured out if one can stop that happening as yet 🙂

Thanks

Re: DynamicID implemented per Active Directory Group Membership

MartinTzvetanov — Mon, 08 Jun 2020 06:37:14 GMT

yeah, the problem is how to lock the configuration of the client not to be able to change them auth methods when they are learned 🙂

Re: DynamicID implemented per Active Directory Group Membership

Crashesalot — Mon, 08 Jun 2020 20:48:19 GMT

Thanks to everyone for your replies and suggestions. I'm curious what this section of the authentications section would be used for? My VPN clients are working with username/password. Newer clients are bi-passing the Dynamic OTP, and I know how to correct that in the settings, but I am really curious what this section is for.

Re: DynamicID implemented per Active Directory Group Membership

MartinTzvetanov — Tue, 09 Jun 2020 06:19:41 GMT

this is how it's configure on my site. When I open the mobile access portal in the browser I have a drop-down menu where I select which method to use.