topic Re: How to restrict the MS Active Directory Authentication for remote access VPN to specific AD Gro in SASE and Remote Access

How to restrict the MS Active Directory Authentication for remote access VPN to specific AD Groups

Fzahinos — Wed, 01 Apr 2020 16:34:45 GMT

Hello everyone,

we are using AD users for remote access VPN. We have defined some Access Roles for serveral AD Groups, but, we have observed every AD user can log in via VPN client (end point sercurity), regardless the user has a security policy associated or not. If the user is not included in a security policy, of course, they are not able to access to some where, but, they still can do the log in successfully on the VPN client.

So, somehow, we would like to allow the AD authentication for remote access VPN just for those users belonging to the Access Roles or for some specific AD Groups.

How could we do this configuration?

Thanks for your help.

Re: How to restrict the MS Active Directory Authentication for remote access VPN to specific AD Gro

Wolfgang — Wed, 01 Apr 2020 19:20:34 GMT

Fzahinos,

on the RemoteAccess community you can restrict the access to VPN via local or LDAP user group. Remove the normally shown „all users“ and add your own ldap group. Every user not being member of this group will be not allowed to connect.

Wolfgang

Re: How to restrict the MS Active Directory Authentication for remote access VPN to specific AD Gro

Fzahinos — Thu, 02 Apr 2020 07:15:21 GMT

Thanks Wolfgang.

I have a doubt about this solution. In case an user is included in two LDAP or Users Local Groups, shoud I define the two LDAP Groups as Participant User Groups?

BR,

Fzahinos.

Re: How to restrict the MS Active Directory Authentication for remote access VPN to specific AD Gro

Wolfgang — Thu, 02 Apr 2020 08:54:33 GMT

Fzahinos,
if the user is in more then one Group, one Group is enough to allow the remote Access.
We are using normal rules with access_roles as source for allowing the specific access to Destination and services inside the Network.
With the group on the remote access community we're allowing the generally access to VPN. For this we created a new group in ActiveDirectory and reference them there. Now we can regulate which users can generally connect via remote access, regardless the access_roles.
Wolfgang

Re: How to restrict the MS Active Directory Authentication for remote access VPN to specific AD Gro

Bac26 — Thu, 02 Apr 2020 09:54:46 GMT

Hello

but in case you use access role on rules than you need to create ldap group to filter on the remote access community, bit annoying

Fabio

Re: How to restrict the MS Active Directory Authentication for remote access VPN to specific AD Gro

Wolfgang — Thu, 02 Apr 2020 11:48:46 GMT

@Bac26

yes you are right, it's little bit confusing.

But you can add only local or ldap groups to the remote access community, it would be better with a normal access role but that's how it works. Maybe one day Check Point will allow access roles with all configurations, but at the moment some things can be done only with ldap-groups

We added there only one ldap-group named "remote_access_allow_general". This is configured in two minutes and then you can forget about ldap-groups 😉

Wolfgang

Re: How to restrict the MS Active Directory Authentication for remote access VPN to specific AD Gro

Bac26 — Thu, 02 Apr 2020 11:59:07 GMT

what do you mean exaclty with "remote_access_allow_general"? anyway if you have different access role group you will need the matching one the remote access community, if not any user anyway will log in (even after without have access to resources)

Re: How to restrict the MS Active Directory Authentication for remote access VPN to specific AD Gro

Norbert_Bohusch — Thu, 02 Apr 2020 12:10:52 GMT

He means the LDAP group is specified only on first implementation and every VPN user is added to this group through AD.
Later on this group doesn't need to be changed configuration-wise in Check Point and only access roles need to be configured/modified to allow specific access on rules.

Re: How to restrict the MS Active Directory Authentication for remote access VPN to specific AD Gro

Wolfgang — Thu, 02 Apr 2020 12:25:05 GMT

@Norbert_Bohusch

you're right, thanks for clarification 😀

With this configuration anyone can login via VPN client, regardless the configured access rules.

With this configuration the login via vpn client is failing if the user is not member of the shown group. This is to restrict the generally access to the remote access vpn.

Re: How to restrict the MS Active Directory Authentication for remote access VPN to specific AD Gro

Bac26 — Thu, 02 Apr 2020 12:44:47 GMT

Ok got it what you mean!

Thank you
Fabio

Re: How to restrict the MS Active Directory Authentication for remote access VPN to specific AD Gro

Rui_Gomes_PT — Tue, 07 Apr 2020 09:27:46 GMT

Hi,
Does this works with nested groups?
Thanks

Re: How to restrict the MS Active Directory Authentication for remote access VPN to specific AD Gro

Wolfgang — Tue, 07 Apr 2020 11:34:19 GMT

Not sure, you have to try.

Following Mobile Access and Endpoint clients LDAP nested groups are not enforced correctly

it's not supported. But I think this article is meaning the access rules itself and not the group for the remote access community.

Wolfgang

Re: How to restrict the MS Active Directory Authentication for remote access VPN to specific AD Gro

Rajnesh_Chand — Sat, 11 Apr 2020 14:51:59 GMT

Hi,

I'm unable to either add custom ldap group or delete the default All Users group user Participant Users Group. Am i missing something?

Thanks

Raj

Re: How to restrict the MS Active Directory Authentication for remote access VPN to specific AD Gro

PointOfChecking — Fri, 19 Mar 2021 11:07:19 GMT

me too

Re: How to restrict the MS Active Directory Authentication for remote access VPN to specific AD Gro

PointOfChecking — Fri, 19 Mar 2021 15:59:03 GMT

You also need to create a new LDAP Group in the objects. Not a User Access Group.

Re: How to restrict the MS Active Directory Authentication for remote access VPN to specific AD Gro

Ilya_Yusupov — Wed, 24 Mar 2021 14:19:43 GMT

Hi,

just updating the thread that the issue raised by @PointOfChecking , solved.

In order for VPN to work as an identity source you must enable "Remote Access" checkbox under Identity Awareness properties.

it is also documented in Identity Awareness Admin Guide.

Thanks,

Ilya