topic Re: Do not view LDAP groups in SASE and Remote Access

Do not view LDAP groups

Rodrigo_Mezetti — Mon, 15 Feb 2021 18:48:13 GMT

Hey guys

I need to limit user authentication on vpn using endpoit security and even located in the community "remote access" and there is "all users" but there is no ldap groups for me to do this configuration, only the local group that I created and the local user appears .
In the environment I have several rules that are related to users in the ad, and I came across this situation.

Has anyone ever experienced this ?

Re: Do not view LDAP groups

the_rock — Mon, 15 Feb 2021 21:40:44 GMT

For something like that, use accessroles, not remote access groups.

Andy

Re: Do not view LDAP groups

PhoneBoy — Tue, 16 Feb 2021 00:03:18 GMT

That doesn’t prevent you from authenticating to the VPN but it can be used to prevent you from going anywhere if you do connect.
Preventing you from authenticating at all using anything other than a locally defined group of locally defined users is an RFE, I believe.

Re: Do not view LDAP groups

Rodrigo_Mezetti — Tue, 16 Feb 2021 20:27:52 GMT

I made the configuration creating and users / ldap group, indicating the path of the group in the active directory that has the users inside and it worked. Now only those who are in this group are authenticated.

Tanks

Re: Do not view LDAP groups

Karan0587 — Tue, 01 Jun 2021 23:31:31 GMT

Hey Mate,

I am trying to do the same, could you please share the config of AD and access policy as well.

Regards

Karan Sharma

Re: Do not view LDAP groups

Rodrigo_Mezetti — Wed, 02 Jun 2021 00:49:47 GMT

hi man.. sorry my english..

I created an ldap group, on the right of the smartconsole in user - ldap group. I informed the full path of the OU that has the users who will be able to "authenticate in vpn"
example:
dn-prefix set box
CN=AUTH_VPN - ,OU=Client_vpn,OU=Group,OU=test,DC=testlocal,DC=com,DC=br which is the path you can take in active director via adsi editor

After that I created the rules on the blade firewall/app access rules with the access that each user can have after authenticating, and set vpn ( remote access).
Some accessing remote desktop, others ssh , all under different rules and stating .
Remember to inform the group in the VPN domain of the internal servers in the gateway or cluster properties,

Re: Do not view LDAP groups

Karan0587 — Wed, 02 Jun 2021 08:08:22 GMT

Hi Rodrigo,

Thanks for your reply so authentication is fixed following your method although i am still confused as how to restrict the ports on the basis of some security groups only for eg i am attaching a rule which has access roles in source of security group with RDP access only and allowing 3389 tcp port.Is this the way or i have to create an inline layer underneath the actual remote access policy, can u share ur config ( blur the org details).