This website uses cookies. By browsing this website, you consent to the use of cookies. Learn more.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Highlighted
Crashesalot
Ivory
‎2020-06-02 01:21 PM

DynamicID implemented per Active Directory Group Membership

Hello

 

For mobile access, I am trying to implement a solution in which members of a particular AD group is required the DynamicID OTP challenge and the rest of the users in the domain do not have this requirement.  

I have seen similar discussions to what it is I am trying to do, but nothing that seems to be exactly that.

1) If you are a member of the "OTP AD Group" then you get the OTP challenge.

2)  All other users pass thru with only username/password challenge.

Can anyone point me to a discussion where this has been clearly implemented or an SK?

6 Replies
Highlighted
Darren_Fine
Nickel
‎2020-06-04 03:58 AM

Hi there,

 

I also have a client who is interested in this type of solution.

 

Basically the use case is the client wants to force a particular type of Auth to a particular AD group....

 

(Is this not something that would have to be done on the remote access client rather than the firewall - since the firewall doesnt know which group the client is in until they auth - sort of a "what comes first - the chicken or the egg " type thing....)

 

Anyone got any ideas?

Highlighted
MartinTzvetanov
Nickel
‎2020-06-05 04:59 AM

If you configure something in GW for authentication, it is valid for everyone. You can't configure a group1 to use pass+dynamicid and group2 to use cert+pass based on AD groups.

You select what type of auth to use (when you use SSL portal) or during the installation of a VPN client before even enter your username.

 

I think of something raw solution.

Let's say you configure 2 ways for authentication in CP GW settings:

1) username+pass+dynamicid

2)username+pass+cert

You can switch between them in the VPN client GUI or in the SSL Mobile portal. 

If you find a way to install and configure the laptops for group1 to use pass+dynamicid, for group2 - pass+cert and lock this configuration in the VPN client GUI you will achieve what you're looking for. Of course this is a hard work if you have more of laptops.

Another really raw solution - if you have 2 separate GWs for VPN, on gw1 configure user+pass+dynamicid, on gw2 configure username+pass+cert. Group1 initiate VPN to gw1 and group2 to gw2.

 

 

Highlighted
Darren_Fine
Nickel
‎2020-06-05 08:22 AM

Hi Martin,

 

Thanks for your reply - yes I also thought of this and I managed to change the trac.config file and use the cpmsi_tool.exe to roll a customised msi that only had the single auth version in the drop down - this seemed to work great ...

 

The only issue is when it connects to the vpn it learns the other methods and repopulates the Auth settings with all the options 🙂

 

I have not figured out if one can stop that happening as yet 🙂

 

Thanks

0 Kudos
Highlighted
MartinTzvetanov
Nickel
‎2020-06-07 11:37 PM

yeah, the problem is how to lock the configuration of the client not to be able to change them auth methods when they are learned 🙂
0 Kudos
Crashesalot
Ivory
‎2020-06-08 01:48 PM

 

help.jpg

Thanks to everyone for your replies and suggestions.  I'm curious what this section of the authentications section would be used for?  My VPN clients are working with username/password.  Newer clients are bi-passing the Dynamic OTP, and I know how to correct that in the settings, but I am really curious what this section is for.

0 Kudos
Highlighted
MartinTzvetanov
Nickel
‎2020-06-08 11:19 PM

 
 

1Capture.JPG

this is how it's configure on my site. When I open the mobile access portal in the browser I have a drop-down menu where I select which method to use.

0 Kudos