Fzahinos
Participant

How to restrict the MS Active Directory Authentication for remote access VPN to specific AD Groups


Hello everyone,

We are using AD users for remote access VPN. We have defined some Access Roles for several AD groups, but we have observed that every AD user can log in via the VPN client (Endpoint Security), regardless of whether the user has a security policy associated or not. If the user is not included in a security policy, of course, they are not able to access anything, but they can still log in successfully on the VPN client.

So, somehow, we would like to allow AD authentication for remote access VPN only for those users belonging to the Access Roles or to some specific AD groups.

How could we do this configuration?

Thanks for your help.

Wolfgang
Leader
Fzahinos,

in the RemoteAccess community you can restrict access to the VPN via a local or LDAP user group. Remove the normally shown "All Users" and add your own LDAP group. Every user who is not a member of this group will not be allowed to connect.

Wolfgang
Fzahinos
Participant

Thanks Wolfgang.

I have a doubt about this solution. In case a user is included in two LDAP or local user groups, should I define the two LDAP groups as Participant User Groups?

BR,

Fzahinos.

Wolfgang
Leader
Fzahinos,
if the user is in more than one group, one group is enough to allow the remote access.
We are using normal rules with access roles as source for allowing the specific access to destinations and services inside the network.
With the group on the remote access community we're allowing the general access to VPN. For this we created a new group in Active Directory and reference it there. Now we can regulate which users can generally connect via remote access, regardless of the access roles.
Wolfgang
Fabio_Curcio
Participant

Hello

but in case you use access roles on rules, then you need to create an LDAP group to filter on the remote access community, a bit annoying

Fabio

Wolfgang
Leader

@Fabio_Curcio 

yes, you are right, it's a little bit confusing.

But you can add only local or LDAP groups to the remote access community; it would be better with a normal access role, but that's how it works. Maybe one day Check Point will allow access roles in all configurations, but at the moment some things can only be done with LDAP groups.

We added there only one LDAP group named "remote_access_allow_general". This is configured in two minutes and then you can forget about LDAP groups 😉

Wolfgang

Fabio_Curcio
Participant

What do you mean exactly with "remote_access_allow_general"? Anyway, if you have different access role groups you will need the matching one on the remote access community; if not, any user will log in anyway (even without having access to resources).

Norbert_Bohusch
Advisor
He means the LDAP group is specified only on first implementation, and every VPN user is added to this group through AD.
Later on this group doesn't need to be changed configuration-wise in Check Point, and only access roles need to be configured/modified to allow specific access on rules.
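The approach described in the two posts above (one "gate" LDAP group on the Remote Access community, separate AD groups behind the Access Roles) leaves you with an AD housekeeping task: the gate group must contain every user who is in any of the role groups, and only those users. The following PowerShell script is an added example, not code from the thread or from Check Point; the group names, the role-group list and the `-Apply` switch are assumptions for illustration. It flattens nested membership on the AD side with `Get-ADGroupMember -Recursive`, because the gateway does not reliably expand nested LDAP groups (the article referenced later in this thread), and it warns if someone has nested a group directly inside the gate group.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread): keep a "gate" AD group in sync with the
# union of the role-specific AD groups that the Check Point Access Roles reference.
# The gate group is the one placed under "Participant User Groups" on the Remote
# Access community; the role groups stay as they are for the Access Role rules.
# Group names and the role-group list are hypothetical. Without -Apply the script
# only reports the changes it would make.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]   $GateGroup  = 'remote_access_allow_general',        # name used in the thread
    [string[]] $RoleGroups = @('vpn_role_finance', 'vpn_role_it'),  # hypothetical role groups
    [switch]   $Apply                                               # actually change AD
)

Import-Module ActiveDirectory -ErrorAction Stop

# Desired membership: every user reachable through any role group, nested groups flattened.
# Get-ADGroupMember -Recursive walks nested groups and returns the leaf objects.
$wanted = @{}
foreach ($g in $RoleGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $wanted[$_.distinguishedName] = $_ }
}

# Current direct user members of the gate group.
$current = @{}
Get-ADGroupMember -Identity $GateGroup |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $current[$_.distinguishedName] = $_ }

# Groups nested directly inside the gate group defeat the purpose, since the gateway
# will not expand them: report them so an admin can replace them with direct members.
Get-ADGroupMember -Identity $GateGroup |
    Where-Object { $_.objectClass -eq 'group' } |
    ForEach-Object { Write-Warning "Nested group '$($_.name)' inside $GateGroup will not be expanded by the gateway" }

$toAdd    = @($wanted.Keys  | Where-Object { -not $current.ContainsKey($_) })
$toRemove = @($current.Keys | Where-Object { -not $wanted.ContainsKey($_) })

Write-Host ("{0}: {1} users to add, {2} users to remove" -f $GateGroup, $toAdd.Count, $toRemove.Count)

if ($Apply) {
    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($GateGroup, "Add $($toAdd.Count) users")) {
        Add-ADGroupMember -Identity $GateGroup -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($GateGroup, "Remove $($toRemove.Count) users")) {
        Remove-ADGroupMember -Identity $GateGroup -Members $toRemove -Confirm:$false
    }
} else {
    $toAdd    | ForEach-Object { "ADD    $_" }
    $toRemove | ForEach-Object { "REMOVE $_" }
}
```

Run it without arguments first to see the diff; add `-Apply -WhatIf` to let `ShouldProcess` show what would be written, and `-Apply` alone to commit. Two things to keep in mind: `Get-ADGroupMember` is subject to the AD Web Services `MaxGroupOrMemberEntries` limit (5000 by default), so very large role groups need that limit raised or a different enumeration method, and removing a user from the gate group only stops new VPN logins; it does not terminate an already established session.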
Wolfgang
Leader

@Norbert_Bohusch 

you're right, thanks for clarification 😀

With this configuration anyone can log in via the VPN client, regardless of the configured access rules.

RemoteAccess_all.PNG

With this configuration the login via the VPN client fails if the user is not a member of the shown group. This is to restrict general access to the remote access VPN.

RemoteAccess_group.PNG


Fabio_Curcio
Participant

OK, got what you mean!

Thank you
Fabio
Rui_Gomes_PT
Contributor
Hi,
Does this work with nested groups?
Thanks
Wolfgang
Leader

Not sure, you have to try.

Following "Mobile Access and Endpoint clients LDAP nested groups are not enforced correctly", it's not supported. But I think this article refers to the access rules themselves and not to the group for the remote access community.

Wolfgang

Rajnesh_Chand
Explorer

Hi,


I'm unable to either add a custom LDAP group or delete the default All Users group under Participant User Groups. Am I missing something?

Thanks

Raj

PointOfChecking
Contributor

me too

PointOfChecking
Contributor

You also need to create a new LDAP Group in the objects, not a User Access Group.
Ilya_Yusupov
Employee

Hi,

just updating the thread that the issue raised by @PointOfChecking is solved.

In order for VPN to work as an identity source you must enable the "Remote Access" checkbox under Identity Awareness properties.

It is also documented in the Identity Awareness Admin Guide.

Thanks,

Ilya 
