How to restrict the MS Active Directory Authentication for remote access VPN to specific AD Groups

Hello everyone,

We are using AD users for remote access VPN. We have defined some Access Roles for several AD groups, but we have observed that every AD user can log in via the VPN client (Endpoint Security), regardless of whether the user has a security policy associated or not. If the user is not included in a security policy, of course, they are not able to access anything, but they can still log in successfully on the VPN client.

So, somehow, we would like to allow AD authentication for remote access VPN only for those users belonging to the Access Roles, or to some specific AD groups.

How could we do this configuration?

Thanks for your help.

Accepted Solutions
@Norbert_Bohusch 

You're right, thanks for the clarification 😀

With this configuration anyone can log in via the VPN client, regardless of the configured access rules.

[Screenshot: RemoteAccess_all.PNG]

With this configuration the login via the VPN client fails if the user is not a member of the shown group. This is to restrict general access to the remote access VPN.

[Screenshot: RemoteAccess_group.PNG]

12 Replies

Fzahinos,

On the Remote Access community you can restrict access to the VPN via a local or LDAP user group. Remove the normally shown "All Users" and add your own LDAP group. Every user who is not a member of this group will not be allowed to connect.

Wolfgang
Thanks Wolfgang.

I have a doubt about this solution. In case a user is included in two LDAP or local user groups, should I define the two LDAP groups as Participant User Groups?

BR,

Fzahinos.

Fzahinos,
If the user is in more than one group, one group is enough to allow remote access.
We are using normal rules with Access Roles as source to allow specific access to destinations and services inside the network.
With the group on the Remote Access community we're allowing general access to the VPN. For this we created a new group in Active Directory and reference it there. Now we can regulate which users can generally connect via remote access, regardless of the Access Roles.
Wolfgang
Hello

But in case you use Access Roles on rules, then you need to create an LDAP group to filter on the Remote Access community, a bit annoying.

Fabio

@Fabio_Curcio 

Yes, you are right, it's a little bit confusing.

But you can add only local or LDAP groups to the Remote Access community; it would be better with a normal Access Role, but that's how it works. Maybe one day Check Point will allow Access Roles in all configurations, but at the moment some things can be done only with LDAP groups.

We added there only one LDAP group named "remote_access_allow_general". This is configured in two minutes and then you can forget about LDAP groups 😉

Wolfgang


What do you mean exactly with "remote_access_allow_general"? Anyway, if you have different Access Role groups you will need the matching one in the Remote Access community; if not, any user will log in anyway (even without having access to resources).


He means the LDAP group is specified only on first implementation, and every VPN user is added to this group through AD.
Later on, this group doesn't need to be changed configuration-wise in Check Point, and only Access Roles need to be configured/modified to allow specific access on rules.

OK, got what you mean!

Thank you
Fabio

Hi,
Does this work with nested groups?
Thanks
Not sure, you have to try.

According to "Mobile Access and Endpoint clients LDAP nested groups are not enforced correctly", it's not supported. But I think this article means the access rules themselves and not the group for the Remote Access community.

Wolfgang
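To make the two checks discussed in this thread concrete (the community's Participant User Group decides who may log in at all, Access Roles in the rulebase decide what a logged-in user can reach, and nested membership only helps if the gateway resolves it), here is an added Python model. It is not Check Point code or code from anyone in the thread; the users, group names and destinations are constructed sample data.

```python
from collections import deque

# Constructed sample directory (not real AD data).
USERS = {"alice", "bob", "carol", "dave"}
MEMBER_OF = {                      # principal -> groups it is a direct member of
    "alice": {"remote_access_allow_general", "finance"},
    "bob": {"vpn-contractors"},    # only nested under the VPN gate group
    "carol": {"finance"},          # matches an Access Role, not in the VPN group
    "dave": set(),                 # the original poster's case: no policy at all
    "vpn-contractors": {"remote_access_allow_general"},
}
# Rulebase: Access Role (backed by an AD group) -> destinations it may reach.
ACCESS_ROLES = {"finance": {"erp.internal"}, "vpn-contractors": {"jump.internal"}}


def groups_of(principal, nested=False):
    """Direct groups, or every group reachable through nesting when nested=True."""
    seen, queue = set(), deque(MEMBER_OF.get(principal, ()))
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        if nested:
            queue.extend(MEMBER_OF.get(g, ()))
    return seen


def may_login(user, participant_group, nested=False):
    """Gate 1 (community Participant User Group): 'All Users' admits everyone."""
    if participant_group == "All Users":
        return True
    return participant_group in groups_of(user, nested)


def reachable(user, nested=False):
    """Gate 2 (rulebase): union of destinations of every matching Access Role."""
    groups = groups_of(user, nested)
    return set().union(*(t for role, t in ACCESS_ROLES.items() if role in groups))


def audit(participant_group, nested=False):
    """Per user: (can log in, destinations reachable after login)."""
    result = {}
    for user in sorted(USERS):
        ok = may_login(user, participant_group, nested)
        result[user] = (ok, reachable(user, nested) if ok else set())
    return result


if __name__ == "__main__":
    for gate in ("All Users", "remote_access_allow_general"):
        print(gate, audit(gate, nested=False))
```

With "All Users" every user logs in, including one who then reaches nothing; with the named group, only direct members pass, and a user held only through a nested group passes only when nested resolution is on.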

Hi,

I'm unable to either add a custom LDAP group or delete the default "All Users" group under Participant User Groups. Am I missing something?

Thanks

Raj
