CheckMates > Products > Quantum > Remote Access VPN
RAS authentication continues to work after Active Directory account is disabled.
Hi,
I’ve been working on setting up Machine and Personal certificates authentication for Remote Access VPN users for our customer and both are working fine.
As part of the testing, however, the customer disabled the test Active Directory (AD) user account, but the user was still able to authenticate to the VPN for more than an hour after the account was disabled. I found that if I installed the Security Policy as part of disabling/enabling an AD user account, the changes were immediate, but the customer understandably thinks that disabling an AD account should be sufficient to immediately revoke a user's access.
I’m not concerned with any sessions that might already be active as these can be disconnected. I’m only interested in preventing new Remote Access connections immediately after the AD account has been disabled.
Does anyone know how to change this behaviour so that after an AD account has been disabled, it cannot be used to authenticate the Remote Access VPN?
For info, this is a distributed install running R81.10 Take 66 and Endpoint Security VPN E86.60.
Ref: Remote Access Clients for Windows 24/10/2022 Page 61.
Regards,
Glen.
Most probably, this is related to the re-authentication timeouts and password caching. Please look into the RAS Admin Guide, "Remote Access Advanced Configuration" chapter.
Sorry, I misread your post. You are using a personal certificate, which is only checked vs AD after the CRL cache expires. The default time for the CRL cache is 60 min, which is consistent with your symptoms. Policy push is flushing the CRL cache. Everything described is expected behavior related to the authentication scheme in use.
There are a few alternatives:
1. Using AD username/password authentication
2. Reducing CRL cache timeout.
3. Pushing the policy.
Hi Val,
I know from testing that when an AD account is disabled, the Personal Certificate in the AD Certificate Authority is still valid and not revoked. I'm unsure, from the AD/CA perspective, how a seemingly valid Personal Certificate is then added to the CRL, which in turn is then updated and cached on the gateway.
I've checked, and the CRL in our customer's environment is configured to fetch a new CRL after 24 hours. I'll try reducing the CRL cache to 30 minutes to see if the behaviour changes.
Thanks for the info.
Glen.
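Val's explanation (the gateway evaluates a personal certificate against its cached CRL, not against the state of the AD account) and Glen's question about how a still-valid certificate ends up on the CRL point at the same gap: disabling the account does nothing to the certificate, so someone has to revoke it on the issuing CA and publish a new CRL before the gateway can ever see it as revoked. The PowerShell below is an added example for that CA-side step; it is not code from this thread or from Check Point. It assumes an AD CS issuing CA reachable via certutil, the ActiveDirectory RSAT module, rights to disable users and revoke certificates, that the user enrolled the certificate under their own account (so the CA database's RequesterName column holds DOMAIN\sAMAccountName), and that certutil's csv output lists one hex serial per line; the domain, CA config string and account name are invented placeholders.

```powershell
<#
Added example (not from the thread or from Check Point): pair the AD
account disable with revocation of the user's personal certificates on
the AD CS issuing CA and immediate CRL publication.
Assumptions (placeholders, not taken from the thread):
  - Runs where RSAT's ActiveDirectory module and certutil are available,
    under an account allowed to disable users and revoke on the CA.
  - Certificates were enrolled by the user, so the CA's RequesterName
    column is DOMAIN\sAMAccountName.
  - $Domain and $CaConfig below are invented names.
#>
Import-Module ActiveDirectory

function Disable-UserAndRevokeCerts {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $Domain   = 'CONTOSO',                                 # placeholder NetBIOS domain
        [string] $CaConfig = 'ca01.contoso.local\Contoso Issuing CA',  # placeholder "host\CA common name"
        [int]    $Reason   = 6   # certutil reason code; 6 = CertificateHold, reversible if the account is re-enabled
    )

    # 1. Disable the account (what the customer already does). This blocks
    #    AD username/password logons but leaves issued certificates untouched.
    Disable-ADAccount -Identity $SamAccountName -ErrorAction Stop

    # 2. List this requester's certificates that are currently issued
    #    (Disposition 20). Assumes certutil's csv output puts one quoted hex
    #    serial number per line; the header and the "command completed"
    #    trailer are dropped by the hex-only filter.
    $requester = "$Domain\$SamAccountName"
    $csv = certutil -config $CaConfig -view -restrict "RequesterName=$requester,Disposition=20" -out "SerialNumber" csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed against $CaConfig" }
    $serials = $csv |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object   { $_ -match '^[0-9a-fA-F]+$' }

    if (-not $serials) {
        Write-Warning "No issued certificates found for $requester; nothing to revoke."
        return @()
    }

    # 3. Revoke each certificate on the CA. Until this happens the
    #    certificate is valid no matter what state the AD account is in.
    foreach ($serial in $serials) {
        certutil -config $CaConfig -revoke $serial $Reason | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Failed to revoke serial $serial on $CaConfig" }
        Write-Host "Revoked $serial (reason $Reason) for $requester"
    }

    # 4. Publish a new CRL now rather than waiting for the CA's scheduled
    #    publication. The gateway keeps using its cached CRL until that cache
    #    expires or the policy is pushed, so this shortens the window; it
    #    does not close it on its own.
    certutil -config $CaConfig -CRL | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "CRL publication failed on $CaConfig" }

    return $serials
}

# Usage (placeholder account name):
# Disable-UserAndRevokeCerts -SamAccountName 'vpntest'
```

Run this as the offboarding step instead of a bare Disable-ADAccount. The revocation only reaches the gateway on its next CRL fetch, so it has to be combined with one of Val's gateway-side options: a shorter CRL cache timeout (configured as described in the RAS Admin Guide's "Remote Access Advanced Configuration" chapter) or a policy push, which flushes the cache. Reason code 6 (CertificateHold) is chosen because Glen's customer disables and re-enables accounts; a permanent leaver would normally get a non-reversible reason such as 3 (AffiliationChanged).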
Uh right, it could be 24 hours. As I said before, if your customer is expecting the users to be cut immediately after account suspension, a personal certificate is not a good option.