biskit
Advisor

Access Role not working?

I suspect I'm missing something obvious, so I'm after some help please.

I've set up remote access using Azure AD auth (Identity Provider) - both for Mobile Access (with SNX) and client VPN.  Both authenticate fine and I get an Office Mode IP.  Great.

I've configured an Access Role where I've specified certain users from Azure AD.  When I click "add" it browses Azure AD with no problem, and I select the users I want.

The Access Role is in a rule allowing access to the LAN.

But it doesn't work.  It's as if nothing is being picked up on that Access Role rule.  Traffic is dropped on the cleanup.

If I add a rule lower down to allow the Office Mode net to get to the LAN, then my traffic works on that rule.

I can't work out why my traffic isn't allowed on the Access Role rule which has my Azure name in it?   Obviously I don't want to leave the Office Mode rule in otherwise I have no way of creating rules based on the person.  I presumed Access Roles should do this but they are being completely ignored 😞

I've tried with and without Remote Access in the VPN column, and also tried with Captive Portal in the Accept column.  No difference...

Does anyone have any ideas please?! 

10 Replies
the_rock
Champion

Hey Matt,

Interesting issue for sure... I have experience with access roles, as I constantly work with customers who use Identity Awareness. Here are some basics I would check. When it does not work, say the username is (for argument's sake) john123: if you run the command pdp monitor user john123 on the firewall, do you see anything at all? If not, what happens if you run pdp update all and try again after 30 seconds or so?

In case you still don't see anything, are there any logs at all on that rule since you created it?

What do you see if you run the adlog a dc command?

I have some time Thursday, happy to do remote session and see if we can fix this for you.

biskit
Advisor

I've done some more testing following installation of T38 and I've noticed the following behaviour.

When my access role is set to Users > All Identified Users, then my client traffic to the LAN works via the correct Access Role rule number, and I see the following on the gateway:

[Expert@xxxxxxxx:0]# pdp monitor user matt.dunn@xxxxxxxx.co.uk
Session: 8874a8a4
Session UUID: {A496290D-51C6-D19F-FA8A-CCA85A19F050}
Ip: 192.168.51.4
Users:  
 Matt.Dunn@xxxxxxxx.co.uk {ecc188a5}
  LogUsername: Matt.Dunn@xxxxxxxxx.co.uk
  Groups: All Users
  Roles: Azure_AD_VPN_Client_Users
  Client Type: Remote Access
  Authentication Method: Trust
  Distinguished Name: 
  Connect Time: Thu Mar 24 09:35:31 2022
  Next Reauthentication: Thu Mar 24 17:36:01 2022
  Next Connectivity Check: -
  Next Ldap Fetch: -
Packet Tagging Status: Not Active
Published Gateways: Local
*****************************************************************


But, if I set my access role to Users > Specific Users then it does not work, and I get the following on the gateway:

[Expert@xxxxxxxx:0]# pdp monitor user matt.dunn@xxxxxxxx.co.uk
Session: 63d74b8b
Session UUID: {7B3C4106-7A78-07D5-13FA-4E5EFC0322F5}
Ip: 192.168.51.4
Users:  
 Matt.Dunn@xxxxxxxx.co.uk {04a3d0c5}
  LogUsername: Matt.Dunn@xxxxxxxx.co.uk
  Groups: All Users
  Roles: -
  Client Type: Remote Access
  Authentication Method: Trust
  Distinguished Name: 
  Connect Time: Thu Mar 24 10:04:36 2022
  Next Reauthentication: Thu Mar 24 18:05:06 2022
  Next Connectivity Check: -
  Next Ldap Fetch: -
Packet Tagging Status: Not Active
Published Gateways: Local
*****************************************************************


Notice that when I specify users, and I log in as one of the specified users, the gateway no longer detects me as belonging to that Access Role. The "Roles: -" line is empty.

When I change back to All Identified Users it works again, the "Roles:" line is populated again, and pdp monitor shows me in that Access Role.

So now the issue is - why doesn't it work when I specify usernames in the Access Role?

the_rock
Champion

I really wish I could give you a logical answer, but I don't know at this point. I would do IA debugs and see if we can pinpoint a reason. I will find the debugs TAC sent me once and post them to you here.

Andy

biskit
Advisor

Thanks Andy. I take a bit of comfort in the knowledge that I'm not doing anything completely obviously wrong at this stage?!

the_rock
Champion

Do you have time for a remote session? I think we spoke once before during COVID; you are in the UK if I recall? If so, and if you are free at say 2 pm your time, just message me privately and we can do a remote session... I have some ideas.

Andy

RS_Daniel
Advisor

Hi,

On the gateway object, Identity Awareness tab, is the "Remote Access" option checked in the list of Identity Sources? After the VPN client connects to the gateway, check whether the firewall has any identity related to that IP: "pdp monitor ip X.X.X.X" or "pep show user all | grep X.X.X.X".

Regards
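Added example, not written by any of the posters in this thread: a small shell helper for the Expert-mode checks suggested above (the_rock's pdp monitor user / pdp update all step, RS_Daniel's "does PDP hold any identity for this IP" check, and the "Roles: -" symptom in Matt's second capture). It classifies pdp monitor user output into the three states the thread walks through and prints the follow-up check the thread associates with each. The two sample outputs are constructed to match the shape of the captures posted above; the hostname, IP addresses and session IDs are placeholders, and the live invocation shown in a comment assumes you are in Expert mode on the gateway.

```shell
#!/bin/sh
# Added example: classify `pdp monitor user` output so the "Roles: -" symptom
# can be spotted by script rather than by eye. Samples are CONSTRUCTED from the
# shape of the captures in the thread; names, IPs and session IDs are placeholders.

# Session exists and an Access Role matched (the "All Identified Users" case).
SAMPLE_MATCHED='Session: 8874a8a4
Ip: 192.168.51.4
Users:
 Matt.Dunn@example.co.uk {ecc188a5}
  LogUsername: Matt.Dunn@example.co.uk
  Groups: All Users
  Roles: Azure_AD_VPN_Client_Users
  Client Type: Remote Access
  Authentication Method: Trust'

# Session exists but no Access Role matched (the "Specific Users" case).
SAMPLE_UNMATCHED='Session: 63d74b8b
Ip: 192.168.51.4
Users:
 Matt.Dunn@example.co.uk {04a3d0c5}
  LogUsername: Matt.Dunn@example.co.uk
  Groups: All Users
  Roles: -
  Client Type: Remote Access
  Authentication Method: Trust'

# pdp printed no user block at all: the identity never reached PDP.
SAMPLE_NOSESSION=''

# classify_pdp_output OUTPUT
# Prints exactly one of:
#   NO_SESSION   no "Users:" block (PDP holds no identity for this user/IP)
#   NO_ROLE      a session exists but "Roles:" is "-" or absent
#   ROLE:<list>  a session exists and at least one Access Role matched
classify_pdp_output() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*Users:/ { users = 1 }
        /^[[:space:]]*Roles:/ {
            sub(/^[[:space:]]*Roles:[[:space:]]*/, "")
            roles = $0; seen = 1
        }
        END {
            if (!users)                     print "NO_SESSION"
            else if (!seen || roles == "-") print "NO_ROLE"
            else                            print "ROLE:" roles
        }'
}

# next_step CLASSIFICATION
# Maps a classification to the check the thread suggests for that state.
next_step() {
    case "$1" in
        NO_SESSION) echo "no identity in PDP: confirm Remote Access is enabled as an Identity Source, then try 'pdp update all' and re-check" ;;
        NO_ROLE)    echo "identity known but no Access Role matched: review the role's user/group selection" ;;
        ROLE:*)     echo "Access Role matched: ${1#ROLE:}" ;;
        *)          echo "unknown state" ;;
    esac
}

# Live use on a gateway in Expert mode (not run here; assumes the pdp CLI):
#   c=$(classify_pdp_output "$(pdp monitor user "$user")"); next_step "$c"
for s in "$SAMPLE_MATCHED" "$SAMPLE_UNMATCHED" "$SAMPLE_NOSESSION"; do
    c=$(classify_pdp_output "$s")
    echo "$c -> $(next_step "$c")"
done
```

The distinction the helper makes is the one that matters for triage: NO_SESSION means the VPN identity is not being fed to PDP at all (an Identity Source or gateway-side problem), while NO_ROLE means PDP knows who you are but the Access Role definition does not match that identity, which is where the SK172909 steps come in.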

the_rock
Champion

Forgot that part about remote access, good point.

biskit
Advisor

With some help from TAC I got it working. The current instructions from CP don't quite give the full story, so I've attached some notes to supplement and clarify some steps. The golden rule is: don't miss any steps in SK172909, and don't miss any steps in my attached supplementary notes, which fill in some critical gaps in SK172909.

If anyone finds a different/simpler way to achieve this I'd love to know 🙂

the_rock
Champion

Amazing job Matt, thanks for that!

Andy

AK2
Contributor

Thanks - I needed to follow your AAD instructions to get matches on my AAD Identity Awareness policies. Much appreciated 🙂
