constant69
Explorer

Mobile Access - AD users not belonging to an access role have access to mobile access portal

Hi team,

I need your help on this matter.

Here is the environment

  • R80.40
  • Dedicated Management
  • Cluster of 5600

We are using MS Active Directory integration with Mobile Access and we defined access roles.

But AD users not belonging to an access role have access to the Mobile Access portal. Why? In the log we see in the usergroup field "user do not belong to any group".

I want to know if this is expected behaviour? From my understanding, an Access Role is how the firewall determines which users are allowed access, and those that are not defined will be dropped.

Regards

7 Replies
PhoneBoy
Admin

It may be depending on how you've configured it.
Screenshots of the relevant configuration would be helpful.

constant69
Explorer

Hi PhoneBoy,

Thanks for your reply.

This is a basic configuration in R80.40 (I have the same behavior in my lab on R80.10):

- 2 access roles

- 2 rules with both access roles in the source and the Mobile Access application

I have attached screenshots

Regards

Wolfgang
Leader

@constant69 

Are the users with no group membership able to log in only, and do they not see any MOB-defined application?

Wolfgang

constant69
Explorer

Hi,

The users with no group membership are able to log in only, and they do not see any MOB-defined application.

Regards

Wolfgang
Leader

Ok, looks like expected behaviour.

If the gateway is a member of the Remote Access community and the "Participant User Groups" is set to "All Users", this is working as designed.

The users can authenticate but have no access to any MOB application or VPN connection.

If you want to limit it to a specific user group you have to define it and replace the "All Users". If you don't use any remote-access VPN on your gateway (SSL extender, Check Point Mobile etc.) you can remove the gateway from the Remote Access community.

Wolfgang

constant69
Explorer

Thanks for your help on this matter.

To sum up, as we cannot select Access Roles, the following procedure is relevant:
1) Create an LDAP group that contains the AD users allowed.
2) Then select that LDAP group in the Remote Access community.

Regards

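The thread turns on a split between two decisions: the Remote Access community's "Participant User Groups" setting gates who may authenticate to the Mobile Access portal at all, while the Access Roles in the rulebase only decide which applications an authenticated user is shown. The following is an added example that models that split in plain Python so the "login but no apps" outcome and the effect of the fix can be checked side by side. It is not Check Point code and does not reproduce the product's evaluation engine; the user names, LDAP group names, role names and application names are constructed sample data, and the "MOB_Allowed" LDAP group stands in for the group the thread tells you to create.

```python
"""Model of the authentication gate vs. authorization gate for a Mobile
Access portal, as described in the thread. Added example, not product code.
All names below are constructed sample data."""

from dataclasses import dataclass, field

# Name used by the community setting that admits every directory user.
ALL_USERS = "All Users"


@dataclass
class User:
    name: str
    ldap_groups: set = field(default_factory=set)


@dataclass
class AccessRole:
    name: str
    member_groups: set  # LDAP groups whose members match this role


@dataclass
class PortalPolicy:
    participant_groups: set        # community "Participant User Groups"
    roles: dict                    # role name -> AccessRole
    rules: dict                    # role name -> set of MOB applications


def can_authenticate(user: User, policy: PortalPolicy) -> bool:
    """Stage 1: is the user admitted to the portal login at all?"""
    if ALL_USERS in policy.participant_groups:
        return True
    return bool(user.ldap_groups & policy.participant_groups)


def visible_applications(user: User, policy: PortalPolicy) -> set:
    """Stage 2: which applications do the access-role rules grant?"""
    apps = set()
    for role_name, app_set in policy.rules.items():
        role = policy.roles[role_name]
        if user.ldap_groups & role.member_groups:
            apps |= app_set
    return apps


def evaluate(user: User, policy: PortalPolicy) -> dict:
    """Combine both stages into the outcome the user experiences."""
    if not can_authenticate(user, policy):
        return {"login": False, "apps": set(), "note": "rejected at login"}
    apps = visible_applications(user, policy)
    note = "no access role matched" if not apps else "ok"
    return {"login": True, "apps": apps, "note": note}


# --- constructed sample data -------------------------------------------
ROLES = {
    "Role_Finance": AccessRole("Role_Finance", {"Finance"}),
    "Role_IT": AccessRole("Role_IT", {"IT"}),
}
RULES = {
    "Role_Finance": {"Finance-Intranet"},
    "Role_IT": {"Admin-RDP"},
}

# Before the fix: every directory user is a participant.
BEFORE = PortalPolicy({ALL_USERS}, ROLES, RULES)
# After the fix: only members of a dedicated LDAP group may even log in.
AFTER = PortalPolicy({"MOB_Allowed"}, ROLES, RULES)

ALICE = User("alice", {"Finance", "MOB_Allowed"})   # in a role and allowed
BOB = User("bob", set())                            # valid AD user, no groups


def demo() -> dict:
    """Return the four outcomes so they can be inspected or asserted on."""
    return {
        "alice_before": evaluate(ALICE, BEFORE),
        "bob_before": evaluate(BOB, BEFORE),
        "alice_after": evaluate(ALICE, AFTER),
        "bob_after": evaluate(BOB, AFTER),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:13s} login={outcome['login']!s:5s} "
              f"apps={sorted(outcome['apps'])} ({outcome['note']})")
```

With "All Users" as participant, bob authenticates successfully and then matches no role, which is exactly the empty-portal, "does not belong to any group" situation in the thread. Narrowing the participant groups to a dedicated LDAP group moves the rejection to the login stage, so accounts that were never meant to use Mobile Access no longer reach the authenticated part of the portal; alice, who is in that group and in a role, is unaffected.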
constant69
Explorer

Hi Wolfgang,

Thanks for your help on this matter: that solved my issue!

Regards
