constant69
Contributor
Mobile Access - AD users not belonging to an access role have access to mobile access portal

Hi team,

I need your help on this matter.


Here is the environment

  • R80.40
  • Dedicated Management
  • Cluster of 5600

We are using MS Active Directory integration with Mobile Access and we have defined access roles.

But AD users not belonging to an access role have access to the mobile access portal. Why? In the log we see, in the usergroup field, "user do not belong to any group".

I want to know if this is expected behaviour. From my understanding, an Access Role is how the firewall determines which users are allowed access, and those that are not defined will be dropped.

Regards

Accepted Solutions
Wolfgang
Authority

Ok, looks like expected behaviour.

If the gateway is a member of the remote access community and the "participant user groups" is set to "all users", this is working as designed.

The users can authenticate but have no access to any MOB application or VPN connection.

If you want to limit it to a specific user group, you have to define it and replace "all users". If you don't use any remote-access VPN on your gateway (SSL Network Extender, Check Point Mobile etc.) you can remove the gateway from the remote access community.

Wolfgang

PhoneBoy
Admin

It may depend on how you've configured it.
Screenshots of the relevant configuration would be helpful.

constant69
Contributor

Hi PhoneBoy,

Thanks for your reply.

This is a basic configuration in R80.40 (I have the same behavior in my R80.10 lab):

- 2 Access roles

- 2 rules with both access roles in the source and the Mobile Access application

I have attached screenshots


Regards

Wolfgang
Authority

@constant69 

Are the users with no group membership able to log in only, and do they not see any MOB-defined application?

Wolfgang

constant69
Contributor

Hi,

The users with no group membership are able to log in only; they do not see any MOB-defined application.

Regards

constant69
Contributor

Thanks for your help on this matter.

To sum up, as we cannot select Access Roles, the following procedure applies:
1) Create an LDAP group that contains the allowed AD users
2) Then select this LDAP group in the remote access community

Regards

constant69
Contributor

Hi Wolfgang,

Thanks for your help on this matter; that solved my issue!

Regards
