D_TK
Contributor

Remote access identities and non-authenticating gateways

As the title suggests, I'm trying to figure out how to get remote access identity/IP associations to all the other gateways in the environment for policy rules. I must be missing something.

  • All versions are at least R80.20
  • We use the CP mobile client with CP internal users and .p12 certs. Using office mode.
  • All clients come in via one gateway and once authenticated, can route to 8 other gateways via an any-to-any MPLS mesh
  • We use IDC to collect and distribute our domain identities to all gateways. In addition, I've enabled "identity sharing" on the gateway that authenticates remote access, and set all other gateways to "get identities" from it, with "remote access" selected as an "identity source".
  • This is really only an issue for remote access users that are not in our domain.  A remote access user that is in our domain will be identified correctly by the IDC within a few seconds of logging on via remote access.

Here is an example of a connection via a remote access user to inside the network.

remote user -> GatewayA -> MPLS -> GatewayB -> server

looking at the logs for that connection:

  • The log from GatewayA would show the AD user account + remote access user name. This is expected.
  • The log from GatewayB would only show the AD user account. If the remote user is a vendor and not in our domain, I can't use their identity in a rule/role unless I use the ipassignment.conf file, which is untenable.

Sorry for the long post, any help would be appreciated. Is there a way to get the remote access username/IP association to the non-authenticating gateways?

Thanks.

4 Replies
PhoneBoy
Admin

Group for Identity Awareness purposes usually comes from LDAP.
You could do something like "any identified user" to handle vendors versus your internal users, which would be in specific AD groups.
Or did that not work?

D_TK
Contributor

Thanks for replying, much appreciated.

That would open the rule up to too many users; the vendors would normally have access to something that most generic users wouldn't have access to. So there's no way for the "VPN concentrator" gateway to share those locally authenticated VPN user/IP associations with the other gateways? If not, do you know if a blend of ipassignment.conf and DHCP office mode works? I can add the few vendors in the conf file and create static objects for their access, as long as the gateway doesn't dynamically assign addresses that are in the conf file.

I'd love to hear how other sites handle this: VPN users get authenticated on one gateway, and you need to apply granular policy around their access to other gateways.

As always, any guidance is appreciated.

Nüüül
Advisor

Hello,


I would try to add these users at the MPLS-participating gateways too. Passwords and the certificate they are using will not matter, I assume. Or add such "dummy users" at the AD or another "standalone" LDAP source.

How many external users are there? The first one might be much more work, but you keep the AD free from those externals.

PhoneBoy
Admin

You should be able to create a rule that denies your internal users in defined groups access to the relevant resources.
That rule would be above your rule allowing “all identified users.”

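To make the two workarounds discussed in this thread concrete, here is an added example (not code from the thread or from Check Point) that models the non-authenticating gateway's view. It covers D_TK's proposed blend of static user/IP entries with DHCP office mode, including the check that the static addresses do not fall inside the office-mode pool, and PhoneBoy's rule ordering of a deny for internal AD groups above an allow for "all identified users". The identities, addresses, pool, rule names and the simplified "gateway addr ip mask user" entry syntax are all constructed assumptions for illustration; they are not taken from a real gateway or from the actual ipassignment.conf format.

```python
"""Model of GatewayB's identity view: it only knows AD identities received via
the Identity Collector plus any static user/IP pairs, so a vendor who is not in
the domain is unidentified unless a static entry covers their address.
All data below is constructed for this example."""
import ipaddress

# Constructed: identities GatewayB learned via IDC (AD users only, with groups).
IDC_IDENTITIES = {
    "10.77.0.10": ("alice", {"CORP\\Domain Users", "CORP\\Finance"}),
    "10.77.0.11": ("bob", {"CORP\\Domain Users"}),
}

# Constructed static entries in an assumed simplified syntax
# "<gateway> addr <ip> <mask> <user>" (not the verified ipassignment.conf format).
STATIC_ASSIGNMENTS = """\
# gateway   type  address      mask             user
GatewayA    addr  10.77.0.250  255.255.255.255  vendor1
GatewayA    addr  10.77.0.251  255.255.255.255  vendor2
GatewayA    addr  10.77.0.20   255.255.255.255  vendor3   # inside the DHCP pool
"""

# Constructed: office-mode DHCP pool handed out by the authenticating gateway.
OFFICE_MODE_POOL = ipaddress.ip_network("10.77.0.0/25")  # 10.77.0.0 - 10.77.0.127


def parse_static_assignments(text):
    """Return {ip: user} from the assumed static-assignment syntax."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        _gateway, kind, addr, _mask, user = line.split()[:5]
        if kind != "addr":
            raise ValueError(f"unsupported entry type {kind!r}")
        entries[str(ipaddress.ip_address(addr))] = user
    return entries


def pool_collisions(static, pool):
    """Static addresses the DHCP pool could also assign to someone else.
    Any hit here means a dynamic client may inherit the vendor's identity."""
    return sorted(ip for ip in static if ipaddress.ip_address(ip) in pool)


def identity_table(idc, static):
    """Merge IDC identities with static entries. Statically mapped vendors are
    'identified' but carry no AD groups, which is what the rulebase relies on."""
    table = dict(idc)
    for ip, user in static.items():
        table.setdefault(ip, (user, set()))
    return table


# Constructed rulebase, evaluated top-down, first match wins.
# groups=None means "any identified user"; groups={...} needs a group overlap.
RULES = [
    {"name": "deny internal users", "groups": {"CORP\\Domain Users"},
     "dst": "vendor-server", "action": "drop"},
    {"name": "allow identified", "groups": None,
     "dst": "vendor-server", "action": "accept"},
]
CLEANUP = ("cleanup", "drop")


def evaluate(src_ip, dst, table):
    """Return (rule name, action) for a connection as GatewayB would decide it."""
    ident = table.get(src_ip)
    for rule in RULES:
        if rule["dst"] != dst or ident is None:
            continue                      # identity rules never match unidentified sources
        _user, groups = ident
        if rule["groups"] is None or rule["groups"] & groups:
            return rule["name"], rule["action"]
    return CLEANUP


if __name__ == "__main__":
    static = parse_static_assignments(STATIC_ASSIGNMENTS)
    print("static entries inside office-mode pool:", pool_collisions(static, OFFICE_MODE_POOL))
    table = identity_table(IDC_IDENTITIES, static)
    for ip in ("10.77.0.250", "10.77.0.10", "10.77.0.99"):
        print(ip, "->", evaluate(ip, "vendor-server", table))
```

Running it shows the three outcomes the thread cares about: the statically mapped vendor is accepted by the "allow identified" rule, the internal AD user is stopped by the deny rule placed above it, and an address with no identity at all falls to cleanup. The collision check flags the one static entry that overlaps the office-mode pool, which is the condition D_TK's blended approach depends on avoiding.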