As the title suggests, I'm trying to figure out how to get the remote access identity/IP association to all the other gateways in the environment for policy rules - I must be missing something.
- All versions are at least R80.20
- We use the CP mobile client with CP internal users & .p12 certs. Using Office Mode.
- All clients come in via one gateway and once authenticated, can route to 8 other gateways via an any-to-any MPLS mesh
- We use IDC to collect and distribute our domain identities to all gateways. In addition, I've enabled "identity sharing" on the gateway that authenticates remote access, and set all other gateways to "get identities" from it - with "remote access" selected as an "identity source".
- This is really only an issue for remote access users that are not in our domain. A remote access user that is in our domain will be identified correctly by the IDC within a few seconds of logging on via remote access.
Here is an example of a connection via a remote access user to inside the network.
remote user -> GatewayA -> MPLS -> GatewayB -> server
looking at the logs for that connection:
- The log from GatewayA would show the AD user account + remote access user name. This is expected.
- The log from GatewayB would only show the AD user account. If the remote user is a vendor and not in our domain, I can't use their identity in a rule/role unless I use the ipassignment.conf file - which is untenable.
Sorry for the long post, any help would be appreciated. Is there a way to get the remote access username/ip association to the non-authenticating gateways?
Thanks.