smaguire (Canada)
WatchGuard VPN Connection Setup

This question is continuation of this question:
https://www.experts-exchange.com/questions/23885304/WatchGuard-Firewall-Setting-up-VPN-IPSec.html?anchorAnswerId=22922710#a22922710

We created a group on our server, "VPN_AD", and assigned some users to it. We can authenticate just fine; however, users outside this VPN_AD group (other Active Directory users) can still authenticate as well.

Is there any way to limit access to only those users in the VPN_AD group?

smaguire (ASKER)
There must be something easy to let the Firebox know that if this user XXX is not part of the VPN_AD group, then simply reject his/her connection and don't let them authenticate.
Anyone know?
dpk_wal
Hi,

If the user you have configured is not part of the VPN group, then he would not get authenticated; typically this is what should happen. Let's say on AD you have the group VPN_AD with users a and b as the only members.
Now a third user, c, connects to the VPN; the Firebox sends c's details to AD, and as c is not part of the VPN_AD group, AD sends a reject, and the Firebox would deny any further access to the user. The point to understand here is that if for some reason AD sends allow or accept, then the FB would allow user c.
Finally, in the policy that was created to allow access for remote users, again if AD says allow, that policy would be used to grant remote users access to the shared resources.

Please check what response AD sends to the FB; you can enable logging and you would be able to see the logs at runtime in Firebox System Manager.

As I already told you, I would not be able to assist you with AD configuration or settings.

Thank you.
Thanks dpk_wal for your reply.
I understand your answer and it's logical, but the problem I am facing (I think) is within the Firebox itself and not with AD. The Firebox is authenticating against all users in AD and not a group within AD, so this makes me believe that I am missing something, like adding a MemberOf string or something like that.
It looks to us that every time we enter a user, the FB grabs its username and password and passes them to AD, saying "here is a user I have and I want to know if he/she is an Active Directory user or not."
Checking the logs, everything is being granted access within Active Directory regardless of its group.
Thanks again
Did you upload the settings file to the client again after you made changes to the Firebox? Every time you make a change, the client either needs to be updated manually or you need to take the .wgx file and reload it.

Normally, if the user is not part of the group, which should be the same on both AD and the Firebox, then AD sends a deny.

Thank you.
Yes, I did, but the Firebox still authenticates it. I think I have to talk to WatchGuard and see what they think.

Thanks
It seems the AD authentication checks to see if the user exists in AD for a successful authentication. What we want to do is check whether a user is a member of a security group in AD, not whether they exist. I'm not sure if this is possible with the AD interface in the WatchGuard. We realize we can search a specific directory location in AD, but this does not help us, as our users already have a structure which we cannot modify to place users in a VPN ALLOWED folder. The Group String is interesting, because what we really want to query is something like memberOf = Mobile Users.

Have you ever seen this type of configuration done?
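As an added illustration (not code from this thread, from WatchGuard, or from Microsoft), the following Python models the two checks being discussed: a simple bind, which succeeds for any valid AD credential and so lets user c in, and a memberOf search filter, which only matches VPN_AD members. The directory entries, group DNs and passwords are constructed for the example, and the filter parser handles only the small RFC 4515 subset the example needs.

```python
# Added example: a bind-only check admits every AD account; a memberOf filter does not.
# Constructed stand-in for AD (made-up DNs and passwords): a and b are in VPN_AD, c is not.
VPN_GROUP_DN = "CN=VPN_AD,OU=Groups,DC=example,DC=local"
STAFF_DN = "CN=Staff,OU=Groups,DC=example,DC=local"
DIRECTORY = {
    "a": {"password": "pw-a", "memberOf": [VPN_GROUP_DN, STAFF_DN]},
    "b": {"password": "pw-b", "memberOf": [VPN_GROUP_DN]},
    "c": {"password": "pw-c", "memberOf": [STAFF_DN]},
}


def simple_bind(user, password):
    """Authentication only: succeeds for ANY valid AD account (what the asker's logs show)."""
    entry = DIRECTORY.get(user)
    return entry is not None and entry["password"] == password


def parse_filter(s, i=0):
    """Parse a minimal RFC 4515 filter: (attr=value), (&(..)(..)), (|(..)(..)).
    Returns (node, index just past the filter). Values must not contain ')'."""
    if s[i + 1] in "&|":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] != ")":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1
    close = s.index(")", i)
    attr, value = s[i + 1:close].split("=", 1)  # first '=' separates attr from value
    return ("=", attr, value), close + 1


def evaluate(node, entry):
    """Evaluate a parsed filter against one entry; DN matching is case-insensitive."""
    if node[0] == "&":
        return all(evaluate(k, entry) for k in node[1])
    if node[0] == "|":
        return any(evaluate(k, entry) for k in node[1])
    _, attr, value = node
    vals = entry.get(attr, [])
    vals = vals if isinstance(vals, list) else [vals]
    return any(v.lower() == value.lower() for v in vals)


def vpn_allowed(user, password, group_dn=VPN_GROUP_DN):
    """Authentication AND authorisation: bind, then require direct VPN_AD membership.
    memberOf holds only direct membership, so nested group members would not match."""
    if not simple_bind(user, password):
        return False
    search = f"(&(sAMAccountName={user})(memberOf={group_dn}))"
    node, _ = parse_filter(search)
    return evaluate(node, dict(DIRECTORY[user], sAMAccountName=user))
```

Running `simple_bind("c", "pw-c")` succeeds while `vpn_allowed("c", "pw-c")` is refused, which is exactly the gap between "is this an AD user" and "is this user in VPN_AD".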
ASKER CERTIFIED SOLUTION
dpk_wal (India)
Thank you for trying to help me out