Authentication profile + Kerberos + group restrictions - should work?

Reply
Highlighted
L3 Networker

Authentication profile + Kerberos + group restrictions - should work?

Running 4.0.5 here.

I setup SSL VPN a while ago, and setup an authentication profile to pull from our Active Directory via Kerberos.  I have an AD group and I only want the members of that group (or members of groups that are children of that master group) to have VPN access.

I only add that single group to the allow list, and nothing else.

For some period of time, this was working correctly.  I have users that are in that group and could access the VPN, as well as users in sub-groups that could also access it.

After some period of time, with zero changes to anything SSL-VPN or authentication related, this has stopped working.  I'm now getting a generic "invalid username or password" error, when it was working perfectly in the past.

If I edit the authentication profile and remove the group restriction and instead change to "all," everything works again, but I am no longer restricting VPN access as I would like.

What's going on here?

I have found from searches that group restrictions are not supported with LDAP... but I'm using Kerberos and couldn't find anything about it one way or another.  If it is not supposed to work with group restrictions, how the heck was it working for me in the past!?

Highlighted
L4 Transporter

Please could you open a case with the Support team so they may take a closer look.

Highlighted
L1 Bithead

Hi,

did the support resolve your problem with using Groups with Kerberos authentication ? Can you post the solution ? Thanks !

Highlighted
L4 Transporter

I would be interested in a solution as well.

Tags (1)
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!