07-21-2016 02:15 AM
We want to use an authentication profile that matches against a fairly generic LDAP AD group in the Allow list tab. Is there a way of creating exceptions to the allow list for blocking individual user accounts from using the service, should we need to at any stage?
07-25-2016 08:59 AM
Hello,
If I understand your inquiry correctly, yes you can block a single user. You would obviously need to have one of the user-id options available so scan for that users id. When it comes to the policies, make the more specific one higher prirority than the general one.
Example:
Security policy to block the single user
Security policy to allow everyone else
I hope this helps.
Cheers!
07-25-2016 11:25 AM
Otakar.Klier is correct; as long as you have the deny entry further above your allow entry then it would work perfectly fine and any user-id identified in your deny list is denied.
07-25-2016 08:59 AM
Hello,
If I understand your inquiry correctly, yes you can block a single user. You would obviously need to have one of the user-id options available so scan for that users id. When it comes to the policies, make the more specific one higher prirority than the general one.
Example:
Security policy to block the single user
Security policy to allow everyone else
I hope this helps.
Cheers!
07-25-2016 11:25 AM
Otakar.Klier is correct; as long as you have the deny entry further above your allow entry then it would work perfectly fine and any user-id identified in your deny list is denied.
07-26-2016 07:40 AM
Hi, yes I agree a security policy rule using the User-ID column can be used to block the traffic of a connected client, but the key here is that would only take effect after they've connected. What I was hoping to be able to achieve is to prevent a specific user authenticating in the first place, who is a member of the larger AD group referenced in the Allowed List.
As far as I can tell, the initating packets to set up the IPSec tunnel do not include a User-ID at this point, you only start seeing that column populated after the tunnel is established.
07-26-2016 10:06 AM
Hello,
So you do not wish for them to connect to the VPN? Perhaps I am not understanding your question properly.
Please advise,
07-26-2016 11:13 AM
Okay, then you would need to take them out of your authentification profile under the object tab. Under your LDAP/Radius/Whatever server there is an allow list under the advanced options. It might be worth making a VPN-Allow AD group and putting anyone who needs VPN access under that group, this would keep anybody that is not in that specific AD group access to the VPN gateway.
To my understanding their is no way to do a 'not' statement under this option.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
