SRX


Dynamic VPN - multiple user classes

  • 1.  Dynamic VPN - multiple user classes

    Posted 01-19-2018 06:10

    I have a dynamic VPN profile which seems to work. Users can log in using their AD domain accounts, get their protected resources and everything runs ok.

    But the question remains whether I can somehow differentiate between two (or more) user groups and selectively allow access from VPN clients to protected resources.

    For example, I would want something similar to:

    1) Users that are in group G1 in AD can access everything (for example, 10.0.0.0/8 and 192.168.0.0/16)

    2) Users that are in group G2 in AD can access only 10.0.0.0/8

    Is it possible with dynamic VPN? I mean, I could of course filter by IP, but can I create two different IP pools and set the client's IP by group membership?


    Regards

    MK




  • 2.  RE: Dynamic VPN - multiple user classes
    Best Answer

    Posted 02-05-2018 23:37

    OK. Unable to find KB30927, I managed to devise a similar solution myself. It seems that you can create something like:

    admin@gw1> sh security dynamic-vpn-clients
    aaa-test {
        remote-protected-resources {
            172.16.0.0/16;
        }
        ipsec-vpn test-dyn-vpn;
        user-groups {
            ADGROUP1;
        }
    }
    all {
        remote-protected-resources {
            192.168.0.0/16;
        }
        ipsec-vpn test-dyn-vpn;
        user-groups {
            ADGROUP2;
        }
    }

    It's enough for me for now: users from different groups get different routes, and it's more or less what I need. I think I could create another instance of the IKE gateway and IPsec configuration and attach it to ADGROUP2 instead of the same config that I use for ADGROUP1. That would give me the possibility to define a separate IP pool for the clients and allow me not only to manipulate routing on the client side but also to filter the traffic actively on the SRX box. But for now it's not worth the effort.


    I have a big issue, though, with the dynamic VPN functionality. If you log in for the first time, the dynamic VPN creates a ticket in the local database, and moving users within the AD (or any other authentication source, I believe) doesn't change how the SRX perceives said user. So if I have a user who is in ADGROUP1 and logs in for the first time, a subsequent move within the AD to ADGROUP2 doesn't change the fact that the SRX still sees him as an ADGROUP1 member. I have to manually remove the ticket from the DB (as in KB17455) and restart the web-management service. This is a bit ridiculous.


    MK
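The per-group mapping in the accepted answer is easy to audit by script once the profiles grow beyond two. The following Python helper is an added example, not code from the poster or from Juniper: it parses the brace-style `show security dynamic-vpn clients` output shown above (embedded here as a constructed sample taken from the post), reports which protected prefixes each AD user group is routed to, and flags any group that appears in more than one client profile, since such a group's effective policy would then depend on which profile the SRX evaluates first. Profile names, group names and prefixes are the post's example values, not production ones.

```python
"""Audit helper for SRX dynamic-VPN client profiles (added example).

Parses the brace-style output of `show security dynamic-vpn clients`
and answers two defender questions:
  1. which remote-protected-resources does each AD user group receive?
  2. is any user group listed in more than one client profile, which
     would make the effective policy ambiguous?
The sample input is constructed from the forum post's example output.
"""
from collections import defaultdict

# Constructed sample: the two client profiles from the post.
SAMPLE_OUTPUT = """\
aaa-test {
    remote-protected-resources {
        172.16.0.0/16;
    }
    ipsec-vpn test-dyn-vpn;
    user-groups {
        ADGROUP1;
    }
}
all {
    remote-protected-resources {
        192.168.0.0/16;
    }
    ipsec-vpn test-dyn-vpn;
    user-groups {
        ADGROUP2;
    }
}
"""


def parse_dynamic_vpn_clients(text):
    """Return {profile: {"ipsec-vpn": str, "resources": [...], "user-groups": [...]}}.

    A small walk over the Junos brace format: a line ending in '{' opens a
    block, '}' closes it, 'key value;' is a leaf statement at profile level,
    and 'value;' inside a list block is a list member.
    """
    profiles = {}
    stack = []        # names of the blocks we are inside, outermost first
    current = None    # dict of the client profile currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            name = line[:-1].strip()
            stack.append(name)
            if len(stack) == 1:   # top-level block = one client profile
                current = profiles.setdefault(
                    name, {"ipsec-vpn": None, "resources": [], "user-groups": []})
            continue
        if line == "}":
            stack.pop()
            continue
        if not line.endswith(";") or current is None:
            continue
        stmt = line[:-1].strip()
        if len(stack) == 1:
            # leaf at profile level, e.g. "ipsec-vpn test-dyn-vpn"
            key, _, value = stmt.partition(" ")
            current[key] = value
        elif stack[-1] == "remote-protected-resources":
            current["resources"].append(stmt)
        elif stack[-1] == "user-groups":
            current["user-groups"].append(stmt)
    return profiles


def resources_by_group(profiles):
    """Map each user group to the sorted list of protected prefixes it receives."""
    out = defaultdict(set)
    for prof in profiles.values():
        for grp in prof["user-groups"]:
            out[grp].update(prof["resources"])
    return {g: sorted(v) for g, v in out.items()}


def groups_in_multiple_profiles(profiles):
    """Groups referenced by more than one client profile (ambiguous policy)."""
    seen = defaultdict(list)
    for name, prof in profiles.items():
        for grp in prof["user-groups"]:
            seen[grp].append(name)
    return {g: names for g, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    profs = parse_dynamic_vpn_clients(SAMPLE_OUTPUT)
    for grp, prefixes in resources_by_group(profs).items():
        print(f"{grp}: {', '.join(prefixes)}")
    print("groups in more than one profile:", groups_in_multiple_profiles(profs))
```

Run it against a pasted copy of the live output rather than the sample to see the real group-to-prefix table; an empty result from `groups_in_multiple_profiles` is the condition to expect before trusting the per-group split.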