FortiGate
pathik_mehta
Staff
Article Id 301998
Description This article describes how to grant a particular user access to specific resources over SSL VPN.
Scope FortiGate.
Solution

The steps in this article assume the following setup:

  • User1 should have access only to the server lab_srv (10.86.9.78).
  • User2 should have access to two servers: lab_srv (10.86.9.78) and 10.86.9.42.


  1. Import the two groups (user1grp and user2grp) from the LDAP server.

  2. Configure two SSL VPN portals, one for each group, and assign each portal a different IP range. When configuring the routing address override on each portal, add only the destination addresses that the group's users are allowed to reach.

  3. Under the SSL VPN settings, configure authentication rules that map the first group (user1grp) to its portal (user1_portal) and the second group (user2grp) to its portal (user2_portal).

  4. Configure a separate firewall policy for each group, permitting only the resources that group is allowed to access.

With this configuration, user2 can reach both servers (10.86.9.42 and 10.86.9.78), whereas user1 can reach only 10.86.9.78.
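The same four steps expressed in the FortiOS CLI, added here as an illustration and not taken from the original article. It assumes the LDAP groups user1grp and user2grp already exist (step 1), that firewall address objects lab_srv (10.86.9.78) and srv_42 (10.86.9.42) and IP-pool address objects user1_pool and user2_pool with non-overlapping ranges have been created, and that port1 is the internal interface; srv_42, the pool names and port1 are placeholders.

```fortios
config vpn ssl web portal
    edit "user1_portal"
        set tunnel-mode enable
        set ip-pools "user1_pool"
        set split-tunneling enable
        set split-tunneling-routing-address "lab_srv"
    next
    edit "user2_portal"
        set tunnel-mode enable
        set ip-pools "user2_pool"
        set split-tunneling enable
        set split-tunneling-routing-address "lab_srv" "srv_42"
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "user1grp"
            set portal "user1_portal"
        next
        edit 2
            set groups "user2grp"
            set portal "user2_portal"
        next
    end
end
config firewall policy
    edit 0
        set name "sslvpn_user1grp"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "user1_pool"
        set dstaddr "lab_srv"
        set groups "user1grp"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "sslvpn_user2grp"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "user2_pool"
        set dstaddr "lab_srv" "srv_42"
        set groups "user2grp"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The split-tunneling-routing-address entries only populate the client's route table (what the verification section shows); the per-group firewall policy is what actually permits or denies the traffic, so keep the two in agreement.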

 

Verification:

Commands for SSL VPN debug:

diag debug reset
diag debug application sslvpn -1
diag debug application fnbamd -1
diag debug console timestamp enable
diag debug enable


User1 SSL VPN debug:

 

[403] ldap_copy_grp_list-copied CN=user1grp,CN=Users,DC=dxblab,DC=local
[403] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=dxblab,DC=local
[1149] fnbam_user_auth_group_match-req id: 744663949, server: ldap_lab, local auth: 0, dn match: 1
[1118] __group_match-Group 'user1grp' passed group matching
[1121] __group_match-Add matched group 'user1grp'(4)
[2413] fnbamd_ldap_result-Passed group matching
[229] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 744663949, len=2657
[2308:root:2c]fam_auth_proc_resp:1368 fnbam_auth_update_result return: 0 (success)
[2308:root:2c][fam_auth_proc_resp:1508] Authenticated groups (1) by FNBAM with auth_type (16):

 

[2308:root:2c]deconstruct_session_id:505 decode session id ok, user=[user1], group=[user1grp],authserver=[ldap_lab],portal=[user1_portal],host[10.5.23.237],realm=[],csrf_token=3831424BD2BB7A092DC1D7A646A6223],idx=0,auth=16,sid=45efc635,login=1709035789,access=1709035789,saml_logout_url=no,pip=90.83.10.129,grp_info=[TEPhGG],rmt_grp_info=[T0ChcK]

 

User1 PC - Route table output. There is only one entry, for the server 10.86.9.78.
User2 SSL VPN debug:

 

[2401] fnbamd_ldap_result-Result for ldap svr 10.86.9.78(ldap_lab) is SUCCESS
[403] ldap_copy_grp_list-copied CN=user2grp,CN=Users,DC=dxblab,DC=local
[403] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=dxblab,DC=local
[1149] fnbam_user_auth_group_match-req id: 744663952, server: ldap_lab, local auth: 0, dn match: 1
[1118] __group_match-Group 'user2grp' passed group matching
[1121] __group_match-Add matched group 'user2grp'(5)
[2413] fnbamd_ldap_result-Passed group matching
[229] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 744663952, len=2657
[2308:root:38]fam_auth_proc_resp:1368 fnbam_auth_update_result return: 0 (success)

 

[2308:root:38]deconstruct_session_id:505 decode session id ok, user=[user2], group=[user2grp],authserver=[ldap_lab],portal=[user2_portal],host[10.5.23.237],realm=[],csrf_token=[A5C4A7B556F535B3BF178A0379AA266],idx=0,auth=16,sid=1aafef0a,login=1709036468,access=1709036468,saml_logout_url=no,pip=90.83.10.129,grp_info=[uDvanK],rmt_grp_info=[Se1CxI]

 

User2 PC - Route table output. Routes for both servers, 10.86.9.78 and 10.86.9.42, are present.