Blocking local end-user private IP from logging in to SA-2500
We have several end-users that go into one of our service centers, and connect to the corporate network, then launch Pulse Secure. They do not need Pulse Secure, since they are now on the corporate network, but they don't listen. We want to block them from logging in to the SA-2500, and thought that blocking the User Role, at the Source Restriction was a good start.
This does not seem to work. They are still able to log in to the SA-2500. So the end user is on the 192.168.201.0/24 segment. When we use the public IP, it definitely blocks, but should also block on the private IP.
Re: Blocking local end-user private IP from logging in to SA-2500
When you check the user access log, is that the role the user is getting? What does the policy trace say for the user regarding the source IP policy? I would recommend a block on the realm rather than the role, as if there is anything that the user would map other than that one role, the login would succeed. This is done at Users>User Realms>realmName>Authentication Policy>Source IP.
Another option is if you are using Pulse only, you can create a location awareness rule that is set to NOT connect when the DNS is your local DNS and disable manual connections.