Blocking local end-user private IP from logging in to SA-2500

SOLVED
StarLog
New Contributor

Blocking local end-user private IP from logging in to SA-2500

We have several end-users that go into one of our service centers, and connect to the corporate network, then launch Pulse Secure. They do not need Pulse Secure, since they are now on the corporate network, but they don't listen. We want to block them from logging in to the SA-2500, and thought that blocking the User Role, at the Source Restriction, was a good start.

This does not seem to work. They are still able to log in to the SA-2500. So the end user is on the 192.168.201.0/24 segment.
When we use the public IP, it definitely blocks, but should also block on the private IP.

This is the table I am using.

1 ACCEPTED SOLUTION

Accepted Solutions
StarLog
New Contributor

Re: Blocking local end-user private IP from logging in to SA-2500

[img][URL=http://s1376.photobucket.com/user/tfrench1/media/Capture_zpsi5xiydqk.gif.html][IMG]http://i1376.photobucket.com/albums/ah33/tfrench1/Capture_zpsi5xiydqk.gif[/IMG][/URL][/img]


3 REPLIES 3
StarLog
New Contributor

Re: Blocking local end-user private IP from logging in to SA-2500

How do we EDIT our posts, this is crazy stupid.
zanyterp
Moderator

Re: Blocking local end-user private IP from logging in to SA-2500

When you check the user access log, is that the role the user is getting?
What does the policy trace say for the user regarding the source IP policy?
I would recommend a block on the realm rather than the role, as if there is anything that the user would map other than that one role, the login would succeed.
This is done at Users>User Realms>realmName>Authentication Policy>Source IP.

Another option is if you are using Pulse only, you can create a location awareness rule that is set to NOT connect when the DNS is your local DNS and disable manual connections.
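
A simplified model of the realm-versus-role point in the reply above, added as an example; it is not Pulse Secure code and not part of the original thread. The role names `Remote-Users` and `Staff`, the function names and the deny-list representation are assumptions; 192.168.201.0/24 is the segment from the question.

```python
import ipaddress

# Segment named in the question; everything else below is constructed.
INTERNAL = ipaddress.ip_network("192.168.201.0/24")

# Hypothetical role-level source IP restriction: only one role carries it.
ROLE_DENY = {"Remote-Users": [INTERNAL]}


def denied(src_ip, deny_nets):
    """True if src_ip falls inside any network on the deny list."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in deny_nets)


def sign_in(src_ip, candidate_roles, role_deny, realm_deny=()):
    """Return the roles granted to the session, or [] if the login is refused.

    Assumed model: a realm-level source IP policy applies to every user of
    the realm, while a role-level restriction only removes that one role
    from the set the user maps to.
    """
    if denied(src_ip, realm_deny):
        return []
    return [r for r in candidate_roles
            if not denied(src_ip, role_deny.get(r, ()))]


def scenarios():
    """Run the cases discussed in the thread and return the granted roles."""
    lan, wan = "192.168.201.45", "203.0.113.10"  # constructed client addresses
    both = ["Remote-Users", "Staff"]
    return {
        "role block, single role": sign_in(lan, ["Remote-Users"], ROLE_DENY),
        "role block, second role": sign_in(lan, both, ROLE_DENY),
        "realm block, second role": sign_in(lan, both, ROLE_DENY, [INTERNAL]),
        "realm block, external IP": sign_in(wan, both, ROLE_DENY, [INTERNAL]),
    }


if __name__ == "__main__":
    for name, roles in scenarios().items():
        print(f"{name:26} -> {'login refused' if not roles else roles}")
```

The second case is the one to compare against the user access log: the restricted role is dropped, but the session still comes up on the other role.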