I've just setup a new policy for my end users and I am wanting to block anyone trying to access Junos while they are on the company network to not cause any weird looping issues.
I know that this is done in: Users -> User Roles -> Restrictions -> Source IP but I have no idea how to explicitly state IP ranges.
Any help would be greatly appreciated.
Is your internal LAN using the same IP range? If yes, you can set it as 10.0.0.0/8 and deny.
If you NAT to your IVE from the internet, so only one IP is seen, you can set the allow as 10.71.6.4/32.
Does that answer what you are looking for?
Internal LAN is using the same IP range.
DHCP address leases: 172.16.11.1-172.16.14.255
DHCP Leases for MAG users: 172.16.6.x-50
I want to explicitly deny anything with a 172.16.x.x address from getting an IP address internally to avoid loopbacks or errors.
More to the point, when specifying an IP address, do you simply use CIDR for the IP address + range without putting in the netmask?
Thanks for the help.
Awesome. Thank you so much, I'll give that a shot and report back.
So no dice.
I put 172.16.0.150/32 (or 255.255.255.255) as the only allowed IP address and put 172.16.0.0/16 as the deny from and it still is allowing me to connect from the 172.16.x.x network.
Order is Deny first, allow second. My account is only part of one group so permissions aren't an issue.
Here's a screenshot of what I'm looking at in Users-Users Roles-Restrictions
In terms of the policy trace, haven't done that before. I'm assuming that's documented in the MAG documentation?
So one step closer. I was able to restrict everyone on the 172.16.x.x/16 subnet from logging in, but external people trying to login got rejected as well even though I allowed the internal IP and the NAT'ed IP address to connect. Here's what I'm seeing in the logs:
|Info||AUT23457||2013-03-05 10:47:08 - ive - [X.X.X.X] username(User Realm) - Login failed. Reason: NoRoles|
|Info||AUT23361||2013-03-05 10:47:08 - ive - [X.X.X.X] username (User Realm) - Login failed from X.X.X.X for username/User Realm. All roles restricted.|
|Info||AUT24326||2013-03-05 10:47:08 - ive - [X.X.X.X] username(Warner Pacific Realm) - Primary authentication successful for usernameLDAP from X.X.X.X|
I feel like I'm having a major brain fart on this.
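The source-IP rules this thread is working through, as an added Python example written for this page (it is not code from the forum, from Juniper, or from the MAG/IVE software): it parses both the CIDR-prefix and dotted-netmask forms asked about above, turns a start-end DHCP scope into the CIDR blocks a rule list can take, and evaluates a source address against an ordered allow/deny list. The first-match, implicit-deny evaluation is an assumption used to illustrate why rule order and a catch-all matter; the device's actual precedence and default should be confirmed against its own documentation or a policy trace. The 203.0.113.9 address is a constructed "internet user" example.

```python
import ipaddress

# Addresses and ranges are taken from the thread or constructed for the
# walkthrough; nothing here is read from a live device.


def parse_rule(action, prefix):
    """Build an (action, network) rule. ipaddress accepts both the CIDR
    prefix form ("172.16.0.0/16") and the dotted-netmask form
    ("172.16.0.0/255.255.0.0"); strict=False tolerates set host bits."""
    return (action, ipaddress.ip_network(prefix, strict=False))


def range_to_cidrs(first, last):
    """Express a start-end range (the way DHCP scopes are usually written)
    as the minimal list of CIDR blocks a rule set can take."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def evaluate(rules, source_ip, default="deny"):
    """Assumed first-match evaluation: walk the rules top to bottom and
    return the action of the first network containing source_ip. An
    address that matches no rule gets `default`, i.e. an implicit deny."""
    ip = ipaddress.ip_address(source_ip)
    for action, net in rules:
        if ip in net:
            return action
    return default


# Ordering as posted: deny the whole /16, then allow one host inside it.
# Under first-match the /16 swallows the host before the /32 is reached.
DENY_FIRST = [
    parse_rule("deny", "172.16.0.0/16"),
    parse_rule("allow", "172.16.0.150/32"),
]

# Most-specific rule first, then the broad deny, then a catch-all allow so
# that internet users (arbitrary source addresses) are not caught by the
# implicit deny.
ALLOW_FIRST = [
    parse_rule("allow", "172.16.0.150/255.255.255.255"),  # dotted-mask form
    parse_rule("deny", "172.16.0.0/16"),
    parse_rule("allow", "0.0.0.0/0"),
]

# Allow-list only: the two addresses mentioned in the thread and nothing
# else, so every external source falls through to the implicit deny.
EXPLICIT_ONLY = [
    parse_rule("allow", "172.16.0.150/32"),
    parse_rule("allow", "10.71.6.4/32"),
]


def walkthrough():
    """Return the decisions for a few constructed source addresses."""
    return {
        "host, deny first": evaluate(DENY_FIRST, "172.16.0.150"),
        "host, allow first": evaluate(ALLOW_FIRST, "172.16.0.150"),
        "dhcp client": evaluate(ALLOW_FIRST, "172.16.11.7"),
        "internet, catch-all": evaluate(ALLOW_FIRST, "203.0.113.9"),
        "internet, allow-list only": evaluate(EXPLICIT_ONLY, "203.0.113.9"),
        "dhcp scope as cidr": range_to_cidrs("172.16.11.1", "172.16.14.255"),
    }


if __name__ == "__main__":
    for label, result in walkthrough().items():
        print(f"{label}: {result}")
```

Running it shows the /32 exception only takes effect when it sits above the /16 deny, and that an allow-list with no catch-all rejects every source it does not name, which is the shape of the "All roles restricted" outcome external users hit above. The DHCP scope 172.16.11.1-172.16.14.255 is not a single CIDR block; it breaks into ten, which is why a broad 172.16.0.0/16 deny is simpler to maintain than an exact scope match.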