Exclude company network from Junos login

SOLVED
pctx_
Occasional Contributor

Exclude company network from Junos login

Hello All,

 

I've just setup a new policy for my end users and I am wanting to block anyone trying to access Junos while they are on the company network to not cause any weird looping issues.

 

I know that this is done in: Users -> User Roles -> Restrictions -> Source IP but I have no idea how to explicitly state IP ranges.

 

Any help would be greatly appreciated.

Accepted Solution
zanyterp_
Respected Contributor

Re: Exclude company network from Junos login

Thank you for testing that and sending the data.
And in both scenarios your LAN IPs are appropriately denied, right?
If you look at your user access log, are you seeing that all the IPs are the same? If yes, and it is the IP you have allowed, it is probably time to open a TAC case and we can work from there. If not, meaning you are seeing mostly the external/internet IPs of folks as I am guessing since adding your home IP address allows you to connect, another rule modification for you. :)


1) Remove the NAT allow rule

2) Add an allow rule for 255.255.255.255/0.0.0.0

3) Place the deny above the allow

4) Save changes

5) Login and test


18 Replies
zanyterp_
Respected Contributor

Re: Exclude company network from Junos login

Is your internal LAN using the same IP range? If yes, you can set it as 10.0.0.0/8 and deny.

If you NAT to your IVE from the internet, so only one IP is seen, you can set the allow as 10.71.6.4/32.

Does that answer what you are looking for?

pctx_
Occasional Contributor

Re: Exclude company network from Junos login

Internal LAN is using the same IP range.

 

Example:

172.16.x.x/20

 

MAG 172.16.0.150

 

DHCP address leases: 172.16.11.1-172.16.14.255 

DHCP Leases for MAG users: 172.16.6.x-50

 

I want to explicitly deny anything with a 172.16.x.x address from getting an IP address internally to avoid loopbacks or errors.

 

More to the point, when specifying an IP address, do you simply use CIDR for the IP address + range without putting in the netmask?

 

Thanks for the help.

zanyterp_
Respected Contributor

Re: Exclude company network from Junos login

You have to include the netmask as one of the fields before you can add the restriction.
172.16.0.0 as the IP and netmask of 255.255.0.0 would allow or deny anything with 172.16.x.x; you would set the correct value in the netmask fields for the /20 you used in your sample. Or you can create four lines, one for each network range.
The only caveat would be to make sure that if you are NATting that you allow that IP and deny the rest.
pctx_
Occasional Contributor

Re: Exclude company network from Junos login

Awesome.  Thank you so much, I'll give that a shot and report back.

pctx_
Occasional Contributor

Re: Exclude company network from Junos login

So no dice.  

 

I put 172.16.0.150/32 (or 255.255.255.255) as the only allowed IP address and put 172.16.0.0/16 as the deny from and it still is allowing me to connect from the 172.16.x.x network.

 

Order is Deny first, allow second.  My account is only part of one group so permissions aren't an issue.

zanyterp_
Respected Contributor

Re: Exclude company network from Junos login

Did the save for enabling the policy take? (meaning if you change the radio button and add the IPs, it reverts to the allow all until you put it back.)
What does your policy trace say when you connect? Is this the only realm on the URL you are logging in against?
pctx_
Occasional Contributor

Re: Exclude company network from Junos login

Here's a screenshot of what I'm looking at in Users-Users Roles-Restrictions

 

 

In terms of the policy trace, haven't done that before.  I'm assuming that's documented in the MAG documentation?

zanyterp_
Respected Contributor

Re: Exclude company network from Junos login

Thank you for the screenshot; couple items to change:

1) enable the option for "allow or deny users from the following IP addresses" and then save changes
2) swap the policies so the allow is first and then the deny and save changes
pctx_
Occasional Contributor

Re: Exclude company network from Junos login

Cool.

 

So one step closer. I was able to restrict everyone on the 172.16.x.x/16 subnet from logging in, but external people trying to log in got rejected as well, even though I allowed the internal IP and the NAT'ed IP address to connect. Here's what I'm seeing in the logs:

 

Info AUT23457 2013-03-05 10:47:08 - ive - [X.X.X.X] username(User Realm)[] - Login failed. Reason: NoRoles
Info AUT23361 2013-03-05 10:47:08 - ive - [X.X.X.X] username (User Realm)[] - Login failed from X.X.X.X for username/User Realm. All roles restricted.
Info AUT24326 2013-03-05 10:47:08 - ive - [X.X.X.X] username(Warner Pacific Realm)[] - Primary authentication successful for usernameLDAP from X.X.X.X

 

I feel like I'm having a major brain fart on this.
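The following is an added example, not code from the thread or from Juniper: it models the ordered allow/deny source-IP restriction discussed above, covering both the netmask question (a /20 needs 255.255.240.0 in the netmask field) and the accepted solution (deny the LAN above an allow-all). It assumes rules are checked top-down, the first match wins, and a client matching no rule is denied; that is consistent with what the thread reports but is an assumption here, and the public IPs used are constructed placeholders.

```python
# Added example (not from the thread or the product): models the ordered
# allow/deny source-IP restriction discussed above. Assumed semantics: rules
# are checked top-down, the first matching rule wins, and a client that matches
# no rule is denied. IPs other than the thread's 172.16.x.x values are constructed.
import ipaddress

def prefix_to_netmask(prefix_len: int) -> str:
    """Dotted netmask the restriction form expects for a CIDR prefix, e.g. 20 -> 255.255.240.0."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)

def to_network(address: str, netmask: str) -> ipaddress.IPv4Network:
    """Build the network for an IP/netmask pair; netmask 0.0.0.0 means 'any address'."""
    return ipaddress.IPv4Network((address, netmask), strict=False)

def evaluate(rules, client_ip: str) -> str:
    """rules: ordered list of (action, address, netmask). Returns 'allow' or 'deny'."""
    client = ipaddress.IPv4Address(client_ip)
    for action, address, netmask in rules:
        if client in to_network(address, netmask):
            return action
    return "deny"  # nothing matched: implicit deny, which is what locked out external users

# Configuration that failed: only the MAG's own IP and the NAT'ed public IP were allowed.
NAT_PUBLIC_IP = "203.0.113.10"   # constructed placeholder for the company's NAT address
FAILED_RULES = [
    ("deny", "172.16.0.0", prefix_to_netmask(16)),
    ("allow", "172.16.0.150", prefix_to_netmask(32)),
    ("allow", NAT_PUBLIC_IP, prefix_to_netmask(32)),
]

# Accepted solution: deny the LAN, then allow everything else
# (entered on the form as 255.255.255.255 with netmask 0.0.0.0).
FIXED_RULES = [
    ("deny", "172.16.0.0", prefix_to_netmask(16)),
    ("allow", "255.255.255.255", "0.0.0.0"),
]

def decisions(rules) -> dict:
    """Decision for a LAN client, the NAT'ed IP, and a home user on no allow list."""
    return {ip: evaluate(rules, ip) for ip in ("172.16.11.20", NAT_PUBLIC_IP, "198.51.100.7")}

if __name__ == "__main__":
    print("/20 netmask:", prefix_to_netmask(20))
    print("failed config:", decisions(FAILED_RULES))
    print("fixed config:", decisions(FIXED_RULES))
```

Under these assumptions the failed configuration denies the home user because no rule matches, while the fixed one still denies every 172.16.x.x client and lets everyone else through.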