
Exclude company network from Junos login

SOLVED
pctx_
Occasional Contributor

Re: Exclude company network from Junos login

Also--- I'm explicitly giving 172.16.6.x-6.50 for DHCP for the VPN users, I'm guessing that the 172.16.x.x/16 denial is what is causing them not to get an IP but then anytime I try to login from the outside world, I get denied as it is stating I am not authorized to login.

zanyterp_
Respected Contributor

Re: Exclude company network from Junos login

Glad to hear it is getting closer to working.
Back to the policy trace question you had: it is a recording of policies applied to user login (it is in the admin guide); for our purposes here can you do the following:


1) Go to Maintenance>Troubleshooting>User Sessions>Policy tracing

2) Set the username to the user you will test with

3) Set the realm to the realm you will login with

4) Set the events to record to only pre-authentication, authentication, and role mapping

5) Start recording

6) Login as a user

7) Go back to the same spot and click on "view log"

8) The output is a list of policies applied

9) In that list you will see one regarding the IP restriction

10) It will give you the IP you are connecting with as well as the policy it matched against
zanyterp_
Respected Contributor

Re: Exclude company network from Junos login

So far the issue is that you can't complete login; the IP assignment shouldn't come into play yet.
pctx_
Occasional Contributor

Re: Exclude company network from Junos login

So here's the deal.... if I add my home IP to the "allow" IP list, I can login, if I remove it, I cannot login as it comes back and says no roles.

See below, first is without my IP added as allowed, second is:


W/o adding my IP:

Info PTR10305 2013/03/05 11:15:52 - [X.X.X.1X] - username(User Realm)[] - Variable groups@LDAP = "Apps-VPN"
Info PTR10218 2013/03/05 11:15:52 - [X.X.X.1X] - username(User Realm)[] - No match on rule 'userAttr.Apps{-}VPN = '*''
Info PTR10212 2013/03/05 11:15:52 - [X.X.X.1X] - username(User Realm)[] - Mapped to roles Apps-VPN by rule 'groups = 'Apps-VPN''
Info PTR10218 2013/03/05 11:15:52 - [X.X.X.1X] - username(User Realm)[] - No match on rule 'userAttr.Apps{-}VPN{-}Trusted = '*''
Info PTR10218 2013/03/05 11:15:52 - [X.X.X.1X] - username(User Realm)[] - No match on rule 'groups = 'Apps-VPN-Trusted''
Info PTR10218 2013/03/05 11:15:52 - [X.X.X.1X] - username(User Realm)[] - No match on rule 'userAttr.Apps{-}VPN{-}Employees = '*''
Info PTR10218 2013/03/05 11:15:52 - [X.X.X.1X] - username(User Realm)[] - No match on rule 'groups = 'Apps-VPN-Employees''
Info PTR10205 2013/03/05 11:15:52 - [X.X.X.1X] - username(User Realm)[] - Realm User Realm mapped user username to roles Apps-VPN
Info PTR23352 2013/03/05 11:15:52 - [X.X.X.1X] - username(User Realm)[] - IP restriction check failed for role Apps-VPN
Info PTR23354 2013/03/05 11:15:52 - [X.X.X.1X] - username(User Realm)[] - All roles restricted
Info PTR23334 2013/03/05 11:15:52 - [X.X.X.1X] - username(User Realm)[] - Sign-in rejected. Reason: NoRoles


Adding my IP as allowed:

Info PTR10305 2013/03/05 11:22:20 - [X.X.X.1X] - username(User Realm)[] - Variable group.Apps-VPN = true
Info PTR10305 2013/03/05 11:22:20 - [X.X.X.1X] - username(User Realm)[] - Variable group.Apps-VPN-Trusted = false
Info PTR10305 2013/03/05 11:22:20 - [X.X.X.1X] - username(User Realm)[] - Variable group.Apps-VPN-Employees = false
Info PTR10305 2013/03/05 11:22:20 - [X.X.X.1X] - username(User Realm)[] - Variable userAttr@LDAP.cn = "Aaron Hockett"
Info PTR10305 2013/03/05 11:22:20 - [X.X.X.1X] - username(User Realm)[] - Variable userAttr@LDAP.department = "Information Technology"
Info PTR10305 2013/03/05 11:22:20 - [X.X.X.1X] - username(User Realm)[] - Variable userAttr@LDAP.primaryGroupID = "1149"
Info PTR10305 2013/03/05 11:22:20 - [X.X.X.1X] - username(User Realm)[] - Variable userAttr@LDAP.sAMAccountName = "username"
Info PTR10305 2013/03/05 11:22:20 - [X.X.X.1X] - username(User Realm)[] - Variable groups@LDAP = "Apps-VPN"
Info PTR10218 2013/03/05 11:22:20 - [X.X.X.1X] - username(User Realm)[] - No match on rule 'userAttr.Apps{-}VPN = '*''
Info PTR10212 2013/03/05 11:22:20 - [X.X.X.1X] - username(User Realm)[] - Mapped to roles Apps-VPN by rule 'groups = 'Apps-VPN''
Info PTR10218 2013/03/05 11:22:20 - [X.X.X.1X] - username(User Realm)[] - No match on rule 'userAttr.Apps{-}VPN{-}Trusted = '*''
Info PTR10218 2013/03/05 11:22:20 - [X.X.X.1X] - username(User Realm)[] - No match on rule 'groups = 'Apps-VPN-Trusted''
Info PTR10218 2013/03/05 11:22:20 - [X.X.X.1X] - username(User Realm)[] - No match on rule 'userAttr.Apps{-}VPN{-}Employees = '*''
Info PTR10218 2013/03/05 11:22:20 - [X.X.X.1X] - username(User Realm)[] - No match on rule 'groups = 'Apps-VPN-Employees''
Info PTR10205 2013/03/05 11:22:20 - [X.X.X.1X] - username(User Realm)[] - Realm User Realm mapped user username to roles Apps-VPN
Info PTR233X 2013/03/05 11:22:20 - [X.X.X.1X] - username(User Realm)[] - Role restrictions successfully passed for roles: Apps-VPN
Info PTR23362 2013/03/05 11:22:20 - [X.X.X.1X] - username(User Realm)[Apps-VPN] - Sign-in successful, creating session
Info PTR23363 2013/03/05 11:22:20 - [X.X.X.1X] - username(User Realm)[Apps-VPN] - Session created, redirecting user to start page. Sign-in done.
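The two policy traces above are the evidence the whole thread turns on: both map the user to Apps-VPN, but only the second passes the role's source-IP restriction. When reviewing many such traces, it helps to reduce each one to the handful of facts that matter (client IP, roles mapped, roles blocked by IP restriction, final outcome). The following parser is an added example, not part of the thread or of Juniper's software; it assumes the line layout shown in the posts above (level, PTR code, timestamp, bracketed client IP, user(realm)[roles], message), and the sample lines embedded in it are copied from the two traces in this post.

```python
import re
from typing import Dict, List, Optional

# Layout of one trace line as it appears in the thread (assumption: other
# deployments may format the prefix differently):
#   Info PTR23352 2013/03/05 11:15:52 - [X.X.X.1X] - username(User Realm)[] - <message>
LINE_RE = re.compile(
    r"^(?P<level>\w+)\s+(?P<code>PTR\w+)\s+(?P<ts>\S+ \S+) - \[(?P<ip>[^\]]+)\] - "
    r"(?P<user>[^(]+)\((?P<realm>[^)]+)\)\[(?P<roles>[^\]]*)\] - (?P<msg>.*)$"
)
# Message patterns taken from the trace lines in the thread.
MAPPED_RE = re.compile(r"mapped user \S+ to roles (.+)$")
RESTRICT_FAIL_RE = re.compile(r"IP restriction check failed for role (\S+)")
REJECT_RE = re.compile(r"Sign-in rejected\. Reason: (\S+)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one trace line into its fields, or return None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_trace(lines: List[str]) -> Dict[str, object]:
    """Reduce a policy trace to: client IP, mapped roles, IP-restricted roles, outcome."""
    summary: Dict[str, object] = {
        "client_ip": None,
        "mapped_roles": [],
        "ip_restricted_roles": [],
        "outcome": "unknown",
        "reason": None,
    }
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # blank line or something that is not a trace record
        summary["client_ip"] = rec["ip"]
        msg = rec["msg"]
        m = MAPPED_RE.search(msg)
        if m:
            summary["mapped_roles"] = [r.strip() for r in m.group(1).split(",")]
            continue
        m = RESTRICT_FAIL_RE.search(msg)
        if m:
            summary["ip_restricted_roles"].append(m.group(1))
            continue
        m = REJECT_RE.search(msg)
        if m:
            summary["outcome"], summary["reason"] = "rejected", m.group(1)
            continue
        if "Sign-in successful" in msg:
            summary["outcome"] = "success"
    return summary


# Sample input: the decisive lines from the two traces in this post.
REJECTED_TRACE = [
    "Info PTR10205 2013/03/05 11:15:52 - [X.X.X.1X] - username(User Realm)[] - Realm User Realm mapped user username to roles Apps-VPN",
    "Info PTR23352 2013/03/05 11:15:52 - [X.X.X.1X] - username(User Realm)[] - IP restriction check failed for role Apps-VPN",
    "Info PTR23354 2013/03/05 11:15:52 - [X.X.X.1X] - username(User Realm)[] - All roles restricted",
    "Info PTR23334 2013/03/05 11:15:52 - [X.X.X.1X] - username(User Realm)[] - Sign-in rejected. Reason: NoRoles",
]
SUCCESS_TRACE = [
    "Info PTR10205 2013/03/05 11:22:20 - [X.X.X.1X] - username(User Realm)[] - Realm User Realm mapped user username to roles Apps-VPN",
    "Info PTR233X 2013/03/05 11:22:20 - [X.X.X.1X] - username(User Realm)[] - Role restrictions successfully passed for roles: Apps-VPN",
    "Info PTR23362 2013/03/05 11:22:20 - [X.X.X.1X] - username(User Realm)[Apps-VPN] - Sign-in successful, creating session",
]

if __name__ == "__main__":
    for name, trace in (("without home IP allowed", REJECTED_TRACE), ("with home IP allowed", SUCCESS_TRACE)):
        print(name, "->", summarize_trace(trace))
```

The useful signal is the combination: a non-empty `mapped_roles` together with the same role in `ip_restricted_roles` means role mapping is fine and the source-IP rules are what need fixing, which is exactly the diagnosis the next reply makes.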

zanyterp_
Respected Contributor

Re: Exclude company network from Junos login

Thank you for testing that and sending the data.
And in both scenarios your LAN IPs are appropriately denied, right?
If you look at your user access log, are you seeing that all the IPs are the same? If yes, and it is the IP you have allowed, it is probably time to open a TAC case and we can work from there. If not, meaning you are seeing mostly the external/internet IPs of folks as I am guessing since adding your home IP address allows you to connect, another rule modification for you. Smiley Happy


1) Remove the NAT allow rule

2) Add an allow rule for 255.255.255.255/0.0.0.0

3) Place the deny above the allow

4) Save changes

5) Login and test


pctx_
Occasional Contributor

Re: Exclude company network from Junos login

BOOM!!! That worked!!  So offsite now is working flawlessly and anything internally is being denied.


So now my question to understand all of this.... is the IP address 255.255.255.255 (is the MAG) and allow access to 0.0.0.0 (is basically anything on the network after authentication) correct?


Just making sure I'm understanding the logic. Smiley Happy  Thanks again for the help!

zanyterp_
Respected Contributor

Re: Exclude company network from Junos login

Sweet; glad to hear it is working in real life as well as my lab Smiley Happy
The IP address 255.255.255.255 is the broadcast/all bits on; 0.0.0.0 is the subnet wildcard to match any value in that place....essentially, telling the system to match any IP address and not care about what it actually matches to as long as it is valid. It is not matching on the MAG itself but what the MAG sees inbound for the user.

Glad to help.
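The fix in the earlier reply (deny rule for the LAN range placed above an allow rule for 255.255.255.255/0.0.0.0) and the explanation of the mask just above both come down to two properties of the source-IP restriction list: each rule is an address/mask pair where a 0 in the mask means "don't care", and rules are evaluated top to bottom with the first match winning. The following evaluator is an added example, not code from the thread or from the appliance; it assumes first-match semantics and a deny outcome when no rule matches (consistent with the "IP restriction check failed" trace when the home IP was not listed). The NAT address 198.51.100.5 and the client addresses are constructed sample values.

```python
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# A rule is (action, address, mask). Mask bits set to 0 are ignored when
# comparing, so ("allow", "255.255.255.255", "0.0.0.0") matches every address.
Rule = Tuple[str, str, str]


def rule_matches(client_ip: str, address: str, mask: str) -> bool:
    """True when client_ip agrees with address on every bit that is set in mask."""
    m = int(IPv4Address(mask))
    return (int(IPv4Address(client_ip)) & m) == (int(IPv4Address(address)) & m)


def evaluate(rules: List[Rule], client_ip: str, default: str = "deny") -> Tuple[str, Optional[Rule]]:
    """Walk the list top to bottom; the first matching rule decides. No match -> default (assumed deny)."""
    for rule in rules:
        action, address, mask = rule
        if rule_matches(client_ip, address, mask):
            return action, rule
    return default, None


# Constructed rule sets mirroring the three states discussed in the thread.
LAN_DENY: Rule = ("deny", "172.16.0.0", "255.255.0.0")        # the company network
ALLOW_ANY: Rule = ("allow", "255.255.255.255", "0.0.0.0")     # match any valid address
ALLOW_NAT_ONLY: Rule = ("allow", "198.51.100.5", "255.255.255.255")  # constructed NAT address

BEFORE_FIX: List[Rule] = [LAN_DENY, ALLOW_NAT_ONLY]   # home users match nothing -> denied
FIXED: List[Rule] = [LAN_DENY, ALLOW_ANY]             # deny above allow, as recommended
WRONG_ORDER: List[Rule] = [ALLOW_ANY, LAN_DENY]       # allow-any first swallows everything

SAMPLE_CLIENTS = {
    "internal LAN": "172.16.6.10",
    "VPN pool": "172.16.6.40",
    "home user": "203.0.113.7",
    "NAT address": "198.51.100.5",
}


def decisions(rules: List[Rule]) -> dict:
    """Decision per sample client, handy for comparing rule sets side by side."""
    return {label: evaluate(rules, ip)[0] for label, ip in SAMPLE_CLIENTS.items()}


if __name__ == "__main__":
    for name, rules in (("before fix", BEFORE_FIX), ("fixed", FIXED), ("wrong order", WRONG_ORDER)):
        print(f"{name:12s} {decisions(rules)}")
```

Running it shows why ordering matters: with `FIXED`, internal addresses hit the deny first and everyone else falls through to allow-any; with `WRONG_ORDER`, the 0.0.0.0 mask matches the LAN addresses too, so the deny below it is never reached and the company network is let in, the opposite of what the thread wants.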
pctx_
Occasional Contributor

Re: Exclude company network from Junos login

Cool deal.  Thanks again!

zanyterp_
Respected Contributor

Re: Exclude company network from Junos login

You are welcome; glad to assist Smiley Happy