First post & already asking for help.

SOLVED
RobN_
New Contributor

Hi Guys

I signed up here for some help and advice and to hopefully brush up on my Juniper skills... currently my skill level is somewhere around novice/n00b.

I have done a fair bit of searching online and cannot find a solution to this problem or even if it is possible.... Here goes

We have an SA2500 VPN. It is connected to one of our domain controllers for user authentication. We would like to be able to block the domain admin from being authorised for a VPN login; all other users should still be allowed to connect. I have searched through the appliance and cannot seem to see a way to deny a specific AD user... Can this be done?

If so how?

Many Thanks
Rob

4 REPLIES
Beetlejuice_
Occasional Contributor

Re: First post & already asking for help.

In the role mapping you can specify the users that can connect to the role - just don't include the Domain Admins? You could point the role mapping to a security group in AD that has all users other than the DAs.

Hope that helps...

RobN_
New Contributor

Re: First post & already asking for help.

Thanks for your reply

At the moment in the role mapping we have Username is "*" being assigned the role. I was hoping it would be possible to create a separate mapping, something like Username is "DomainADMIN" assigned to no roles.... Is that possible? Or maybe add a new role that does nothing?

Beetlejuice_
Occasional Contributor

Re: First post & already asking for help.

Yes - you can create a new role mapping to a role that does nothing, i.e. we have some that display a webpage (delivered from an internal webserver) that basically explains why that particular user is not permitted to sign in, but you need not go that far I guess. The new role mapping can be the DA username(s) or, if there are loads (and I hope for your sake there are not ;)), you can point it to the DA Group in AD. Using the DA group is the safest because if a new user is added to the DA group then they will also receive the fake role, whereas if you specify the username then the new user will be missed.

That new mapping needs to be above the "*" role mapping for all other users and you then need to tick the ' box for the new role mapping.

It works from top downwards. If a user is not in the DA Group it moves onto the next mapping. If the user is in the DA Group it stops and assigns the fake role.

Job done...

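The top-down evaluation Beetlejuice describes, as an added example that is not from this thread or from Juniper: a small Python simulation of role-mapping rules with a stop-processing flag, using constructed rule, role and user names, showing what a Domain Admin ends up with when the deny rule sits above the "*" rule, below it, or above it without the stop flag ticked.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    username: str
    groups: frozenset = field(default_factory=frozenset)  # AD group names


@dataclass(frozen=True)
class Rule:
    kind: str            # "username" or "group"
    value: str           # username ("*" matches anyone) or AD group name
    roles: tuple         # roles assigned when the rule matches
    stop: bool = False   # stop evaluating further rules after this one matches


def rule_matches(rule: Rule, user: User) -> bool:
    if rule.kind == "username":
        return rule.value == "*" or rule.value.lower() == user.username.lower()
    if rule.kind == "group":
        return rule.value in user.groups
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def assigned_roles(rules: list, user: User) -> list:
    """Evaluate rules top-down: every matching rule contributes its roles
    until a matching rule with the stop flag ends evaluation."""
    roles = []
    for rule in rules:
        if rule_matches(rule, user):
            roles.extend(rule.roles)
            if rule.stop:
                break
    return roles


# Constructed names: "Denied" stands in for the do-nothing role from the thread.
DENY_DA = Rule("group", "Domain Admins", ("Denied",), stop=True)
CATCH_ALL = Rule("username", "*", ("Users",))

CORRECT = [DENY_DA, CATCH_ALL]                                        # DA rule above "*", stop ticked
MISORDERED = [CATCH_ALL, DENY_DA]                                     # DA rule below "*"
NO_STOP = [Rule("group", "Domain Admins", ("Denied",)), CATCH_ALL]    # stop flag not ticked

ADMIN = User("domainadmin", frozenset({"Domain Admins", "Domain Users"}))
STAFF = User("alice", frozenset({"Domain Users"}))

if __name__ == "__main__":
    for name, rules in (("correct", CORRECT), ("misordered", MISORDERED), ("no stop", NO_STOP)):
        print(f"{name:10s} admin={assigned_roles(rules, ADMIN)} staff={assigned_roles(rules, STAFF)}")
```

Only the first ordering leaves the admin with the fake role alone; in the other two the admin still picks up "Users" from the "*" rule.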

RobN_
New Contributor

Re: First post & already asking for help.

That's done the trick

Thanks