I have created a rule in Role Mapping with an AD group and it's working correctly (ROLE RESTRICTIONS SUCCESFULLY PASSED FOR ROLES (ACCESO VPN-SSL)).
So I need to create another rule for another group, but when I add this rule NOTHING WORKS.
It's like only administrators can create more rules, but not normal users or new users.
In picture 1 you can see the successful login with user VASCO (admin DC) using the role.
In picture 2 you can see the FAILED login. Reasons: NO ROLES
Anyone else have this problem? Any fix????
In picture 2, the user is not a member of either group that is defined. You can see in the policy trace where the group membership state is false.
Was the user a member of either group when you tested?
Did the join succeed, further up in the policy trace, for getting user groups?
The user is a member of that group, but I do not know why, when I add another rule, the Juniper doesn't match anything.
Rule one works perfectly alone, but when I add another rule (3. COMITE DE DIRECCION) nothing works.
I have found this documentation about my problem.
What can I do??
How did you add the group to the server catalog to query for it: did you add it in the search box or through finding it in the list through a search in the popup window?
The link you sent over is for an LDAP server instance; based on what you have posted, you are using the AD/NT server type, which is different.
Can you upload your entire policy trace for a working and failed user (either here or direct-to-me)?
The AD server is sending back that the user is not a member of the group.
OK, I am going to give a brief summary of what I have and what I do.
I have 2 authentication servers: primary Active Directory and second TOKEN VASCO.
This is the procedure I follow to configure a group.
1) I add a user to a group in Active Directory.
2) I create a role for that group.
3) I go to ROLE MAPPING AD+TOKEN, click NEW RULE, choose the option GROUPS and click Update; then I go to SEARCH and I can see all the groups of my domain ("CREDITOCAUCION\ACESSO VPN-SSL"), so I choose that group and add it.
Yes, I know, but the user IS a member of that group.
I'm going to my client tomorrow to try to fix it. I'll take a full screenshot and post it.
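Added check, not part of the thread: before looking at the VPN appliance's role-mapping engine, confirm on the domain side that the account really is a member of the groups named in the rules, both as a direct member and through nesting. This assumes the ActiveDirectory RSAT module is installed on the workstation; the user name is a placeholder, and the two group names are taken from the thread and may differ in your domain.

```powershell
# Added example (not from the thread): verify AD group membership for the account used
# in the role-mapping test, so the "group membership = false" line in the policy trace
# can be compared against what the DC itself reports.
# $SamAccountName is a placeholder; adjust $GroupsToCheck to your own group sAMAccountNames.
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'                                      # placeholder test user
$GroupsToCheck  = @('ACESSO VPN-SSL', 'COMITE DE DIRECCION')  # group names from the thread

$user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
$dn   = $user.DistinguishedName

# Direct memberships only: what a plain read of the memberOf attribute returns
$direct = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).SamAccountName })

# Direct + nested memberships, resolved server-side with the LDAP_MATCHING_RULE_IN_CHAIN OID
$effective = @((Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)").SamAccountName)

# One row per rule group: a group that is Effective but not Direct is reached only via nesting,
# which some group lookups on the appliance side will not expand.
foreach ($g in $GroupsToCheck) {
    [pscustomobject]@{
        Group     = $g
        Direct    = $direct    -contains $g
        Effective = $effective -contains $g
    }
}
```

Run it as the same account you used for the failed login test, then compare the Direct and Effective columns with the membership lines in the policy trace; a group that shows up only under Effective tells you the membership is nested, which is worth stating when you post the trace.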
Upgrade to the latest release in your chain. I had this same issue and it turned out to be a customer PR that was fixed in the newer releases.
The issue only affects role mapping of groups and the system is not able to correctly determine that the user is a member of the group.
Rebooting would also clear the issue for us for a period of time but it would reappear again later.