NO ROLES ASSIGNED

kanorro_
Contributor

NO ROLES ASSIGNED

Hi

I have created a rule in Role Mapping with an AD group and it's working correctly (ROLE RESTRICTIONS SUCCESSFULLY PASSED FOR ROLES (ACCESO VPN-SSL)).

So I need to create another rule for another group, but when I add this rule NOTHING WORKS.

It's like only administrators can create more rules, but not normal users or new users.

Can there be any restrictions on users in AD?
I have reviewed the configuration for roles, groups (AD) and everything is OK.

In picture 1 you can see the successful login with user VASCO (admin DC) using the role.

In picture 2 you can see the FAILED login. Reason: NO ROLES

Does anyone else have this problem? Any fix????

THANKS

30 REPLIES
Lilja_
Frequent Contributor

Re: NO ROLES ASSIGNED

Use Troubleshooting > Policy Tracing to get some more information about the role mapping.

kanorro_
Contributor

Re: NO ROLES ASSIGNED

I have used Troubleshooting > Policy Tracing; the attached screenshots are from it.

zanyterp_
Respected Contributor

Re: NO ROLES ASSIGNED

In picture 2, the user is not a member of either group that is defined. You can see in the policy trace where the group membership state is false.

Was the user a member of either group when you tested?

Did the join succeed, further up in the policy trace, for getting user groups?

kanorro_
Contributor

Re: NO ROLES ASSIGNED

The user is a member of that group, but I do not know why, when I add another rule, the Juniper doesn't match anything.

Rule one works perfectly alone, but when I add another rule (3.COMITE DE DIRECCION) nothing works.

I have found this documentation about my problem:

ERROR PTR23334

http://www.juniperforum.com/index.php?topic=4304.0

https://forums.pulsesecure.net/topic/pulse-connect-secure/36681-ldap-role-mapping-using-group-attrib...

What can I do??

Thanks

zanyterp_
Respected Contributor

Re: NO ROLES ASSIGNED

How did you add the group to the server catalog to query for it: did you add it in the search box or through finding it in the list through a search in the popup window?


The link you sent over is for an LDAP server instance; based on what you have posted, you are using the AD/NT server type, which is different.

Can you upload your entire policy trace for a working and failed user (either here or direct-to-me)?

The AD server is sending back that the user is not a member of the group.

kanorro_
Contributor

Re: NO ROLES ASSIGNED

OK, I am going to give a brief summary of what I have and what I do.

I have 2 authentication servers: primary Active Directory and second TOKEN VASCO.

This is the procedure I follow to configure a group:

1) I add a user to a group in Active Directory.

2) I create a role for that group.

3) I go to ROLE MAPPING AD+TOKEN, click NEW RULE, choose the option GROUPS and click Update; then I go to SEARCH and I can see all the groups of my domain ("CREDITOCAUCION\ACESSO VPN-SSL"), so I choose that group and add it.

Yes, I know, but the user IS a member of that group.

I'm going to my client tomorrow to try to fix it. I'll take a full screenshot and post it.

THANKS

spuluka
Super Contributor

Re: NO ROLES ASSIGNED

Upgrade to the latest release in your chain. I had this same issue and it turned out to be a customer PR that was fixed in the newer releases.

The issue only affects role mapping of groups and the system is not able to correctly determine that the user is a member of the group.

Rebooting would also clear the issue for us for a period of time but it would reappear again later.

Steve Puluka BSEET - IP Architect - DQE Communications Pittsburgh, PA (Metro-Ethernet & ISP) - http://puluka.com/home
kanorro_
Contributor

Re: NO ROLES ASSIGNED

I attach one whole log.

I think I'm doing something wrong with the authentication server or domain controller. Help please.

kanorro_
Contributor

Re: NO ROLES ASSIGNED

I have the latest firmware, 7.1R5 (build 19757), and I have tried to reboot and it's the same.