
Restricting access with network connect

dtlam76_
Contributor

I am currently trying to set up a network connect policy so that users in one of my roles can only access a predefined list of IP addresses. I'm having issues trying to get that set up in resource policies-->Network Connect-->Network connect access control.

I created a new profile with the IP addresses that they are allowed to access and applied it to the correct role, but I can still access other resources on our network that are outside of that scope when I log in as a user.

Any ideas?

ruc_
Regular Contributor

Re: Restricting access with network connect

The Profile defines settings like IP, DNS, proxy, etc. For access control you need to set ACLs. For config help, bring up the help interface (by clicking on 'help' from the admin GUI) and then under search enter the string 'Defining Network Connect Access Control Policies'. This config section will help you restrict access based on roles. Make sure you edit the allow all rule that is there by default.
dcvers_
Regular Contributor

Re: Restricting access with network connect

Resource policies for different roles are combined into a session policy for the user. Double check that another role is not also being mapped for the users and granting the additional access.
Daniel_Ilies_
New Contributor

Re: Restricting access with network connect

Hello,

First you should check the box at the Role Mapping page to stop the role evaluation once a specific role is met - this should "stop" the role NC overlapping.

dtlam76_
Contributor

Re: Restricting access with network connect

I figured out what I was doing wrong. Thanks guys for your help.

The original network connect policy, which was configured for *.* or all resources, was interfering with my newly created policy that allowed users to access a scope of IP addresses.

I created a deny all policy just below that so that the initial network connect policy would not interfere with the newly created policy. Then I assigned it to the newly created role and put the policy as the first in the order of precedence and voilà, it worked.

Message Edited by dtlam76 on 02-24-2009 09:42 AM
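The ordering problem resolved in this thread, as an added example that is not from any of the posters or from the product: a simplified model of role-scoped access-control policies checked top-down with the first match deciding. The first-match rule, the role name `Contractors`, the policy names and all addresses are assumptions made for illustration, and the "after" list is one reading of the fix described above.

```python
import ipaddress

# Simplified model (assumption): policies are checked top-down, a policy applies
# when the session holds one of its roles, and the first matching policy decides.
def evaluate(policies, session_roles, dest_ip):
    ip = ipaddress.ip_address(dest_ip)
    for name, roles, networks, action in policies:
        applies = "*" in roles or bool(set(roles) & set(session_roles))
        if applies and any(ip in ipaddress.ip_network(n) for n in networks):
            return action, name
    return "deny", "(no policy matched)"

ANY = ["0.0.0.0/0"]
# Constructed sample data: role names and addresses are hypothetical.
ALLOWED = ["10.1.20.10/32", "10.1.20.11/32"]

# Before: the default allow-all rule sits above the new restricted rule,
# so it matches every destination first and the allow list never matters.
before = [
    ("default allow all", ["*"], ANY, "allow"),
    ("contractor allow list", ["Contractors"], ALLOWED, "allow"),
]

# After: allow list first, then a deny-all scoped to the role, default rule last.
after = [
    ("contractor allow list", ["Contractors"], ALLOWED, "allow"),
    ("contractor deny all", ["Contractors"], ANY, "deny"),
    ("default allow all", ["*"], ANY, "allow"),
]

def audit(policies, session_roles, probes):
    """Return {ip: (action, deciding policy)} for each probe address."""
    return {ip: evaluate(policies, session_roles, ip) for ip in probes}

if __name__ == "__main__":
    probes = ["10.1.20.10", "10.9.9.9"]
    for label, pol in (("before", before), ("after", after)):
        for ip, (action, name) in audit(pol, ["Contractors"], probes).items():
            print(f"{label:6} {ip:12} {action:5} via {name}")
```

Reporting the deciding policy alongside the verdict is what makes an unexpected allow traceable to the rule that granted it.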