
VPN restrict users in group and time

pspecht
Occasional Contributor


I'm trying to follow this article

https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB43638


But I can't seem to figure it out.

I don't want to restrict all users.


I would like to set up restrictions for Non-Exempt employees so they cannot authenticate after a certain time.  

I have a Windows security group (Non-exempt Employees) that I have added those users to.

I'm lost on how to add this to an existing realm.

Currently we have a VPN users group with everyone in it and assign a role and NO time constraints.

3 REPLIES
freed96
Contributor

Re: VPN restrict users in group and time

I made a custom expression with the group and the hours,

 

If it matches the "during hours" expression then they get the role assigned. If it matches the "after hours" expression they get no role assigned.

 

e.g.: groups = ('VPN_Exemptusers') AND loginTime != (7:00AM to 7:00PM)

 

Keep in mind this doesn't disconnect users who were active from before.

pspecht
Occasional Contributor

Re: VPN restrict users in group and time

freed96,

I created another realm (just copied my existing) so I can test. Same LDAP settings.

In Role Mapping I created two rules

 

matches expression "VPN Allow Login Window"
Expression:   groups="Test VPN Users" AND loginTime = (6:00AM TO 9:00PM):

assign these roles - Users Role

 

matches expression "VPN Not Allow Login Window"
Expression:   groups="Test VPN Users" AND loginTime != (6:00AM TO 9:00PM)

Assign no role

 

When I test my user account after being moved from the VPN allowed users security group to the Test VPN Users group the logs show

"Login failed. Reason: No Roles"

 

What am I missing?

zanyterp
Moderator

Re: VPN restrict users in group and time

@pspecht: Is that during the allowed login time (unexpected behavior) or during the restricted login time (expected behavior)? Would using a combined expression work?
What does your policy trace show?
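
The two role-mapping rules from pspecht's test realm, modelled as an added example (not code from the thread's participants or from Pulse Secure): the same "No Roles" log line results both outside the login window and when the group lookup does not return "Test VPN Users", which is the distinction a policy trace makes. The function names, the half-open window boundary and the reason strings are assumptions.

```python
from datetime import time

# Constructed model of the two rules quoted in the thread; not gateway code.
GROUP = "Test VPN Users"              # group name from the post
WINDOW = (time(6, 0), time(21, 0))    # 6:00AM TO 9:00PM, from the post
ROLE = "Users Role"                   # role name from the post


def in_window(login, start, end):
    """True if login is in [start, end). Boundary handling is an assumption.

    Also handles a window that crosses midnight (e.g. 7:00PM to 7:00AM).
    """
    if start <= end:
        return start <= login < end
    return login >= start or login < end


def map_roles(groups_seen, login):
    """Evaluate both rules. groups_seen is what the directory lookup returned."""
    if GROUP not in groups_seen:
        # Neither expression can match, whatever the time of day.
        return [], "no rule matched: group not in lookup result"
    if in_window(login, *WINDOW):
        return [ROLE], "matched allow-window rule"
    return [], "matched not-allowed rule: no role assigned"


def login_result(groups_seen, login):
    """Return (log line, reason). An empty role list fails the login."""
    roles, reason = map_roles(groups_seen, login)
    status = "Login OK" if roles else "Login failed. Reason: No Roles"
    return status, reason


if __name__ == "__main__":
    # Constructed test cases: (groups returned by lookup, login time)
    cases = [
        ({"Test VPN Users"}, time(12, 0)),     # in group, inside window
        ({"Test VPN Users"}, time(22, 30)),    # in group, outside window
        ({"VPN allowed users"}, time(12, 0)),  # lookup lacks the test group
        (set(), time(12, 0)),                  # lookup returned no groups
    ]
    for groups, when in cases:
        status, reason = login_result(groups, when)
        print(f"{when} {sorted(groups)} -> {status} ({reason})")
```
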