Hello - I'm trying to figure out how to export Active Directory group membership info from an IVE to a UAC via IF-MAP.
We have external users who login in to the network on an IVE via sslvpn. They login in to the sslvpn with AD credentials. The users are members of various groups within the domain. When the user logs in the AD server will supply the group membership info to the IVE. I'd like to export that group membership info to a UAC which is federated with the IVE. With that exported session info we would then map users to roles based on their AD group membership. From there we'd create resource access policies based on the roles to be pushed to Enforcers.
I'm having some difficulty in finding documentation on this. Has anyone done this type of setup? Is there an easier way to go about this? Any help is greatly appreciated.
Rather than export their AD group membership, export their roles. Have identical roles on the IC. When they are imported into the IC they will be given the same roles as on the SA.
Remeber that your enforcers need to be configured to provision the auth table "as required" to support IF-MAP.
JNCIS-FWV JNCIS-SSL JNCIS-ER JNCIS-SEC
Thanks for the feedback, Sam.
I guess my only concern with mapping AD group to user role on the IVE is that now we will need to do the role mappings twice. Once on the IVE and then again on the UAC. So now, when there is a need to change role mappings in the future, we'll have to do it twice - on the UAC and the IVE.
It seems it would be easier to have all role mapping done on the UAC only. Or am I missing something?
There is that, or what I do is have a group in AD for each of the roles, and the role mapping rules just map one group to one role.
If a user needs to change roles they just get moved in AD.
This has the added advantage for me that our first line support guys can make such modifications without touching the SA or IC.
This is interesting. Juniper's JTAC is telling me that AD group membership info cannot be exported via IF-MAP. I hope this is incorrect.
How exactly would I export that session info? Would I do this with 'IF-MAP Identity'?
In case anyone is interested. JTAC is correct, you cannot export AD group member info via IF-MAP. Kind of disappointing as that functionality would have simplified our design immensely.