cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Firewall Enterprise 8.x and ShrewSoft Client per username ACL

Hi,

Question: Is it possible to make access through ShrewSoft VPN client based on firewall (or external) user or groups?

I've tried conf like this, but doesn't work.

1. X-Auth config based on local firewall admin:

2013-11-06_16h34_54.png

2. Connection using those local firewall user. Connection OK:

2013-11-06_16h37_32.png

3. VPN Remote Access Policy based on user "testowy2":

2013-11-06_16h40_09.png

This doesn't work.

When I remove "testowy2" from below policy, communication working OK.

Question once again:  How I can make VPN policy based on user /group?

Do you have any ideas?

Best regards

Krzysztof

3 Replies
seebvey
Level 10
Report Inappropriate Content
Message 2 of 4

Re: Firewall Enterprise 8.x and ShrewSoft Client per username ACL

Hello Krzysztof,

i think you have to do it with IP.

But if  you are using a Client Address Pool in your VPN SA Configuration, then you can do Fixed IP Mappings based on the Username which allows you to

do different rules for different IP's/Users.

regards

Seeb

Re: Firewall Enterprise 8.x and ShrewSoft Client per username ACL

Hi

another way is using certificates and doing by a user role

Regards

Re: Firewall Enterprise 8.x and ShrewSoft Client per username ACL

Hi, what you're asking for it can be done. If you want to use an external authetication scheme you have to use Active authentication, then define external groups that have to match with group ID in your Active Directory for example. Once a user brings up the tunnel he must authenticate against the firewall by open a browser page to the URL: https://<firewall internal IP address>:8111/login.html. The firewall will check credentials and group ID with the AD server and if they're OK the web page will turn to green with a "Successful Login" message. Then the user will be granted with an access according to the policy you configured in the rule for RDP service.

You don't have to confuse the VPN tunnel and authetication configuration with the configuration described above. They're two completely different configurations.

I hope this helps

Regards.

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community