
Firewall Enterprise 8.x and ShrewSoft Client per username ACL

Hi,

Question: Is it possible to control access through the ShrewSoft VPN client based on firewall (or external) users or groups?

I've tried a configuration like this, but it doesn't work.

1. X-Auth configuration based on a local firewall admin:

[screenshot attached: 2013-11-06_16h34_54.png]

2. Connection using that local firewall user. Connection OK:

[screenshot attached: 2013-11-06_16h37_32.png]

3. VPN Remote Access Policy based on the user "testowy2":

[screenshot attached: 2013-11-06_16h40_09.png]

This doesn't work.

When I remove "testowy2" from the policy below, communication works OK.

Question once again: how can I make a VPN policy based on user/group?

Do you have any ideas?

Best regards

Krzysztof

3 Replies

Re: Firewall Enterprise 8.x and ShrewSoft Client per username ACL

Hello Krzysztof,

I think you have to do it with IP addresses.

But if you are using a Client Address Pool in your VPN SA configuration, then you can do Fixed IP Mappings based on the username, which allows you to write different rules for different IPs/users.

regards

Seeb


Re: Firewall Enterprise 8.x and ShrewSoft Client per username ACL

Hi

Another way is using certificates and doing it by user role.

Regards


Re: Firewall Enterprise 8.x and ShrewSoft Client per username ACL

Hi, what you're asking for can be done. If you want to use an external authentication scheme you have to use Active authentication, then define external groups that have to match the group IDs in your Active Directory, for example. Once a user brings up the tunnel, he must authenticate against the firewall by opening a browser page to the URL https://<firewall internal IP address>:8111/login.html. The firewall will check the credentials and group ID with the AD server, and if they're OK the web page will turn green with a "Successful Login" message. Then the user will be granted access according to the policy you configured in the rule for the RDP service.

Don't confuse the VPN tunnel and authentication configuration with the configuration described above. They're two completely different configurations.

I hope this helps

Regards.
