Question: Is it possible to make access through ShrewSoft VPN client based on firewall (or external) user or groups?
I've tried conf like this, but doesn't work.
1. X-Auth config based on local firewall admin:
2. Connection using those local firewall user. Connection OK:
3. VPN Remote Access Policy based on user "testowy2":
This doesn't work.
When I remove "testowy2" from below policy, communication working OK.
Question once again: How I can make VPN policy based on user /group?
Do you have any ideas?
i think you have to do it with IP.
But if you are using a Client Address Pool in your VPN SA Configuration, then you can do Fixed IP Mappings based on the Username which allows you to
do different rules for different IP's/Users.
another way is using certificates and doing by a user role
Hi, what you're asking for it can be done. If you want to use an external authetication scheme you have to use Active authentication, then define external groups that have to match with group ID in your Active Directory for example. Once a user brings up the tunnel he must authenticate against the firewall by open a browser page to the URL: https://<firewall internal IP address>:8111/login.html. The firewall will check credentials and group ID with the AD server and if they're OK the web page will turn to green with a "Successful Login" message. Then the user will be granted with an access according to the policy you configured in the rule for RDP service.
You don't have to confuse the VPN tunnel and authetication configuration with the configuration described above. They're two completely different configurations.
I hope this helps