This article describes how to lock down access to Access Gateway Enterprise Edition SSL VPN by Active Directory User Groups.

Requirements

• Enable Smart Access mode on the Access Gateway Virtual server; the appliance should have an Access Gateway universal license.
• GUI access to Access Gateway Enterprise Edition.
• Microsoft Active Directory Users and Computers MMC.
• Knowledge of Active Directory.

Instructions

Complete the following procedures:

• Create Authentication Server

• Create Authentication Profile

• Create Session Profile

Create Authentication Server

Complete the following steps:

1. Go to Access Gateway > Policies > Authentication > Servers > Add.
   

2. Type a Name for the Server.

3. Choose the Authentication Type as LDAP.

4. Type the values for Server IP Address and Port.

   Standard LDAP 389
   Secure LDAP port 636
   Or a custom port 

5. Type the values for the following fields in the Create Authentication Server screen:

   • Base DN
   • Administrator DN using the full UPN
   • Administrator Password
   • Confirm Administrator Password
   • Server Logon Name Attribute as sAMAccountName
   • Group Attribute as memberOf
   • Sub Attribute Name as CN
6. Select Security Type as Plaintext, TLS or SSL.

Using CLI

Issue the following command:

add authentication ldapAction Test-AD -serverIP 10.10.10.10 -ldapBase "DC=domain,DC=com" -ldapBindDn Administrator@domain.com -ldapBindDnPassword fd2604527edf73 -encrypted -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN

Create Authentication Profile

Using GUI

Complete the following steps:

1. Go to Access Gateway > Policies > Authentication > Policies > Add.
   

2. Type a Name for the policy.

3. Choose the Authentication Type as LDAP.

4. Select the server created in the previous step.

5. Select Name Expressions as General and True Value.

Using CLI

Issue the following command:

add authentication ldapPolicy Test-AD-policy ns_true Test-AD

Create Session Profile

Using GUI

Complete the following steps:

1. Go to Access Gateway > Policies > Session > Profiles > Add.
   

2.  Click the Security tab.
   

   Multiple groups can be added and separated using commas ( , ).
   

Using CLI

Issue the following command:

add vpn sessionAction Test-AD-SessProf -SSO ON -ssoCredential PRIMARY -allowedLo
ginGroups TestADGroup

Create Access Gateway Virtual Server or bind Session and Authentication Profile to a Virtual Server

Using GUI

Complete the following steps:

1. Go to Access Gateway > Virtual Servers > Add.

2. Click Authentication tab.

3. Select Enable Authentication.

4. Click Insert Policy and select the authentication policy created in the preceding step.
   

5. Go to Policies tab and click Session.

6. Click Insert Policy and select the session policy created in the preceding step.

7. Click Create to create the Virtual Server.
   

Using CLI

Issue the following command:

add vpn vserver TestAD-AG-vserver SSL 10.10.10.11 443 bind vpn vserver TestAD-AG-vserver -policy Test-AD-SessPol -priority 100 bind vpn vserver TestAD-AG-vserver -policy Test-AD-policy -priority 100

The following is a screen shot of the error message received when a user who is not a member of the AD Group tried to log on to the Access Gateway.