This article describes how to lock down access to Access Gateway Enterprise Edition SSL VPN by Active Directory User Groups.
Complete the following procedures:
Using GUI
Complete the following steps:
Go to Access Gateway > Policies > Authentication > Servers > Add.
Type a Name for the Server.
Choose the Authentication Type as LDAP.
Type the values for Server IP Address and Port. The port is one of:
Standard LDAP: port 389
Secure LDAP (LDAPS): port 636
A custom port
Type the values for the following fields in the Create Authentication Server screen:
Using CLI
Issue the following command:
add authentication ldapAction Test-AD -serverIP 10.10.10.10 -ldapBase "DC=domain,DC=com" -ldapBindDn Administrator@domain.com -ldapBindDnPassword fd2604527edf73 -encrypted -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN
Using GUI
Complete the following steps:
Go to Access Gateway > Policies > Authentication > Policies > Add.
Type a Name for the policy.
Choose the Authentication Type as LDAP.
Select the server created in the previous step.
Under Named Expressions, select General and then True Value.
Using CLI
Issue the following command:
add authentication ldapPolicy Test-AD-policy ns_true Test-AD
Using GUI
Complete the following steps:
Go to Access Gateway > Policies > Session > Profiles > Add.
Click the Security tab and type the AD group name in the Allowed Login Groups field (allowedLoginGroups in the CLI). Multiple groups can be added, separated by commas ( , ).
Using CLI
Issue the following command:
add vpn sessionAction Test-AD-SessProf -SSO ON -ssoCredential PRIMARY -allowedLoginGroups TestADGroup
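The following is an added example, not code from the Citrix article: a small Python model of how the LDAP group extraction settings configured above (groupAttrName memberOf, subAttributeName CN) combine with the session profile's allowedLoginGroups list to admit or reject a logon. All DNs, user names, group names and the allow-list in it are constructed sample data, and exact string comparison of group names is an assumption.

```python
"""
Added example, not code from the Citrix article: a model of how the
LDAP group extraction settings on the page (groupAttrName memberOf,
subAttributeName CN) combine with the session profile's allowedLoginGroups
list to admit or reject a logon. All DNs, group names and the allow-list
below are constructed sample data.
"""
import re
from typing import List, Optional


def parse_group_cn(dn: str) -> Optional[str]:
    """Return the value of the leading CN= RDN of an LDAP DN, or None.

    This mirrors subAttributeName CN: only the first RDN is used, so the
    container the group lives in (OU=..., DC=...) is discarded. A comma
    escaped as "\\," inside a value is part of the value, not a separator
    (RFC 4514 escaping), so it must not be split on.
    """
    rdns = re.split(r"(?<!\\),", dn)
    first = rdns[0].strip()
    if first[:3].upper() != "CN=":
        return None
    # Drop the escape backslashes so "Sales\, EMEA" becomes "Sales, EMEA".
    return re.sub(r"\\(.)", r"\1", first[3:])


def extract_groups(member_of: List[str]) -> List[str]:
    """Group names derived from a user's memberOf values, in directory order."""
    names = (parse_group_cn(dn) for dn in member_of)
    return [cn for cn in names if cn]


def parse_allowed_login_groups(value: str) -> List[str]:
    """Split the comma-separated allowedLoginGroups setting into group names."""
    return [g.strip() for g in value.split(",") if g.strip()]


def is_login_allowed(member_of: List[str], allowed_login_groups: str) -> bool:
    """Admit the user if any extracted group name is on the allow-list.

    An empty allow-list means no group restriction, which is the state the
    article's session profile setting removes. Exact string comparison is
    assumed here; confirm case handling on your own firmware.
    """
    allowed = set(parse_allowed_login_groups(allowed_login_groups))
    if not allowed:
        return True
    return any(cn in allowed for cn in extract_groups(member_of))


# Constructed sample users (memberOf values as a directory search returns them).
ALICE_MEMBER_OF = [
    "CN=TestADGroup,OU=Groups,DC=domain,DC=com",
    "CN=Domain Users,CN=Users,DC=domain,DC=com",
]
BOB_MEMBER_OF = [
    "CN=Domain Users,CN=Users,DC=domain,DC=com",
    "CN=Sales\\, EMEA,OU=Groups,DC=domain,DC=com",
]
# Same CN as the allowed group, but a different group in another OU.
EVE_MEMBER_OF = [
    "CN=TestADGroup,OU=Contractors,DC=domain,DC=com",
]

if __name__ == "__main__":
    samples = [("alice", ALICE_MEMBER_OF), ("bob", BOB_MEMBER_OF), ("eve", EVE_MEMBER_OF)]
    for user, groups in samples:
        print(user, extract_groups(groups), is_login_allowed(groups, "TestADGroup"))
```

Two points the sample users make visible. Eve is admitted although she is in a different group than Alice, because subAttributeName CN keeps only the group's CN and the allow-list is compared against that name alone; keep the CNs of groups used for VPN access unique across the directory. In the other direction, memberOf lists a user's direct group memberships only, so a user who belongs to TestADGroup solely through a nested group is not admitted unless the appliance is configured to resolve nested groups.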
Using GUI
Complete the following steps:
Go to Access Gateway > Virtual Servers > Add.
Click the Authentication tab.
Select Enable Authentication.
Click Insert Policy and select the authentication policy created in the preceding step.
Go to Policies tab and click Session.
Click Insert Policy and select the session policy created in the preceding step.
Click Create to create the Virtual Server.
Using CLI
Issue the following commands:
add vpn vserver TestAD-AG-vserver SSL 10.10.10.11 443
bind vpn vserver TestAD-AG-vserver -policy Test-AD-SessPol -priority 100
bind vpn vserver TestAD-AG-vserver -policy Test-AD-policy -priority 100
The following is a screenshot of the error message received when a user who is not a member of the AD group tries to log on to the Access Gateway.