
Always on VPN and authorization policies



Hi,

I have successfully gotten an AlwaysOn VPN machine tunnel to work properly. However, I would like to limit the traffic and can't seem to get any authorization policies to work properly. It's always all or nothing. If I set default authorization to deny in my session policy bound to the gateway vserver, then specify authorization allow policies bound to the AAA group of which the computer object is a member, it can no longer access anything. If I turn the session policy default back to allow, then full tunnel access works again. Anyone have an idea why this is happening? I tried two different ways: throwing the successful EPA scan into a default authorization group called epa_pass, then binding policies to this group; then tried adding a next factor to the EPA to grab the AD groups of the computer object, then binding the policy to the AAA group. Still can't get it to work the way I wanted. I have a case open already but am curious if anyone might have an idea. We are on version 14.1, and using the Secure Access client on the endpoint.
The goal of this is for Autopilot deployments; I only want the machine tunnel to have access to what is necessary for domain controller traffic, to authenticate and cache the first login post-Autopilot deployment.

In syslog I keep seeing "denied by policy SETTMSESSSPARAMS_POL", which looks to be some built-in policy.


Posted (edited)
8 hours ago, CarlStalhood said:

Have you tried binding authorization policies directly to the Gateway Virtual Server?

Hi Carl

I can't seem to bind an Authorization policy on a Gateway vserver, only to a user or group. The message I keep seeing in syslog is below.
[screenshot of the syslog message]

I went ahead and created the user in the syslog message to test, and it still doesn't work, as if authorization policies are simply ignored and not taken into account. I don't know if the authorization logic is even evaluated when it's a machine tunnel at this point; first time I've played with the Always-On VPN portion of the NetScaler.


Edited by Sergio Masone1709161115

Have you confirmed that the machine tunnel switches over to user tunnel? ... and once that's done, can you see the LDAP group extract in aaad.debug and the groups you have defined in AAA Groups? Just checking the basics to be sure.


2 hours ago, Kari Ruissalo said:

Have you confirmed that the machine tunnel switches over to user tunnel? ... and once that's done, can you see the LDAP group extract in aaad.debug and the groups you have defined in AAA Groups? Just checking the basics to be sure.

I'm not using the user tunnel portion, which looks to be optional, just the machine tunnel. When the device boots up and the EPA scan passes, I see the group extraction happen against the computer object just fine; it's just that the authorization policies assigned to the group are not working or not being evaluated for the machine tunnel, it seems.

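For readers following the thread, here is the configuration Sergio describes rendered as NetScaler CLI. This is an added illustration, not configuration posted by anyone in the thread and not a resolution of the problem: the session action sets authorization to default-deny on the Gateway vserver, and an ALLOW authorization policy scoped to domain-controller traffic is bound to the AAA group that the computer object's AD group extraction lands in. All object names, the 10.0.0.0/24 domain-controller subnet and the port list are placeholders chosen for the example; the final `show` and `shell` lines are the checks Kari's reply points at (bound policies on the group, and the group extract in aaad.debug).

```nscli
# Added example (not from the thread). Names, subnet and ports are placeholders.

# 1. Session action with authorization default-deny, bound to the Gateway vserver
add vpn sessionAction SA_MACHINE_TUNNEL -defaultAuthorizationAction DENY -transparentInterception ON -clientlessVpnMode OFF
add vpn sessionPolicy SP_MACHINE_TUNNEL true SA_MACHINE_TUNNEL
bind vpn vserver VPN_VS_EXAMPLE -policy SP_MACHINE_TUNNEL -priority 100 -gotoPriorityExpression NEXT -type REQUEST

# 2. ALLOW only domain-controller traffic: Kerberos, LDAP/LDAPS, SMB, DNS, RPC endpoint mapper
#    (placeholder subnet 10.0.0.0/24; everything else falls through to the default DENY)
add authorization policy AUTHZ_ALLOW_DC "CLIENT.IP.DST.IN_SUBNET(10.0.0.0/24) && (CLIENT.TCP.DSTPORT.EQ(88) || CLIENT.TCP.DSTPORT.EQ(389) || CLIENT.TCP.DSTPORT.EQ(636) || CLIENT.TCP.DSTPORT.EQ(445) || CLIENT.TCP.DSTPORT.EQ(135) || CLIENT.TCP.DSTPORT.EQ(53) || CLIENT.UDP.DSTPORT.EQ(88) || CLIENT.UDP.DSTPORT.EQ(53))" ALLOW

# 3. AAA group whose name matches the AD group extracted for the computer object, with the ALLOW policy bound
add aaa group DC_TUNNEL_COMPUTERS
bind aaa group DC_TUNNEL_COMPUTERS -policy AUTHZ_ALLOW_DC -priority 100 -gotoPriorityExpression END

# 4. Checks: confirm the binding, then watch the group extract for the computer object during a machine-tunnel logon
show aaa group DC_TUNNEL_COMPUTERS
show authorization policy AUTHZ_ALLOW_DC
shell cat /tmp/aaad.debug
```

If the extracted group name in aaad.debug does not match the AAA group name exactly (case and spelling), the ALLOW policy is never consulted and the session-level default DENY is what you see in syslog.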
