SSLVPN: need confirmation on LDAP functionality
Good morning, all. Currently using NSA2650 devices with latest firmware. SSLVPN lash-up is working as expected using our AD infrastructure for authentication; MFA is function for those users.
My question is this: given that the default setup in Users & Groups is setup with "All LDAP users" as an approved group, does this mean, BY DEFAULT, that all users anywhere in the AD OU structure, can use LDAP? We have MFA setup and functioning for users within a couple OUs of our definition, however, any other user can connect to the Sonicwall WITHOUT needing MFA. We do NOT want to just drop the other users in the MFA OUs because that would be a security risk, but we need to stop them from being able to connect to the Sonicwall.
Does this NECESSARILY mean we must import ALL AD USERS into the firewall as local users, then setup a group of permitted SSLVPN users? We really would like to be able to say ONLY THESE USERS may connect with MFA, but without importing all users as local users regularly as our user base changes.
No, the KB articles on this are not clear.
@SteveBottoms create a group in the AD and assign the Users as members which you like to grant VPN access to.
Import this AD group (which is only a reference) into the NSa and add it as Member to the SSLVPN Services Group, et voila.
Michael, thanks for responding!
First, the current "SSLVPN Services" group contains the user group "All LDAP Users" already, and can't be removed, so I assume you're suggesting creating a NEW group into which the imported AD users group should be added to, and they assign that new group to the Users | Settings | Authentication | Users & Groups dialog under "Default LDAP Users Group", correct?
Second, the dialog to "Import User Groups" does not permit specific group targeting, so what's going to be imported? Everything? Only the USERS OU groups? If everything, I assume I'll need to clean up the 99% of user groups that were imported that don't need to be?
To answer the questions posed: "given that the default setup in Users & Groups is setup with "All LDAP users" as an approved group, does this mean, BY DEFAULT, that all users anywhere in the AD OU structure, can use LDAP?" Yes. LDAP is simply for authentication / accounting.
"Does this NECESSARILY mean we must import ALL AD USERS into the firewall as local users, then setup a group of permitted SSLVPN users?" No, you do not need to import all AD users into the firewall.
In Resolution for SonicOS 7.X Step 3 (Add Server Directory settings) of the above article you can specify an OU that contains only the user accounts that you want SSLVPN access. This is how I used to do it and it wasn't right. It worked for SSLVPN but things like SSO wouldn't work for all accounts on the domain (the authentication \ accounting part).
The way BWC described, and the above article, is mostly how I do it now. I set the "default LDAP user group" to "everyone" and mirror the LDAP user groups locally with a 10 minute refresh period. Then the appropriate user group is added to SSLVPN Services built-in group.
Hope that helps.