SSLVPN: need confirmation on LDAP functionality
Good morning, all. Currently using NSA2650 devices with the latest firmware. The SSLVPN lash-up is working as expected, using our AD infrastructure for authentication; MFA is functioning for those users.
My question is this: given that the default setup in Users & Groups is set up with "All LDAP users" as an approved group, does this mean, BY DEFAULT, that all users anywhere in the AD OU structure can use LDAP? We have MFA set up and functioning for users within a couple of OUs of our own definition; however, any other user can connect to the SonicWall WITHOUT needing MFA. We do NOT want to just drop the other users into the MFA OUs, because that would be a security risk, but we need to stop them from being able to connect to the SonicWall.
Does this NECESSARILY mean we must import ALL AD USERS into the firewall as local users, then set up a group of permitted SSLVPN users? We really would like to be able to say ONLY THESE USERS may connect with MFA, but without regularly importing all users as local users as our user base changes.
No, the KB articles on this are not clear.