SSL VPN Access

To all, I am trying to restrict specific users to ONLY access specific subnets when on the VPN, while others that are part of the same group need to have all access. My client SSLVPN has the 3 available subnets listed, my group VPN under users has all available networks available to the users that are part of the group, and my test user ONLY has 1 subnet assigned. However, this test user, when logging in, has access to all 3 subnets.
Best Answer
Pocho Newbie ✭
As far as I know, privileges are inherited, so if the group has access to all, the users belonging to the group would all have access to what the group says on top of whatever the user itself has. So I think the users that need all access need a separate group that the test user does not belong to; then you would assign all privileges on the new group and the test user separately, leaving the original group without any privileges. I think it would be something like SSLVPN Services (no privileges on the VPN tab), having the new group (privileges to all) as a member and the test user (limited access) as a member as well.
Answers
Thanks Pocho. I will try what you suggested. I would think this would work in the opposite direction where users of the group get the group access and then restricting more to a specific user but I will see what happens.
Thanks
I confirmed that permissions work from the bottom up not top down.
I restricted the group and gave the test user more access.
This resolved the issue.
Sorry to return to this chat.
I created a separate group and restricted the test user to 2 subnets and 1 host. The host is part of a 10.254.x.x/24 subnet. However, this test user has access to other devices within that subnet. Not working as expected.
Mmm, that is strange. I just tested it really quick on a TZ 670 running the latest firmware and it works. In my case I have the SSLVPN with routes to the X0 and X7 subnets for the client routes under NETWORK > SSLVPN > Client Settings > Default Device Profile > Client Routes. Then the Test User is part of the SSLVPN Services group, which has the X7 and X0 subnets under the VPN tab, and the user itself has a single IP from the X0 subnet and the X7 subnet for the VPN Access tab. With this I can reach everything on the X7 subnet and only the 1 IP on the X0 subnet when I connect with the SSLVPN.
Maybe you are pulling a privilege from somewhere else. When you connect, if you go to NETWORK > USERS > Status and then mouse over the user groups for the test user, check all the groups that it shows and then compare the VPN Access tab on each one of them to see if something is giving it more access than it should.
This is strange. The test user is part of a group I pulled them out of and in the new group. When I check the group that I pulled it out of and look at members, the test user is not in the group, yet when I mouse over as you mentioned, they show in the group. I am rebooting the FW to see what happens.
Ok, this is how I got it to work and why it did not work as expected.
Why it did not work.
Getting it to work.
In order to get this to work originally, I followed this KB:
https://www.sonicwall.com/support/knowledge-base/ssl-vpn-client-is-connected-and-authenticated-but-can-t-access-internal-lan-resources/170503557761052
which resolved my original issue, but I needed to restrict more based on user access.
I appreciate all the input but I think I am all set for now.