
User is a member of multiple AD groups - why is it not working for MFA / 2FA?

We have AD-synced groups. We use them for firewall rule permissions, SSL VPN access and MFA control on the firewall.

Now we have this scenario:

User XY is member of these groups:

Group A  (used for a firewall rule)
Group B  (all members of the company, used for MFA assignment)
Group C  (some members of the company, used for SSL VPN profile)

The firewall thinks Group A is the primary group.

In MFA we use Group B to define that all users must use 2FA.

In the SSL VPN profile we use Group C. This works.

Unfortunately, MFA is not working as expected because the firewall does not offer the QR code to the user.

This would only work if we added Group A to the MFA users. But this seems wrong to me.

Also, I don't want to add the individual user to the MFA setting, which would also work.

How can we ensure that the MFA engine accepts all potential groups of a user?



Added TAGs
[edited by: Raphael Alganes at 2:08 PM (GMT -8) on 5 Nov 2024]
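To make the behaviour the question describes concrete, here is an added example (not Sophos code and not part of the original post). It models the assumption that SFOS assigns each user to the first group, in the firewall's configured group order, that the user is a member of (the "primary group"), and that MFA is enforced only when that primary group, or the user individually, is listed under MFA users. The user list, group names and group order are constructed to mirror the scenario in the question; `unprotected()` reports members of an MFA group who would still not be prompted for a QR code, and the `__main__` block also shows what re-ordering the groups does to that gap.

```python
"""Model of first-match group assignment and the MFA gap it produces.

Constructed example; not Sophos code. Assumes SFOS assigns a user to the
first group, in the firewall's configured group order, that the user is a
member of (the "primary group"), and that MFA applies only when that primary
group (or the user) is listed under MFA users.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Verdict:
    user: str
    primary_group: Optional[str]
    mfa_enforced: bool


def primary_group(memberships: Iterable[str], group_order: List[str]) -> Optional[str]:
    """Return the first group in group_order that the user belongs to (first match)."""
    member_set = set(memberships)
    for group in group_order:
        if group in member_set:
            return group
    return None


def evaluate(users: Dict[str, List[str]], group_order: List[str],
             mfa_groups: Set[str], mfa_users: FrozenSet[str] = frozenset()) -> List[Verdict]:
    """Compute each user's primary group and whether MFA would be enforced for them."""
    verdicts = []
    for name, groups in users.items():
        pg = primary_group(groups, group_order)
        enforced = name in mfa_users or (pg is not None and pg in mfa_groups)
        verdicts.append(Verdict(name, pg, enforced))
    return verdicts


def unprotected(users: Dict[str, List[str]], group_order: List[str],
                mfa_groups: Set[str], mfa_users: FrozenSet[str] = frozenset()) -> List[str]:
    """Members of an MFA group who would NOT get MFA under first-match assignment."""
    return sorted(
        v.user
        for v in evaluate(users, group_order, mfa_groups, mfa_users)
        if not v.mfa_enforced and any(g in mfa_groups for g in users[v.user])
    )


# Constructed sample data mirroring the thread's scenario (hypothetical names).
USERS = {
    "userXY": ["GroupA", "GroupB", "GroupC"],  # FW rule, all-staff MFA, SSL VPN
    "alice": ["GroupB", "GroupC"],
    "bob": ["GroupB"],
}
GROUP_ORDER = ["GroupA", "GroupB", "GroupC"]   # order as configured on the firewall
MFA_GROUPS = {"GroupB"}                         # only the all-staff group is an MFA group


def demo() -> List[str]:
    """Users left without MFA in the constructed scenario."""
    return unprotected(USERS, GROUP_ORDER, MFA_GROUPS)


def demo_reordered() -> List[str]:
    """Same users after moving the MFA group to the top of the order."""
    return unprotected(USERS, ["GroupB", "GroupA", "GroupC"], MFA_GROUPS)


if __name__ == "__main__":
    for v in evaluate(USERS, GROUP_ORDER, MFA_GROUPS):
        print(f"{v.user:8} primary={v.primary_group!s:8} mfa={v.mfa_enforced}")
    print("MFA gap:", demo())
    print("MFA gap after re-ordering:", demo_reordered())
```

With Group A ahead of Group B in the order, userXY's primary group is Group A and no MFA enrollment is offered, which is exactly the symptom described above; alice and bob fall through to Group B and are covered. Moving the MFA group to the top closes that gap, but any other facility that also keys off the primary group is affected by the same re-ordering, so the audit should be repeated for each such facility after a change.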
  • Today, after re-ordering the AD groups on SFOS, we noticed that the Hotspot administrators' groups no longer had access to the Hotspots in their user portal.

    It is really a pain that SFOS actually IS aware of a user's multiple group memberships but is unable to use them for many of its facilities, like MFA or, here, Hotspot.

    This is totally against the logic of using groups.

    We have AD groups that allow some users access to some FW destinations only when they are members of Group A.

    There is no need for Group A to have MFA, Hotspot or SSL VPN.

    On the other hand, we have Group B, which has Admin permissions in a Hotspot. Its members do not belong to Group A.

    Group C allows some users SSL VPN access. Of course, SSL VPN users require MFA. When we add Group C to MFA users, we need to be sure that Group C is the primary group for the user so SFOS can handle the MFA facility. Group C should not have Hotspot Admin permissions, but some users of Group C do.

    and so on.

    Now we need to add single users as Hotspot admins, and single users to MFA or other facilities like SSL VPN.

    You cannot do it the right way.

    We wouldn't have any issues if SFOS were finally capable of using all of a user's group memberships EVERYWHERE!

  • I feel you. The incomplete implementation of multiple AD groups is kind of a PITA!
