
How can I lock down the User Portal to a specific AD Group?

I am manually migrating from UTM 9.X to XG and I am really enjoying this; however, I can't seem to find where I can lock down the User Portal logins to a particular group in my Active Directory.

I found where I can control which adapters the user portal is available on (LAN versus WAN), but this seems to evade me :(



  • You can do this by modifying the "Search Queries" in the Authentication Server configuration. Many engineers use a generic top-level search query which will authenticate anyone in the Active Directory tree (for example "dc=domain,dc=local").
    This makes initial deployment easy, as it can often be difficult in some networks to determine the most effective way to limit it further.

    If you narrow the search query further you can limit user authentication to specific sections of your Active Directory tree, or even down as far as a group. Care needs to be taken, though, as this narrows the authentication for all users of the authentication server (even SSO users, which might be authenticating via STAS or SATC).

    Don't forget that even if you don't limit the authentication event itself, you can still limit access to resources such as the internet via a User rule in your policy base. This can be easier in that you authenticate absolutely all users and then only provide internet access to the chosen group.

    Leon Friend

    Sophos Sales Engineer

    Sophos XG Firewall - Certified Architect, Sophos Certified Engineer, Cyberoam CCNSE, Cyberoam CCNSP

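Added example, not code from Sophos or from the poster: a small Python model of the two approaches the answer describes. It treats the authentication server's search query as an LDAP subtree search base that every client of that server (User Portal and STAS/SATC-style SSO alike) goes through, and contrasts narrowing that base with keeping it broad and gating the portal on group membership afterwards. The directory entries, user names, OU and group DNs are constructed for illustration, the narrowing case is modelled with an OU rather than a group DN, and the assumption that the "Search Queries" value behaves as a subtree search base follows the answer above.

```python
"""Model of how an LDAP search base scopes who can authenticate, and of the
alternative of a broad base plus a group check.  Added example; the directory
below is constructed, and the Sophos "Search Queries" field is assumed to act
as an LDAP subtree search base, as the answer above describes."""
from dataclasses import dataclass


def parse_dn(dn):
    """Split a DN into lower-cased RDN strings, honouring backslash-escaped commas."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return [r.lower() for r in rdns if r]


def dn_in_subtree(entry_dn, base_dn):
    """True when entry_dn equals base_dn or lies beneath it (LDAP subtree scope)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


@dataclass
class User:
    dn: str
    sam: str                 # sAMAccountName used at the login prompt
    member_of: tuple = ()    # memberOf values (group DNs)


GROUP = "cn=PortalUsers,ou=Groups,dc=domain,dc=local"

# Constructed sample directory (hypothetical names, not real accounts).
DIRECTORY = [
    User("cn=alice,ou=Staff,dc=domain,dc=local", "alice", (GROUP,)),
    User("cn=bob,ou=Staff,dc=domain,dc=local", "bob"),
    User("cn=carol,ou=Contractors,dc=domain,dc=local", "carol", (GROUP,)),
    User("cn=svc-backup,ou=Service Accounts,dc=domain,dc=local", "svc-backup"),
]

BROAD_BASE = "dc=domain,dc=local"            # the generic top-level query
NARROW_BASE = "ou=Staff,dc=domain,dc=local"  # a narrowed search query


def find_user(directory, base_dn, sam):
    """Emulate the firewall's lookup: only entries under the search base are found."""
    for user in directory:
        if user.sam.lower() == sam.lower() and dn_in_subtree(user.dn, base_dn):
            return user
    return None


def portal_allowed(directory, base_dn, sam, required_group=None):
    """Portal access: the user must be found under base_dn and, when a group is
    required (the 'User rule' approach), must carry that group in memberOf."""
    user = find_user(directory, base_dn, sam)
    if user is None:
        return False
    if required_group is None:
        return True
    wanted = parse_dn(required_group)
    return any(parse_dn(g) == wanted for g in user.member_of)


def evaluate(directory, base_dn, sam, required_group=None):
    """What one search base means for a user across the server's clients.
    'sso' models STAS/SATC or any other client using the same server: it only
    needs the lookup to succeed.  'portal' additionally applies the group rule."""
    return {
        "sso": find_user(directory, base_dn, sam) is not None,
        "portal": portal_allowed(directory, base_dn, sam, required_group),
    }


if __name__ == "__main__":
    for base, group, label in (
        (BROAD_BASE, None, "broad base, no group rule"),
        (NARROW_BASE, None, "narrowed base (also affects SSO)"),
        (BROAD_BASE, GROUP, "broad base + group rule on the portal"),
    ):
        print(label)
        for u in DIRECTORY:
            print("  ", u.sam, evaluate(DIRECTORY, base, u.sam, group))
```

Running it shows the trade-off the answer points at: with the narrowed base, carol (a contractor who is meant to use the portal) is no longer found at all, so both her portal login and her SSO identification fail; with the broad base plus the group rule, everyone still authenticates for SSO, while only members of the constructed PortalUsers group pass the portal check.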