Hi
We have set up AD authentication on our XG and imported a "VPN Users" AD group onto our XG. The VPN Users group is assigned to the SSLVPN.
If a user authenticates via the SSLVPN 2.1 client, a user is created in the "VPN Users" group on the firewall, the config downloads, and the VPN works OK.
If, however, a user is not in the AD group and attempts to VPN in, the user is created in the default Open Group and the VPN fails to connect.
We expect the VPN to fail to connect, but is there a way to prevent the user from being created on the firewall in the first place?
i.e. we only want users created on the firewall if they are members of the AD "VPN Users" group that was imported.
Otherwise we then have to log in to the firewall and delete the user, and then VPN back in for it to create the user in the correct group.
Or manually move the user to the XG "VPN Users" group (but then it also hangs on to "other groups" and shows the Open Group listed).
We also don't want a malicious actor to password spray the Sophos user portal against all AD user accounts - which currently would seem possible. Surely there is a way to limit authentication into the user portal to JUST the imported AD VPN Users group?
Is this possibly done with the AD search string somehow? Currently we allow it to search the "company users" OU in AD, which contains all users.
Thanks
Dan
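The directory-side scoping the post asks about, as an added example that is not part of the original post or of any Sophos documentation: build the LDAP filter that only returns a user when that user is in the VPN group, so an account outside the group never comes back from the lookup and there is nothing for the firewall to create. The group DN, the base OU and the sample accounts are constructed for the example, and the local `lookup()` applies the same predicate the filter expresses so the behaviour can be checked offline. Whether the XG's "AD search string" field accepts a full RFC 4515 filter like this is not something the post establishes; the filter is what a generic LDAP client would send. Two details a practitioner would want are included: the username taken from the login form is escaped before it goes into the filter (otherwise `*` or `)` can widen the query), and nested group membership is handled with AD's LDAP_MATCHING_RULE_IN_CHAIN rule rather than the direct-only `memberOf` match.

```python
"""Scope an AD user lookup to one group with an LDAP filter.

Added example (not from the original post or from Sophos). All DNs and
sample accounts below are constructed; adjust to the real directory.
"""
from typing import Dict, List, Optional, Set

# RFC 4515 escaping for values placed inside a filter. Needed because the
# username comes from a login form, not from a trusted source.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


# AD extensible-match rule for transitive (nested) group membership.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def group_scoped_filter(username: str, group_dn: str,
                        uid_attr: str = "sAMAccountName",
                        nested: bool = False) -> str:
    """Filter that matches `username` only if it belongs to `group_dn`.

    With nested=False only direct members match (memberOf is not transitive);
    with nested=True AD resolves group-in-group membership server side.
    """
    member_attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    return (f"(&(objectClass=user)"
            f"({uid_attr}={ldap_escape(username)})"
            f"({member_attr}={ldap_escape(group_dn)}))")


# ---- constructed directory snapshot standing in for the "company users" OU ----
GROUP_DN = "CN=VPN Users,OU=Groups,DC=example,DC=local"
STAFF_DN = "CN=Staff,OU=Groups,DC=example,DC=local"
NESTED_DN = "CN=Contractors VPN,OU=Groups,DC=example,DC=local"  # member of VPN Users
USER_OC = ["top", "person", "user"]
GROUP_OC = ["top", "group"]
DIRECTORY: List[Dict[str, object]] = [
    {"dn": "CN=alice,OU=Company Users,DC=example,DC=local", "objectClass": USER_OC,
     "sAMAccountName": "alice", "memberOf": [GROUP_DN, STAFF_DN]},   # direct member
    {"dn": "CN=bob,OU=Company Users,DC=example,DC=local", "objectClass": USER_OC,
     "sAMAccountName": "bob", "memberOf": [STAFF_DN]},               # not a member
    {"dn": "CN=carol,OU=Company Users,DC=example,DC=local", "objectClass": USER_OC,
     "sAMAccountName": "carol", "memberOf": [NESTED_DN]},            # nested member
    {"dn": NESTED_DN, "objectClass": GROUP_OC, "memberOf": [GROUP_DN]},
    {"dn": GROUP_DN, "objectClass": GROUP_OC, "memberOf": []},
    {"dn": STAFF_DN, "objectClass": GROUP_OC, "memberOf": []},
]


def _transitive_groups(entry: Dict[str, object],
                       directory: List[Dict[str, object]]) -> Set[str]:
    """Walk memberOf links upward, the way the IN_CHAIN rule does."""
    by_dn = {e["dn"]: e for e in directory}
    seen: Set[str] = set()
    stack = list(entry.get("memberOf", []))
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        parent = by_dn.get(dn)
        if parent:
            stack.extend(parent.get("memberOf", []))
    return seen


def lookup(username: str, group_dn: str, directory: List[Dict[str, object]],
           nested: bool = False) -> Optional[str]:
    """Local evaluation of the predicate group_scoped_filter() expresses.

    Returns the matching user's DN, or None when no entry matches. A None
    here is the point of the exercise: an account outside the group is not
    returned, so nothing is there to bind against or to create downstream.
    """
    for e in directory:
        if "user" not in e.get("objectClass", []):
            continue
        if e.get("sAMAccountName") != username:   # exact match, as the escaped filter is
            continue
        groups = _transitive_groups(e, directory) if nested else set(e.get("memberOf", []))
        if group_dn in groups:
            return str(e["dn"])
    return None


if __name__ == "__main__":
    print(group_scoped_filter("alice", GROUP_DN, nested=True))
    for name in ("alice", "bob", "carol", "*"):
        print(f"{name:6} direct={lookup(name, GROUP_DN, DIRECTORY)!s:45} "
              f"nested={lookup(name, GROUP_DN, DIRECTORY, nested=True)}")
```

A filter like this also narrows the surface the post worries about: a password spray against names outside the group gets no directory hit to authenticate against, whereas a plain OU search base returns every account in the OU and leaves group enforcement to a later step.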