I have set up authentication using LDAP and it is working fine.
I am trying to restrict VPN access so that only users who are members of a particular Security group (VPN Users) are able to VPN in.
I have created an LDAP attribute map (vpnmap) that checks if the user is a member of the required Security Group and, if so, assigns a group policy (XXXvpntunnel) to it.
However, if a user is not a member of the group, the LDAP attribute map does not assign the above group policy, but the user can still VPN in, and when I check the group policy being used via sh vpn-sessiondb detail remote, it shows the same group policy XXXvpntunnel being used.
I have created another group policy called XXXvpntunneldeny with ipsec sessions set to 0, but how do I assign this group profile to users who are not a memberOf VPN Users, so that they cannot VPN in?
I have also tested by adding SamAccountname in the attribute map and value "Administrator" and group-policy "xxxvpntunneldeny" and it stops Administrator from getting in via VPN, but I want to be able to use a wildcard to prevent all users not in the Security Group VPN Users from connecting via VPN.
Any suggestions on the best way to restrict users not part of the VPN Users group in AD from being able to VPN in?
Change the default group-policy to vpn-simultaneous-logins 0.
Apply a specific vpn-simultaneous-logins to the new group-policy.
group-policy DfltGrpPolicy attributes
group-policy POLICY attributes
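A worked ASA configuration for the deny-by-default approach in this answer, added here as an example (not from the original thread); the server address, DNs, tunnel-group name and login limit are constructed placeholders:

```cisco
! Added example: the attribute map grants the permissive policy only to
! members of "VPN Users". Server address, DNs and names are constructed.
ldap attribute-map vpnmap
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN Users,OU=Groups,DC=example,DC=com" XXXvpntunnel

aaa-server LDAP_SRV protocol ldap
aaa-server LDAP_SRV (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service Accounts,DC=example,DC=com
 ldap-login-password PLACEHOLDER_PASSWORD
 server-type microsoft
 ldap-attribute-map vpnmap

! Deny by default: anyone not matched by the map lands on DfltGrpPolicy
! and is refused because zero simultaneous logins are allowed there.
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0

! Explicit allow only on the policy the map assigns.
group-policy XXXvpntunnel internal
group-policy XXXvpntunnel attributes
 vpn-simultaneous-logins 3

! The tunnel-group must not name XXXvpntunnel as its default policy, or
! every authenticated user inherits it regardless of group membership.
tunnel-group RA_VPN general-attributes
 authentication-server-group LDAP_SRV
 default-group-policy DfltGrpPolicy
```

After a test login, the group policy shown by sh vpn-sessiondb detail remote should read XXXvpntunnel only for members of the group; non-members are rejected at login and never appear in the session table.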
I was able to get this working.
Forget about mapping to the dial-in permissions. Not needed here.
If someone doesn't get mapped to one of your manually created group-policies, only the default group policy applies, and they can't log in.