Example: authenticating VPN client users
This scenario shows an example of restricting VPN access so that only specific users can access the secure network.
Company A’s employees include several consultants who frequently work at customer locations, but also remotely access Company A’s secure network. All users are stored in the Management Server’s internal directory, and there is a separate User Group called Consultants for accounts belonging to the consultants. The administrators have set up a mobile VPN for remote access. They want to allow all users to establish an SD-WAN tunnel to the office, but allow only users in the Consultants group to access the secure network.
The administrators:
- Create a rule that establishes an SD-WAN tunnel and allows users in the Consultants group to access the Secure Network after successful authentication:
  Source: DHCP address range for VPN clients
  Destination: Secure Network
  Service: HTTP, SSH, FTP
  Action: Enforce SD-WAN
  Authentication: Consultants User Group, User Password Authentication
  - This rule allows any user in any directory that is defined in the SMC to authenticate to a VPN client if their allowed authentication methods include User Password.
  - This rule allows any user whose account is stored in the internal directory to use a VPN client to establish an SD-WAN tunnel to the office.
- Create a rule to allow users who have established SD-WAN tunnels to access the company’s internal networks from the DHCP-assigned IP addresses for VPN clients:
  Source: DHCP address range for VPN clients
  Destination: Internal Networks
  Service: ANY
  Action: Allow
  Authentication: -
- Transfer the policy to the engine.
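The following is an added simulation of how the engine walks these two rules for a connection from a VPN client; it is not SMC code and does not model tunnel setup, only first-match access-rule evaluation. The address ranges are constructed, and it assumes the Secure Network is a separate element that is not contained in Internal Networks.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample networks (assumption: Secure Network is not inside Internal Networks)
VPN_CLIENT_RANGE = ip_network("10.200.0.0/24")   # DHCP address range for VPN clients
INTERNAL_NETWORKS = [ip_network("10.0.0.0/16")]  # Internal Networks
SECURE_NETWORK = ip_network("10.50.0.0/24")      # Secure Network

@dataclass
class Rule:
    name: str
    sources: list
    destinations: list
    services: Optional[set]            # None models the ANY service cell
    action: str
    auth_groups: Optional[set] = None  # None models an empty Authentication cell

@dataclass
class Connection:
    src: str
    dst: str
    service: str
    user_groups: set = field(default_factory=set)
    authenticated: bool = False        # True once User Password authentication succeeded

def _in_any(addr: str, networks) -> bool:
    return any(ip_address(addr) in n for n in networks)

def match(rule: Rule, c: Connection) -> bool:
    if not _in_any(c.src, rule.sources) or not _in_any(c.dst, rule.destinations):
        return False
    if rule.services is not None and c.service not in rule.services:
        return False
    if rule.auth_groups is not None:
        # Authentication cell: the user must be authenticated and belong to a listed group
        return c.authenticated and bool(rule.auth_groups & c.user_groups)
    return True

# The two rules from the example, in policy order
POLICY = [
    Rule("consultants-secure", [VPN_CLIENT_RANGE], [SECURE_NETWORK],
         {"HTTP", "SSH", "FTP"}, "Enforce SD-WAN", {"Consultants"}),
    Rule("vpn-internal", [VPN_CLIENT_RANGE], INTERNAL_NETWORKS, None, "Allow"),
]

def evaluate(policy, c: Connection) -> str:
    """First matching rule wins; no match falls to the implicit deny at the end of the policy."""
    for rule in policy:
        if match(rule, c):
            return rule.action
    return "Deny (implicit)"
```

A non-consultant from the VPN client range is never matched by the first rule, and because the Secure Network is outside Internal Networks the second rule does not match either, so the connection hits the implicit deny.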