Client VPN Authorization Rules


I have clients set up with mutual authentication and am looking to set up some authorization rules, but I'm hitting an issue where the authorization rules don't seem to work for anything smaller than a /16 subnet.

For example, I have the following setup:

Networks
VPC Network - 10.1.0.0/16

Client A - Member of AD Group A
Client B - Member of AD Group B

AD Group A has authorization rule to allow access to 10.1.1.0/24
AD Group B has authorization rule to allow access to 10.1.0.0/16

Route Table has route to 10.1.0.0/16

Client A and B are both able to connect successfully

Client B can ping 10.1.1.1 but Client A cannot

If I change the authorization rule for AD Group A to match AD Group B the ping works.

Seems like I am missing something or there is an issue with the authorization interpretation of smaller subnets.

Edited by: Hockercs on Feb 15, 2019 9:25 AM

chocker
Asked 5 years ago, 185 views
1 answer

The authorization rule order is significant and once a network match is found it stops processing additional rules.

So the authorization rule for 10.1.1.0/24 must appear higher in the list than 10.1.0.0/16.

Also, for Client B, which should have access to the entire 10.1.0.0/16 subnet, those users will need to be members of both AD Group A and AD Group B in order to get access to 10.1.1.0/24 and the rest of the /16 subnet.

chocker
answered 5 years ago
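To make the ordering effect concrete, here is an added example (not code from the thread or from AWS) that models the first-match evaluation the answer describes over the exact rules and clients the question lists; it assumes rules that name the same target network are merged so any listed group is allowed, which reproduces the asker's observation that giving Group A a /16 rule made the ping work.

```python
import ipaddress

# Constructed scenario from the thread: one VPC, two AD groups, two rules.
RULES_AS_POSTED = [
    ("10.1.0.0/16", "AD Group B"),   # /16 rule listed first
    ("10.1.1.0/24", "AD Group A"),   # /24 rule listed after it
]
RULES_REORDERED = [
    ("10.1.1.0/24", "AD Group A"),   # more specific rule moved above the /16
    ("10.1.0.0/16", "AD Group B"),
]

def _merge(rules):
    """Collapse rules that name the same target network into one entry
    (any of the listed groups is allowed), keeping first-seen order.
    This merging is an assumption of the model, not documented behaviour."""
    merged = {}
    for cidr, group in rules:
        merged.setdefault(ipaddress.ip_network(cidr), set()).add(group)
    return merged

def is_authorized(rules, dest_ip, client_groups):
    """First-match evaluation as the answer describes it: walk the rules in
    order, stop at the first target network that contains dest_ip, and allow
    only if the client belongs to one of that entry's groups.
    Returns (allowed, matched_cidr_or_None)."""
    ip = ipaddress.ip_address(dest_ip)
    for network, groups in _merge(rules).items():
        if ip in network:
            return (bool(groups & set(client_groups)), str(network))
    return (False, None)   # no rule matched: implicit deny

def reachability(rules, client_groups, targets):
    """Map each target host to whether this client may reach it."""
    return {t: is_authorized(rules, t, client_groups)[0] for t in targets}

if __name__ == "__main__":
    hosts = ["10.1.1.1", "10.1.2.1"]   # one inside the /24, one only in the /16
    for name, rules in (("as posted", RULES_AS_POSTED), ("reordered", RULES_REORDERED)):
        print(name)
        print("  Client A (Group A):   ", reachability(rules, ["AD Group A"], hosts))
        print("  Client B (Group B):   ", reachability(rules, ["AD Group B"], hosts))
        print("  Client B (A and B):   ", reachability(rules, ["AD Group A", "AD Group B"], hosts))
```

Running it shows Client A denied for 10.1.1.1 with the rules as posted, allowed once the /24 rule is moved up, and Client B then losing 10.1.1.1 unless added to Group A as well, which is the answer's third point.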
