Client VPN Authorization Rules

0

I have clients set up with mutual authentication and am looking to set up some authorization rules, but I'm hitting an issue where the authorization rules don't seem to work for anything smaller than a /16 subnet.

For example, I have the following setup:

Networks
VPC Network - 10.1.0.0/16

Client A - Member of AD Group A
Client B - Member of AD Group B

AD Group A has authorization rule to allow access to 10.1.1.0/24
AD Group B has authorization rule to allow access to 10.1.0.0/16

Route Table has route to 10.1.0.0/16

Client A and B are both able to connect successfully

Client B can ping 10.1.1.1 but Client A cannot

If I change the authorization rule for AD Group A to match AD Group B the ping works.

Seems like I am missing something or there is an issue with the authorization interpretation of smaller subnets.

Edited by: Hockercs on Feb 15, 2019 9:25 AM

chocker
Asked 5 years ago, viewed 185 times
1 answer
0

The authorization rule order is significant, and once a network match is found it stops processing additional rules.

So the authorization rule for 10.1.1.0/24 must appear higher in the list than the one for 10.1.0.0/16.

Also, for Client B, who should have access to the entire 10.1.0.0/16 subnet, those users will need to be members of both AD Group A and AD Group B in order to get access to 10.1.1.0/24 as well as the rest of the /16 subnet.

chocker
Answered 5 years ago
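As an added example that is not part of the question or the answer above, here is a small Python model of the evaluation the answer describes: rules are walked in list order, the first rule whose CIDR contains the destination is taken, and access is granted only if that rule's group is one the user belongs to. The ordered first-match semantics is taken from the answer as an assumption, not verified against the service; the rule tables, client group memberships and destination addresses are constructed from the question; the `AuthRule`, `evaluate`, `is_authorized` and `audit` names are mine. Running the questioner's table in both orders reproduces the symptom (Client A denied to 10.1.1.1 while the /16 rule is listed first) and shows why the answer says Group B members also need Group A once the /24 rule is moved up.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class AuthRule:
    """One Client VPN authorization rule: a destination CIDR and the AD group it grants.

    group=None models an "allow access to all users" rule.
    """
    cidr: str
    group: Optional[str]


def evaluate(rules: List[AuthRule], dest_ip: str) -> Optional[AuthRule]:
    """Return the first rule (in list order) whose network contains dest_ip.

    Assumption (from the answer): evaluation stops at the first network match,
    regardless of whether that rule's group grants the user access.
    """
    ip = ipaddress.ip_address(dest_ip)
    for rule in rules:
        if ip in ipaddress.ip_network(rule.cidr):
            return rule
    return None


def is_authorized(rules: List[AuthRule], dest_ip: str, user_groups: Set[str]) -> bool:
    """True if the first-matching rule grants access to a user in user_groups."""
    rule = evaluate(rules, dest_ip)
    if rule is None:
        return False  # no rule covers the destination at all
    return rule.group is None or rule.group in user_groups


def audit(rules: List[AuthRule], dest_ip: str, clients: Dict[str, Set[str]]) -> Dict[str, bool]:
    """Report, per client, whether dest_ip is reachable under this rule table."""
    return {name: is_authorized(rules, dest_ip, groups) for name, groups in clients.items()}


# Constructed from the question: the /16 rule for Group B listed before the /24 rule.
ORIGINAL_ORDER = [
    AuthRule("10.1.0.0/16", "AD Group B"),
    AuthRule("10.1.1.0/24", "AD Group A"),
]

# The ordering the answer recommends: the more specific /24 rule first.
FIXED_ORDER = [
    AuthRule("10.1.1.0/24", "AD Group A"),
    AuthRule("10.1.0.0/16", "AD Group B"),
]

# Constructed client memberships: as described in the question, and as the answer suggests.
CLIENTS_AS_ASKED = {"Client A": {"AD Group A"}, "Client B": {"AD Group B"}}
CLIENTS_PER_ANSWER = {"Client A": {"AD Group A"}, "Client B": {"AD Group A", "AD Group B"}}


if __name__ == "__main__":
    for label, rules, clients in [
        ("original order, groups as asked", ORIGINAL_ORDER, CLIENTS_AS_ASKED),
        ("fixed order, groups as asked", FIXED_ORDER, CLIENTS_AS_ASKED),
        ("fixed order, Client B in both groups", FIXED_ORDER, CLIENTS_PER_ANSWER),
    ]:
        print(f"== {label}")
        for dest in ("10.1.1.1", "10.1.2.1"):
            print(f"  {dest}: {audit(rules, dest, clients)}")
```

The `audit` output for `10.1.1.1` is `{'Client A': False, 'Client B': True}` with the original order and `{'Client A': True, 'Client B': False}` after reordering, until Client B is also placed in AD Group A; for `10.1.2.1` only Group B membership matters in either order. The same evaluator can be pointed at an exported rule list to check which groups actually reach a given address before changing the live endpoint.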
