Restrict Remote VPN to a specific AD Group with NCC

Options
LESPIAUC_Info_40
LESPIAUC_Info_40 Posts: 3  Freshman Member
First Comment First Anniversary
in Nebula

Hi,

I try to restrict Remote VPN to a specific AD group but I can't do it.

Here is screenshots of my configuration :

Capture d'écran 2025-05-28 162531.png Capture d'écran 2025-05-28 162547.png Capture d'écran 2025-05-28 162558.png

Do I've made a mistake ?

Thks

All Replies

  • LESPIAUC_Info_40
    LESPIAUC_Info_40 Posts: 3  Freshman Member
    First Comment First Anniversary

    Any ideas ?

  • Zyxel_Melen
    Zyxel_Melen Posts: 3,526  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @LESPIAUC_Info_40,

    I did a local lab with your security policy. Based on these security policies, the VPN connection will always hit the deny rule, since the VPN user information hasn't learned on firewall.

    For workaround, we can set some rules to block VPN traffic for non-VPN group users. Below is the example:

    image.png

    For your original purpose, I'm checking with our engineer. I will update you once I get an update.

    Zyxel Melen


  • Zyxel_Melen
    Zyxel_Melen Posts: 3,526  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Update:

    There is a workaround for this requirement:

    1. Create an user that can only access specific OU, like OU = vpnuser. Other privileges like cn=users, please remove them.
    2. Use this user to setup "authentication service > My AD server".
    3. Use this authentication method for the remote access VPN, this allows to authenticate the AD user that in specific OU.
    Zyxel Melen


Categories

Nebula Tips & Tricks


    Read more

    Nebula Help Center

    EnglishTiếng ViệtРусскийไทย中文(台灣)