The information you are about to copy is INTERNAL!
DO NOT share it with anyone outside Check Point.
External User groups are not matched correctly when connecting to SNX Portal
| Solution ID |
sk110014 |
| Product |
Mobile Access / SSL VPN |
| Version |
R77.30 |
| Platform / Model |
All |
| Date Created |
08-Feb-2016
|
| Last Modified |
20-Nov-2018
|
Symptoms
External User groups are not matched correctly when connecting to SNX Portal - users get permissions to access resources, which they are not supposed to access.
Debug of VPND daemon (per sk89940) shows that the involved user is matched to Generic profile:
[ PID][Date Time][AU] au_fetchuser_callback(o=0x... user=0x0): start ldap_err=0
[ PID][Date Time][AU] au_fetch_generic_profile: checking GUP NameofInvolvedProfile-profile for InvolvedUserName
[ PID][Date Time][AU] au_fetch_generic_profile: checking GUP generic* for InvolvedUserName
[ PID][Date Time][AU] au_fetchuser_callback(o=0x...): GUP found (InvolvedUserName)
[ PID][Date Time][AU] au_fetchuser_callback(o=0x...): user obj: (InvolvedUserName
:AdminInfo (
:chkpf_uid ("{...}")
:ClassName (user)
:table (users)
:LastModified (
:Time ("...")
(-1)
)
:destinations (
: (Any)
)
:groups (
: (NameofGenericProfile
:type (usrgroup)
Connection to Mobile Access Portal with the same External User works correctly (user is matched to the correct profile).
Cause
The VPND daemon does not take into account the Domain Name, and matches the user to the <em>Generic*</em> profile.
Solution
|
Note: To view this solution you need to
Sign In
.
|
