External User groups are not matched correctly when connecting to SNX Portal

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk110014
Technical Level
Product	Mobile Access / SSL VPN
Version	R77.30 (EOL)
Platform / Model	All
Date Created	08-Feb-2016
Last Modified	20-Nov-2018

Symptoms

External User groups are not matched correctly when connecting to SNX Portal - users get permissions to access resources, which they are not supposed to access.

Debug of VPND daemon (per sk89940) shows that the involved user is matched to Generic profile:

[ PID][Date Time][AU] au_fetchuser_callback(o=0x... user=0x0): start ldap_err=0
[ PID][Date Time][AU] au_fetch_generic_profile: checking GUP NameofInvolvedProfile-profile for InvolvedUserName
[ PID][Date Time][AU] au_fetch_generic_profile: checking GUP generic* for InvolvedUserName
[ PID][Date Time][AU] au_fetchuser_callback(o=0x...): GUP found (InvolvedUserName)
[ PID][Date Time][AU] au_fetchuser_callback(o=0x...): user obj: (InvolvedUserName
  :AdminInfo (
    :chkpf_uid ("{...}")
    :ClassName (user)
    :table (users)
    :LastModified (
      :Time ("...")
    (-1)
  )
  :destinations (
    : (Any)
  )
  :groups (
    : (NameofGenericProfile
      :type (usrgroup)

Connection to Mobile Access Portal with the same External User works correctly (user is matched to the correct profile).

Cause

The VPND daemon does not take into account the Domain Name, and matches the user to the <em>Generic*</em> profile.

Solution

Note: To view this solution you need to Sign In .