ScreenOS Firewalls (NOT SRX)

VPN xauth users and ACLs

‎04-16-2009 09:46 AM


I was wondering if it's possible to create an XAuth user profile that gives:

  1. an IP address (from a certain pool);
  2. binds that user to a specific policy (to prevent him from accessing some resources in the LAN).

I've done this with IOS using local authentication, but I don't see how I can do this in an SSG 20 or 140.


Any ideas?




Re: VPN xauth users and ACLs

‎04-16-2009 07:44 PM



You can use XAuth to auth users and provide specific IP assignments (via IP/NAT Pool), but the policy is unique to the VPN and not a user. You can restrict resources in the Policy, but the Netscreen Remote software has classful limitations and is unable to permit/deny multiple subnets. I would recommend using a Route Based VPN and then adding policy as needed (i.e. VPN Trust Permit). If you have users with different needs, you can assign them an IP instead of using an IP from the pool. This would allow you to leverage policies as needed. Does this help?



John Judge

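The approach in the reply above, sketched as a ScreenOS configuration fragment; this is an added example, not configuration posted by anyone in the thread. It assumes a route-based dial-up VPN whose tunnel interface already sits in a custom zone named "VPN" and an IKE gateway already using the local XAuth server; every name, address and password is a constructed placeholder, the `#` lines are annotations rather than commands, and the command syntax should be checked against the CLI reference for your ScreenOS release.

```screenos
# Shared pool for ordinary XAuth users (covers 10.10.10.64/26)
set ippool "vpn-pool" 10.10.10.65 10.10.10.126
set xauth default ippool "vpn-pool"

# Restricted user: fixed address outside the pool, so a policy can match it
set user "contractor1" password "CHANGE-ME"
set user "contractor1" type xauth
set user "contractor1" remote-settings ipaddr 10.10.10.5

# Address book entries for the VPN side and the protected LAN
set address "VPN" "vpn-contractor1" 10.10.10.5/32
set address "VPN" "vpn-pool-range" 10.10.10.64/26
set address "Trust" "intranet-web" 192.168.1.20/32
set address "Trust" "lan" 192.168.1.0/24

# Policies are evaluated top-down: allow the one permitted resource,
# then explicitly deny and log everything else from the restricted address
set policy from "VPN" to "Trust" "vpn-contractor1" "intranet-web" "HTTP" permit log
set policy from "VPN" to "Trust" "vpn-contractor1" "Any" "ANY" deny log

# Pool users keep general LAN access
set policy from "VPN" to "Trust" "vpn-pool-range" "lan" "ANY" permit
```

The restriction depends on the fixed address staying outside the pool range; if the two overlap, a pool user could be handed the restricted user's address or the restricted user could match the broader permit.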