Rejected Connection Message
Hi there, I'm in the process of setting up AuthPoint for Mobile SSL-VPN access. So far so good, but I was wondering if there was a way to change the message a user gets if they're trying to connect outside of the policy restrictions.
For example, I would like to create a policy that allows users to connect only during business hours. The policy works fine, but it would be nice if there were a way to tell the user they are unable to connect because of the restrictions we've configured. Right now the client just doesn't connect and asks if they want to try the previous config.
It would save some after hours headaches if they knew why it wouldn't let them connect vs just thinking it's not working. This may be less an AuthPoint thing, and more related to the VPN client software of course.
Any ideas would be appreciated.
thanks!
Best Answer
-
james.carson Moderator, WatchGuard Representative
Hi @actionmike
At this current point in time there's no way to do this, but it might be worth a feature request for the future.This type of thing may be possible for SAML, but for SSLVPN where there's no/not much of a way for AuthPoint to talk back (due to RADIUS being the protocol generally used to accomplish this) it may not be possible.
I'd suggest opening a case and requesting that as a feature.
Are you using the WatchGuard Mobile VPN w/SSL client, or something different?
-James Carson
WatchGuard Customer Support0
Answers
Thanks James, no problem. It was a bit of a long shot.
I'm testing with both the WatchGuard client and also the OpenVpn client. Both seem to work well so far. We've been using both currently with our "standard Active Directory" authentication for a few years now, but I'm leaning towards the WG client as it's easier to deploy remotely.
In my original post I mentioned that I was trying to allow users to connect only during business hours. I thought I had that working, but apparently it's not working how I want it to. I found the help for setting up the authentication policies a little vague, so maybe you can point me in the right direction?
What I tried was creating a policy that has "Authentication not allowed" with a time schedule applied that's active weekdays from 22:00 to 23:59 and 00:01 to 06:00. I then have a second policy that allows the same user group to authenticate, with the deny policy given priority. My understanding was that if the user tried to connect, and the time was outside the ranges set on the deny policy that AP would then skip to the allow policy.
Is that how it's supposed to work or is there something I'm missing?
thanks again, Mike.