Log in to the SSL VPN as user wuhao. This user's authorized policy group is 11, which corresponds to the resources in context 111.
#
local-user wuhao class network
password cipher $c$3$Hul4p6f7YCQRExHqGyyfUsWrbFcCvhM3yA==
service-type sslvpn
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group 11
#
sslvpn context 111
gateway 11 domain test
ip-tunnel interface SSLVPN-AC1
ip-tunnel address-pool pool mask 255.255.255.0
ip-tunnel web-resource auto-push
login-message chinese 欢迎来到安全组
login-message english Welcome to security-group
logo file logo111.jpg
webpage-customize system
ip-route-list rlist
include 20.0.0.0 255.255.255.0
url-item 防火墙
url https://77.78.79.1
sso method basic
sso basic custom-username-password enable
url-item 知网
url ***.***
url-list urllist
heading web
resources url-item 防火墙
resources url-item 知网
shortcut 1111
execution url('http://1.1.1.1')
policy-group 11
ip-tunnel access-route ip-route-list rlist
resources url-list urllist
certificate-authentication enable
authentication use any-one
service enable
#
sslvpn context 222
gateway 11 domain wuhao
ip-tunnel interface SSLVPN-AC1
ip-tunnel address-pool pool mask 255.255.255.0
ip-tunnel web-resource auto-push
login-message chinese 欢迎来到安全组
login-message english Welcome to security-group
logo file logo111.jpg
webpage-customize system
ip-route-list rlist
include 10.0.0.0 255.255.255.0
url-item 防火墙
url https://77.78.79.2
sso method basic
sso basic custom-username-password enable
url-item 知网
url ***.***
url-list urllist
heading web
resources url-item 防火墙
resources url-item 知网
shortcut 1111
execution url('http://1.1.1.1')
policy-group 22
ip-tunnel access-route ip-route-list rlist
resources url-list urllist
default-policy-group 22
certificate-authentication enable
authentication use any-one
service enable
#
Now log in to SSL VPN context 222 with the same user wuhao, entering that context's domain name, wuhao, in the domain field of iNode. The user dials up successfully and can access the resources under context 222.
Normally this should be impossible: user wuhao is only authorized for policy group 11 under context 111 and has never been issued policy group 22 under context 222, so the login to context 222 should be rejected.
#
local-user wuhao class network
password cipher $c$3$Hul4p6f7YCQRExHqGyyfUsWrbFcCvhM3yA==
service-type sslvpn
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group 11
#
Checking the configuration of the contexts further, we found that context 222 has a default policy group configured, default-policy-group 22. The meaning of this command is as follows:
even a user who has not been authorized for this context can log in and receive the default resource group of the corresponding context.
After removing this command, each user can dial in only to the context whose resources they were actually authorized for.
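To catch this misconfiguration in a review rather than after a user notices it, the following script (an added example, not part of the original case and not an H3C tool) parses a Comware-style SSL VPN configuration, reports every context that carries a default-policy-group, and, for a given user, shows which contexts that user can reach only because of such a default group. It assumes the text layout shown above: blocks separated by "#" and keywords at the start of each line; indentation is ignored, so the indented form from display current-configuration parses the same way. The sample configuration embedded in the script is constructed to mirror the case.

```python
"""Audit a Comware-style SSL VPN config for contexts that set a default policy
group. Added example, not from the original case: the config text layout is
assumed to match the blocks shown in the case ('#' separators, keywords at line
start); indentation is ignored."""
import re

# Constructed sample mirroring the case: wuhao is authorized for policy group 11
# (context 111); context 222 also carries default-policy-group 22.
SAMPLE_CONFIG = """\
#
local-user wuhao class network
 service-type sslvpn
 authorization-attribute sslvpn-policy-group 11
#
sslvpn context 111
 gateway 11 domain test
 policy-group 11
  ip-tunnel access-route ip-route-list rlist
 service enable
#
sslvpn context 222
 gateway 11 domain wuhao
 policy-group 22
  ip-tunnel access-route ip-route-list rlist
 default-policy-group 22
 service enable
#
"""


def parse_blocks(config_text):
    """Split the config at '#' separators into lists of stripped lines."""
    blocks, current = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def parse_config(config_text):
    """Return (users, contexts): users maps name -> authorized sslvpn policy
    group; contexts maps name -> {'groups': set, 'default': str or None}."""
    users, contexts = {}, {}
    for block in parse_blocks(config_text):
        head = block[0]
        user = re.match(r"local-user (\S+) class network", head)
        if user:
            for line in block[1:]:
                m = re.match(r"authorization-attribute sslvpn-policy-group (\S+)", line)
                if m:
                    users[user.group(1)] = m.group(1)
            continue
        ctx = re.match(r"sslvpn context (\S+)", head)
        if ctx:
            info = {"groups": set(), "default": None}
            for line in block[1:]:
                # re.match anchors at line start, so 'default-policy-group'
                # does not match the plain 'policy-group' pattern.
                m = re.match(r"policy-group (\S+)", line)
                if m:
                    info["groups"].add(m.group(1))
                m = re.match(r"default-policy-group (\S+)", line)
                if m:
                    info["default"] = m.group(1)
            contexts[ctx.group(1)] = info
    return users, contexts


def audit(config_text):
    """List every context whose default-policy-group lets users that were never
    authorized for that context still log in and use its resources."""
    _, contexts = parse_config(config_text)
    return [
        f"context {name}: default-policy-group {info['default']} admits any "
        f"authenticated user; remove it unless that is intended"
        for name, info in sorted(contexts.items())
        if info["default"] is not None
    ]


def reachable_contexts(config_text, username):
    """Map each context the user can log in to onto the reason: 'authorized'
    (their policy group exists in that context) or 'default-policy-group'."""
    users, contexts = parse_config(config_text)
    group = users.get(username)
    reach = {}
    for name, info in sorted(contexts.items()):
        if group in info["groups"]:
            reach[name] = "authorized"
        elif info["default"] is not None:
            reach[name] = "default-policy-group"
    return reach


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    print("wuhao can reach:", reachable_contexts(SAMPLE_CONFIG, "wuhao"))
```

Running it on the sample reports context 222 and shows wuhao reaching context 111 as "authorized" but context 222 only through "default-policy-group"; deleting the default-policy-group line from the sample makes both findings disappear, which is exactly the fix applied in the case.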