The [whitelist source=user_list] section allows whitelisting users based on a User List policy configured in SPS (Policies > User Lists). To enable this whitelist, configure one of the use cases below.
|
NOTE:
The user names are compared to the User List in a case-sensitive manner. |
For details on creating user lists, see "Creating and editing user lists" in the Administration Guide.
Type: | string |
Required: | no |
Default: | N/A |
Description: The name of a User List policy containing gateway users configured on SPS (Policies > User Lists). You can use this option to selectively require multi-factor authentication for your users (for example, to create break-glass access for specific users).
To allow specific users to connect without providing
To enforce
The [whitelist source=ldap_server_group] section allows whitelisting users based on LDAP Server group membership. To enable this whitelist, configure one of the use cases below.
|
NOTE:
The user names and groups are compared in LDAP in a case-insensitive manner. |
[whitelist source=ldap_server_group] allow=<no_user-or-all_users> except=<group-1>,<group-2>
Type: | string (all_users | no_users) |
Required: | no |
Default: | N/A |
Description: This parameter defines whether to allow all users or no user to connect without providing
Type: | string |
Required: | no |
Default: | N/A |
Description: This parameter defines those specific LDAP/AD group(s) that are exempt from the rule defined by the allow parameter.
To allow members of specific LDAP/AD group(s) to connect without providing
[whitelist source=ldap_server_group] allow=<no_user> except=<group-1>,<group-2>
You must configure the name of the LDAP Server policy in the [ldap_server] section.
To enforce
[whitelist source=ldap_server_group] allow=<all_users> except=<group-1>,<group-2>
You must configure the name of the LDAP Server policy in the [ldap_server] section.
By default, SPS assumes that the RADIUS server username of the user is the same as the gateway username (that is, the username the user used to authenticate on SPS during the gateway authentication). To identify the users, SPS uses the username (login) field in RADIUS server, which is an email address.
If the gateway usernames are different from the RADIUS server usernames, you must configure the SPS RADIUS plugin to map the gateway usernames to the RADIUS server usernames. You can use the following methods:
Explicit mapping: [usermapping source=explicit]
LDAP server mapping: [usermapping source=ldap]
To look up the
If the
If you configure both the append_domain parameter in the [username_transform] section and the [usermapping source=ldap_server] section of the SPS
The Explicit method has priority over the LDAP server method.
If you have configured neither the append_domain parameter nor any of the [USERMAPPING] sections, SPS assumes that the RADIUS username of the user is the same as the gateway username.
To map the gateway user name to an external
Type: | string |
Required: | no |
Default: | N/A |
Description: To map the gateway user name to an external
Type the gateway user name instead of <example-user-1>.
Type the external
|
NOTE:
Use this option only if there are not only a few users, or for testing purposes. If there are too many users, it can cause performance issues. |
© ALL RIGHTS RESERVED. 利用規約 プライバシー Cookie Preference Center