One of the easiest ways, in my opinion, to control VPN access is with DAP. Let’s dig into this with an example. We will be authenticating the user via LDAP, and we have two different VPN groups: Forwards and Goalies. We’ll restrict the Goalies with an ACL while the Forwards can go anywhere.
First we create a policy for the Forwards.
We query LDAP and if the user is a member of the Forwards group, they get access. I set a custom User Message so that when testing I know it is working correctly. Next we create one for Goalies.
We’ve also added an ACL restricting their access. Next we need to prevent anyone else from logging in. The DAPs are read top down, and if a user does not fall into one of the groups we’ve defined they get the DfltAccessPolicy. We need to change it so it does not allow VPN connections. We do this by selecting the Terminate action.
That’s it. So our DAP looks like this:
The DAPs are read from top down, so make sure to properly adjust the ACL Priority.
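To make the selection logic above concrete, here is a small added model of it in Python; it is not the ASA's own DAP engine, and the group DNs, ACL name and message strings are constructed for the example. It aggregates every matching record, orders ACLs by priority, and falls back to a terminating DfltAccessPolicy when nothing matches, which is exactly the "nobody else gets in" behaviour the post is after.

```python
"""Simplified model of DAP selection (illustration only, not ASA code)."""
from dataclasses import dataclass
from typing import List, Optional

TERMINATE = "terminate"
CONTINUE = "continue"


@dataclass
class DapRecord:
    name: str
    member_of: Optional[str]   # LDAP group DN to match on; None means "always matches"
    action: str = CONTINUE
    user_message: str = ""
    acl: Optional[str] = None  # network ACL applied when this record matches
    acl_priority: int = 0      # higher priority ACLs are placed first


@dataclass
class DapResult:
    action: str
    matched: List[str]
    messages: List[str]
    acls: List[str]


# Constructed policy set mirroring the post: Forwards (unrestricted), Goalies (ACL),
# and a DfltAccessPolicy switched to Terminate.
FORWARDS_DN = "CN=Forwards,OU=Teams,DC=example,DC=com"
GOALIES_DN = "CN=Goalies,OU=Teams,DC=example,DC=com"
POLICIES = [
    DapRecord("Forwards", FORWARDS_DN, user_message="Forwards DAP applied"),
    DapRecord("Goalies", GOALIES_DN, user_message="Goalies DAP applied",
              acl="GOALIES-RESTRICT", acl_priority=10),
]
DEFAULT = DapRecord("DfltAccessPolicy", None, action=TERMINATE,
                    user_message="No policy matched; connection terminated")


def matches(record: DapRecord, ldap_member_of: List[str]) -> bool:
    """Compare whole DNs case-insensitively; a substring match would let a group
    such as 'Goalies-Coaches' satisfy the Goalies record by accident."""
    if record.member_of is None:
        return True
    wanted = record.member_of.casefold()
    return any(dn.casefold() == wanted for dn in ldap_member_of)


def evaluate(ldap_member_of: List[str], policies=POLICIES, default=DEFAULT) -> DapResult:
    matched = [r for r in policies if matches(r, ldap_member_of)] or [default]
    action = TERMINATE if any(r.action == TERMINATE for r in matched) else CONTINUE
    acls = [r.acl for r in sorted(matched, key=lambda r: -r.acl_priority) if r.acl]
    return DapResult(action, [r.name for r in matched],
                     [r.user_message for r in matched], acls)
```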