I created 4 test users on my domain and added two of them into a group called vpnusers. I did not manually add any of those users to the dynamic VPN configuration on my SRX; instead I just added user-group vpnusers. To my surprise I was actually able to log in. The problem now is that all users on the domain can log in with dynamic VPN, even though I specifically wanted only users that are members of the vpnusers group.
Here's my configuration for the dynamic VPN:
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set access profile dyn-vpn-access-profile authentication-order ldap
set access profile dyn-vpn-access-profile ldap-options base-distinguished-name CN=Users,DC=testlab123,DC=com
set access profile dyn-vpn-access-profile ldap-options search search-filter sAMAccountName=
set access profile dyn-vpn-access-profile ldap-options search admin-search distinguished-name CN=administrator,CN=Users,DC=testlab123,DC=com
set access profile dyn-vpn-access-profile ldap-options search admin-search password password123$
set access profile dyn-vpn-access-profile ldap-server 192.168.1.28 port 389
set access firewall-authentication pass-through default-profile dyn-vpn-access-profile
set access profile dyn-vpn-access-profile session-options client-group vpnusers
set security dynamic-vpn clients all user-group vpnusers
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all remote-protected-resources 192.168.1.0/24
How can I get dynamic VPN to only accept LDAP users in a specific group?
Thanks!
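As an added example (not part of the original post and not Juniper's configuration), here is the restriction the question asks for written out as an LDAP search filter and evaluated against a small constructed directory in Python. The group DN CN=vpnusers,CN=Users,DC=testlab123,DC=com is an assumption built from the base DN in the post; the account names and memberships are made up for the example. Whether the SRX search-filter option accepts a compound filter of this form is not something the post settles, so treat the filter as what you would hand to ldapsearch or to an LDAP-backed RADIUS server to express "this account AND this group".

```python
"""
Group-restricted LDAP user lookup, as an added example for the dynamic-VPN
question above.  Not from the original post or from Juniper.

Assumptions (labelled here and in the lead-in):
  - the group the post calls "vpnusers" lives at
    CN=vpnusers,CN=Users,DC=testlab123,DC=com (the post only gives the base DN)
  - the directory contents in DIRECTORY are constructed for this example
"""
from typing import Dict, List, Optional

BASE_DN = "CN=Users,DC=testlab123,DC=com"
GROUP_DN = "CN=vpnusers,CN=Users,DC=testlab123,DC=com"  # assumed group DN

# Active Directory's transitive-membership matching rule (LDAP_MATCHING_RULE_IN_CHAIN).
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a supplied username cannot break out of the filter.

    Without this, a login name such as  *)(objectClass=*  would turn a
    user lookup into a wildcard match.
    """
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def group_restricted_filter(username: str, group_dn: str = GROUP_DN) -> str:
    """Filter that matches only an existing account that is a DIRECT member.

    memberOf on the user object lists direct memberships only, so a user who
    is in vpnusers via a nested group would NOT match this filter.
    """
    return "(&(sAMAccountName=%s)(memberOf=%s))" % (
        escape_filter_value(username), escape_filter_value(group_dn))


def nested_group_filter(username: str, group_dn: str = GROUP_DN) -> str:
    """Same restriction, but transitive: also matches members of nested groups.

    Uses AD's in-chain matching rule; the directory does the group walk.
    """
    return "(&(sAMAccountName=%s)(memberOf:%s:=%s))" % (
        escape_filter_value(username), IN_CHAIN, escape_filter_value(group_dn))


# Constructed directory for the example: sAMAccountName -> direct memberOf DNs.
DIRECTORY: Dict[str, List[str]] = {
    "alice": [GROUP_DN],
    "bob": [GROUP_DN],
    "carol": [],
    "dave": ["CN=Domain Users,CN=Users,DC=testlab123,DC=com"],
}


def lookup_dn(username: str,
              directory: Dict[str, List[str]] = DIRECTORY,
              group_dn: str = GROUP_DN) -> Optional[str]:
    """Apply the predicate that group_restricted_filter() expresses.

    This is the step an admin-search bind performs before the user's own bind:
    resolve the user's DN.  Returning None for non-members is what turns
    "all domain users can log in" into "only vpnusers members can log in",
    because there is no DN left to authenticate against.
    """
    groups = directory.get(username)
    if groups is None:          # account does not exist
        return None
    if group_dn not in groups:  # exists, but not a direct member of the group
        return None
    return "CN=%s,%s" % (username, BASE_DN)


if __name__ == "__main__":
    for user in ("alice", "carol", "dave", "*)(objectClass=*"):
        print("%-20s filter=%s -> %s" % (
            user, group_restricted_filter(user), lookup_dn(user)))
```

The direct-membership filter is the one to start with; switch to the in-chain form only if the VPN group is populated through nested groups, since the transitive walk is more expensive on the directory and only Active Directory understands that matching rule.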