Dear SMEs,
I noticed today a "weird" behaviour in PAM 3.4.
The use case is the following:
User Dario can connect to PAM from two different IP addresses (intranet 10.100.x.x and VPN from home 10.16.x.x). Based on the location, the user must access different devices, have different access methods, or use different Services.
I implemented two User Groups (local and vpn) with the correct IP limitations, and user Dario is in both.
Then defined two Devices Groups, with one device (1.1.1.1) for the Intranet Group and a different device (2.2.2.2) for the VPN Group.
Wrote two policies to connect User Group and Device Group (local with Intranet and vpn with VPN).
To my complete surprise, PAM allows user Dario to see both devices, no matter where he's connecting from.
At this point the question is very easy: why are the IP limitations in the User Groups not respected and, most of all, not checked? It is evident that PAM is merging the two policies, even though the IP limitation in the Group should not allow this to happen.
Any suggestion/explanation is appreciated...
Regards,
Dario