This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

user based network security

Hi,

I would like to move to an astaro firewall from my current sonicwalls.
I need the ability to control network security policies on a per user basis (authenticated against the firewall).
We can do this on the sonic by loggining into the web portal.
While we can authenticate on the astaro (with webadmin or by being an AD account) the firewall does not seem to integrate this into the packet filter.

Am I missing anything here or is there a plan to support this capability?

Thanks

This thread was automatically locked due to age.

Parents

0 Ölm over 15 years ago

Bob, yes and no.
You are right, you can use that User network objects as well as group network objects in the "source" field of packetfilter rules. This is also what I have said in my post ("....which you can use in the pf rules  "source".").

However, the "user network objects" are ONLY filled in with ip adresses if the user authenticates via a VPN technologie - pptp, l2tp, ssl or ipsec - against the ASG.
The "authentication" of a user at the webadmin GUI, the user portal , the SOCKS proxy, the POP3 proxy  or the http/s proxy (SSO or basic auth), will NOT lead to the ASG associating the ip address of the users PC to the users network object.
Thsi means the "user network object" will be "empty" in these cases, thus the pf rule with the "user network object" will never match.

You can proof this very simple  by logging in the user portal of your ASG with a username/pw. Then go into Definitions- Networks, select the "user network object" of the user you just logged in - and you will still see the "unresolved" message.

BTW this is exactly what ninja already discovered :
"Having looked at the network definitions which contains the backend AD  group as well as the individual AD user accounts that have been  populated on the astaro each under IP shows "unresolved".
Is this expected or shouldn't I be able to view the IP associated with  the AD user?"

Indeed, it IS expected, it works as designed, however, it would be nice if it would work different ;-)
There are already feature requests in the feature.astaro.com portal describing this type of authentication. Feel free to vote for them.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Ölm over 15 years ago

Bob, yes and no.
You are right, you can use that User network objects as well as group network objects in the "source" field of packetfilter rules. This is also what I have said in my post ("....which you can use in the pf rules  "source".").

However, the "user network objects" are ONLY filled in with ip adresses if the user authenticates via a VPN technologie - pptp, l2tp, ssl or ipsec - against the ASG.
The "authentication" of a user at the webadmin GUI, the user portal , the SOCKS proxy, the POP3 proxy  or the http/s proxy (SSO or basic auth), will NOT lead to the ASG associating the ip address of the users PC to the users network object.
Thsi means the "user network object" will be "empty" in these cases, thus the pf rule with the "user network object" will never match.

You can proof this very simple  by logging in the user portal of your ASG with a username/pw. Then go into Definitions- Networks, select the "user network object" of the user you just logged in - and you will still see the "unresolved" message.

BTW this is exactly what ninja already discovered :
"Having looked at the network definitions which contains the backend AD  group as well as the individual AD user accounts that have been  populated on the astaro each under IP shows "unresolved".
Is this expected or shouldn't I be able to view the IP associated with  the AD user?"

Indeed, it IS expected, it works as designed, however, it would be nice if it would work different ;-)
There are already feature requests in the feature.astaro.com portal describing this type of authentication. Feel free to vote for them.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data