Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 12 replies
  • Subscribers 1 subscriber
  • Views 5441 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Group in filter assignment doesn't work

pelumu
I test ASG 7 with authentication against W2003 AD server.

Joining the domain is ok.

When test the settings with user 'myname' I get
User authentication: Authentication test passed
User is a member of the following groups: Internet default access

In one filter assignment 'fa1' the group 'Internet default access' is used.

When I try to open an http connection with user 'myname' the filter assigment 'fa1' isn't used and the access is blocked.

When I extend 'fa1' with the user 'myname' additionally to the group 'Internet default access' ( where 'myname' is a member) and I try an http access again, user 'myname' has access.

Why doesn't it work when I use only the group in the filter assignment?

Peter


This thread was automatically locked due to age.
  • 0
    Peter, I'm confused.  I understand that it works if you have both 'myname' and the 'Internet default access' group.  Does it work either with just 'myname' alone or with 'Internet default access' alone?

    When you watch the Live Log, is 'myname' identifed as 'myname' or as an IP address?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Hi Bob,

    it works when I use 'Internet default access' group and user 'myname' or when I only use user 'myname'.
    It doesn't work when I use only the group 'Internet default access'.

    In the log I'm identified as 'myname'.

    Peter
  • 0 in reply to pelumu
    Peter, someone else here had the same problem - earlier this year, I think.  Try searching here - maybe on something like HTTP profile group.

    When you find the answer, please post it along with a link here.

    Thanks - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    The only thing I found:
    Don't use the group explorer for inserting AD groups.
    I did it, but thats not the solution on my machine.

    In the meantime I deleted all profiles and groups and started building it new, but that doesn't help too.

    Any other ideas?

    Thanks
    Peter
  • 0 in reply to pelumu
    You say V7 - exactly which version - V7.401?  If not, then don't bother with the following questions and just give us the version.

    What Base DN do you have set in AD Authentication?

    Try this experiment.  Put the same AD group into Prefetch.  [Open pre-fetch live log] and [Prefetch now].  Are the users in the desired group considered? 

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    It's V7.401.

    My base DM is: DC=ba,DC=lokal

    Your suggested experiment I have already done.
    In the prefetch live log I see that all users and groups are prefetched and that the user-group-assignment is correct.

    Regards
    Peter
  • 0 in reply to pelumu
    It sounds like you've covered this pretty well.  It must be a mistake that you can't see because you know it's not there...

    Please show a picture of the Edit of your 'Internet default access' Astaro group.  Also, a pic of the 'Proxy Profiles' tab of 'Web Security >> HTTP/S Profiles'.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to pelumu
    In the backend group definition, replace the group name with Internet-Standardzugriff only, eliminating all of the tags and the other AD qualifiers.  That was supposed to be fixed in 7.4, but I know it works with just the group name alone.

    MfG - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Solution:

    The AD-Useraccounts may not contain German 'Umlaute' in first and last name.

    Regards
    Peter