SSL Forward Proxy - access based on group membership in AD/LDAP


I would like to extract group memberships from AD, and based on a more or less dynamic policy allow/deny users access based on their group membership.

I have the following configured:

add authentication ldapAction windows -serverIP 172.16.1.149 -ldapBase "CN=Users,DC=inttest,DC=conecto,DC=dk" -ldapBindDn nsldap@inttest.conecto.dk -ldapLoginName networkAddress -groupAttrName memberOf -authentication DISABLED -requireUser NO -Attribute1 sAMAccountName

My SWG is in transparent mode:

add cs vserver swgVS PROXY * * -cltTimeout 180 -Listenpolicy "(CLIENT.IP.SRC.EQ(172.16.1.149) && (CLIENT.TCP.DSTPORT.EQ(80)||CLIENT.TCP.DSTPORT.EQ(443)))" -authn401 ON -authnVsName aaavs_local -netProfile netprofile_172.16.1.198 -persistenceType NONE

add authentication Policy auth_ldap -rule true -action windows

bind authentication vserver aaavs_local -policy auth_ldap -priority 100 -gotoPriorityExpression NEXT

To control the traffic I have the following:

Logging:

add audit messageaction mstact_log_allow INFORMATIONAL "\"ALLOWED - User: \" + AAA.USER.NAME + \" Groups: \" + AAA.USER.GROUPS.TO_LOWER.AFTER_STR(\"proxy_\").BEFORE_STR(\",\") + \" tries to access: \" + HTTP.REQ.HOSTNAME.TO_LOWER"

add audit messageaction mstact_log INFORMATIONAL "\"DENIED - User: \" + AAA.USER.NAME + \" Groups: \" + AAA.USER.GROUPS.TO_LOWER.AFTER_STR(\"proxy_\").BEFORE_STR(\",\") + \" tries to access: \" + HTTP.REQ.HOSTNAME.TO_LOWER"

Responder:

add responder policy rspol_noop true DROP -logAction mstact_log

add responder policy rwpol_allow_group "HTTP.REQ.HOSTNAME.TO_LOWER.CONTAINS(AAA.USER.GROUPS.TO_LOWER.AFTER_STR(\"proxy_\").BEFORE_STR(\",\"))" NOOP -logAction mstact_log_allow

bind cs vserver swgVS -policyName rwpol_allow_group -priority 90 -gotoPriorityExpression END -type REQUEST

bind cs vserver swgVS -policyName rspol_noop -priority 100 -gotoPriorityExpression END -type REQUEST

Authorization:

add authorization policy auth_allow "HTTP.REQ.HOSTNAME.TO_LOWER.CONTAINS(AAA.USER.GROUPS.TO_LOWER.AFTER_STR(\"proxy_\").BEFORE_STR(\",\"))" ALLOW

add authorization policy auth_deny true ALLOW

bind cs vserver swgVS -policyName auth_allow -priority 100 -gotoPriorityExpression END -type REQUEST

bind cs vserver swgVS -policyName auth_deny -priority 1000 -gotoPriorityExpression END -type REQUEST

I would prefer Responder/Rewrite policies, as they give me a logging option (actually I don't see authorization policies as an option when they cannot provide additional logs).

There is no clear pattern in what works and what does not. Has someone done something similar with success? What am I blind to? (I have not worked that intensively with SSL Forward Proxy.)
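The policy expression in the post, AAA.USER.GROUPS.TO_LOWER.AFTER_STR("proxy_").BEFORE_STR(","), extracts a single fragment from the comma-separated group list and then checks whether the requested hostname merely contains it. The following Python model, added here as an editorial example (it is not the poster's configuration and not NetScaler code), re-implements those string operators so the decision can be tabulated for several constructed group lists and hostnames. The sample users, the group list contents, the example.com hostnames and the GROUP_HOSTS allow-list are all constructed; the model also assumes that an AFTER_STR/BEFORE_STR with no match yields "no match" (fail closed), which must be verified on the appliance, because if the real operator instead yields an empty string, CONTAINS("") is true for every hostname and the allow policy would fail open.

```python
from typing import List, Optional

# Constructed sample identities: the comma-separated group list that
# AAA.USER.GROUPS would carry after the memberOf lookup (constructed values,
# not from a real directory).
SAMPLE_USERS = {
    "alice": "Domain Users,proxy_intranet,proxy_wiki",
    "bob":   "Domain Users,proxy_wiki",
    "carol": "Domain Users",
}

# Hypothetical allow-list for the stricter check: the exact hostnames each
# proxy_<suffix> group is meant to grant (constructed, not from the post).
GROUP_HOSTS = {
    "intranet": {"intranet.example.com"},
    "wiki": {"wiki.example.com"},
}


def after_str(s: Optional[str], marker: str) -> Optional[str]:
    """Model of AFTER_STR: text after the first occurrence of marker.
    Modelling assumption: no occurrence yields None (treated as no match)."""
    if s is None:
        return None
    i = s.find(marker)
    return None if i < 0 else s[i + len(marker):]


def before_str(s: Optional[str], marker: str) -> Optional[str]:
    """Model of BEFORE_STR: text before the first occurrence of marker.
    Same no-match assumption as after_str."""
    if s is None:
        return None
    i = s.find(marker)
    return None if i < 0 else s[:i]


def extract_first_proxy_group(groups: str) -> Optional[str]:
    """AAA.USER.GROUPS.TO_LOWER.AFTER_STR("proxy_").BEFORE_STR(",") as posted:
    only the FIRST proxy_ group is seen, and only if a comma follows it."""
    return before_str(after_str(groups.lower(), "proxy_"), ",")


def posted_policy_allows(groups: str, hostname: str) -> bool:
    """rwpol_allow_group as posted: hostname CONTAINS the extracted fragment.
    A request that does not match falls through to rspol_noop, i.e. DROP."""
    fragment = extract_first_proxy_group(groups)
    if fragment is None:
        return False
    return fragment in hostname.lower()


def all_proxy_groups(groups: str) -> List[str]:
    """Every proxy_<suffix> group in the list, not just the first one."""
    return [g.strip()[len("proxy_"):]
            for g in groups.lower().split(",")
            if g.strip().startswith("proxy_")]


def strict_policy_allows(groups: str, hostname: str) -> bool:
    """Stricter check: any proxy_ group may grant the request, and only for
    a hostname listed exactly for that group (no substring matching)."""
    host = hostname.lower()
    return any(host in GROUP_HOSTS.get(suffix, set())
               for suffix in all_proxy_groups(groups))


if __name__ == "__main__":
    hosts = ["intranet.example.com", "wiki.example.com",
             "evil-intranet.example.com"]
    for user, groups in SAMPLE_USERS.items():
        print(f"{user}: first proxy_ fragment = {extract_first_proxy_group(groups)!r}")
        for host in hosts:
            print(f"  {host:28} posted={posted_policy_allows(groups, host)!s:5} "
                  f"strict={strict_policy_allows(groups, host)}")
```

Running the table shows three things the one-line expression hides: alice is in proxy_wiki but is dropped on wiki.example.com because only her first proxy_ group is extracted; bob, whose only proxy_ group is the last entry and therefore has no trailing comma, never gets a fragment at all under the fail-closed assumption; and alice is allowed to evil-intranet.example.com because CONTAINS is a substring match. The strict variant iterates every group and compares the hostname exactly, which is the check a defender would want before relying on the log lines for audit.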
