This discussion has been locked.

Statically 'map' an IP Address to an AD SSO User

Is there any way I can statically map an IP Address (or preferably a range of IP Addresses) to a particular Active Directory user for web filtering?
Current setup:

On one Interface, I have Standard mode proxy with several different access profiles set up for different groups of AD Users.  This works very nicely (and transparently) for users logged onto a domain joined machine.

There are a few devices, which I want to be subject to the same profiles, but aren't joined to the active directory domain (smartphones, tablets, a server running a Java based app which doesn't seem to support proxy authentication).

Is it possible to configure the UTM so that all connections from a particular IP Address (e.g. a smartphone's DHCP reservation) are assumed to be a particular user account, and have web filters apply accordingly?

At present, I have set up an additional interface on the UTM for the Server running a Java app using transparent proxy, and I'm in the process of doing this for the devices which can't authenticate against AD.  However, there are different rules for different devices, and I'd rather not have to make a new Interface for each different policy.
Many thanks



  • Hey Gary.

    Not that I'm aware. You could use the "Browser" authentication method on this additional interface though. That way users would be redirected to an authentication portal and would need to provide their credentials before being able to browse the internet, so they would get their user-based policy. The bad side of this approach is that users would need to authenticate every time they close their browser or their session times out. The plus side is that you can reuse your current policies.

    You could stick with IPs and create different profiles for different IPs or groups of IPs. The plus side is that users would not need to authenticate constantly. The bad side is that every new device would require a DHCP reservation and a new profile, or would need to be added to an existing profile. It's doable, but it's high maintenance.

    Regards,

    Giovani

  • Hi Giovani,
    I've done a quick test with the Browser authentication, which seems to work OK with a browser.  I imagine that to allow apps to work, the user would need to open a browser and authenticate first.  Do you have any idea how long a session would need to be idle for before timing out?
    I'm looking at a small number of devices, so DHCP reservations is fairly manageable.  Unfortunately, the 'Allowed networks' section of the Web Filter Profile doesn't seem to take IP Ranges.  Is there a way around this without having to add each individual device's IP into the Allowed networks list?

  • How are you currently assigning IP addresses to these devices, Gary?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    How are you currently assigning IP addresses to these devices, Gary?

    The IPs are allocated via a DHCP Server, with static reservations in place.

  • "Reservations" means you're not using the UTM's DHCP server capability to assign IPs.  Assuming your LAN is 172.16.0.0/24, I would put all of the reservations into something like 172.16.0.16/28 along with placeholders for future additions so that your DHCP server doesn't assign anything in that range to other devices.

    Cheers - Bob
  • BAlfson said:

    "Reservations" means you're not using the UTM's DHCP server capability to assign IPs.  Assuming your LAN is 172.16.0.0/24, I would put all of the reservations into something like 172.16.0.16/28 along with placeholders for future additions so that your DHCP server doesn't assign anything in that range to other devices.

    If I follow you correctly, I think I came up with the same solution accidentally when I was trying to manually define an object for one of the devices earlier today.  I'd left the Type set as 'Network', rather than 'Host', which brought up an error.  The subnet these devices will sit in is /24, but I've defined part of it on the UTM as a /27.  I haven't been able to test this yet, but I wasn't sure if the UTM would detect that I was trying to 'cheat' since the request actually comes from a /24 subnet.  I'll have to test and let you know.

    If this works, then I'll define a new 'Network' in UTM for each different policy I need to match devices up to.

    Of course, this will give me the results I need from a user perspective.  Unfortunately, it won't match up the traffic with the user account for reports, but I don't think there's much I can do about that.
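The following is an added example, not code from the thread or from Sophos, that automates the bookkeeping Bob and Gary describe above: grouping DHCP reservations into a small block such as 172.16.0.16/28 per web filter profile, listing the placeholder addresses that must also be reserved so the DHCP server never hands them to another device, and checking that the per-profile Network objects do not overlap and sit inside the LAN. The profile names and reservation addresses are constructed for illustration; only Python's standard `ipaddress` module is used.

```python
import ipaddress

# Constructed sample data (hypothetical): the LAN from the thread's example and a few
# DHCP reservations grouped by the web filter profile each device should receive.
LAN = ipaddress.ip_network("172.16.0.0/24")
RESERVATIONS = {
    "tablets-profile": ["172.16.0.17", "172.16.0.18", "172.16.0.19"],
    "phones-profile": ["172.16.0.33", "172.16.0.34"],
    "java-server-profile": ["172.16.0.50"],
}


def covering_network(addresses):
    """Return the smallest CIDR block that contains every address in the list."""
    hosts = sorted(ipaddress.ip_address(a) for a in addresses)
    lo, hi = hosts[0], hosts[-1]
    # Widen the prefix one bit at a time from /32 until the highest address fits.
    for prefix in range(lo.max_prefixlen, -1, -1):
        net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
        if hi in net:
            return net
    raise ValueError("no covering network")  # unreachable: /0 contains everything


def plan_policy_networks(reservations, lan):
    """Map each profile to a Network object plus the placeholder addresses to reserve.

    Placeholders are the addresses inside the block not yet assigned to a device; they
    must be reserved on the DHCP server so no unrelated device lands inside the block
    and silently inherits that profile's policy.
    Raises ValueError if a block falls outside the LAN or two blocks overlap.
    """
    plan = {}
    for profile, addrs in reservations.items():
        net = covering_network(addrs)
        if not net.subnet_of(lan):
            raise ValueError(f"{profile}: {net} is not inside {lan}")
        assigned = {ipaddress.ip_address(a) for a in addrs}
        placeholders = [str(ip) for ip in net if ip not in assigned]
        plan[profile] = (net, placeholders)
    # Overlapping blocks would make the profile match depend on ordering in WebAdmin.
    names = list(plan)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if plan[a][0].overlaps(plan[b][0]):
                raise ValueError(f"{a} ({plan[a][0]}) overlaps {b} ({plan[b][0]})")
    return plan


def profile_for(ip, plan):
    """Return the profile whose Network object contains ip, or None if no block matches."""
    addr = ipaddress.ip_address(ip)
    for profile, (net, _) in plan.items():
        if addr in net:
            return profile
    return None


if __name__ == "__main__":
    plan = plan_policy_networks(RESERVATIONS, LAN)
    for profile, (net, placeholders) in plan.items():
        print(f"{profile}: allowed network {net}; reserve placeholders {placeholders}")
    print("172.16.0.34 ->", profile_for("172.16.0.34", plan))
```

Each block the script produces is what goes into the profile's 'Allowed networks' as a Network object of the matching prefix length; the placeholder list is what still needs a reservation on the DHCP server so the block stays exclusive to that policy.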

  • In order to do that, you will only need to define a Host in WebAdmin for each device, Gary.

    Cheers - Bob