Web Filtering not seeing AD Group Change

Hi

We have an SG210 running firmware 9.413-4.

I have Web Filtering enabled in Standard Mode using AD SSO; we use different AD groups to allow access to different categories.

I have changed a user from one group to another but they are not able to access websites that they should be able to (as a member of that group).

Using the Policy Tester I can see that the website is allowed and the user is in the group that I have just moved them to.

Looking in the Web Filter Live Log it is saying the user is blocked from the website because they are still a member of the old group.

Is this expected behaviour, and if so is there a work-around?

Many thanks

Paul



  • Hi Paul,

    There are several timeouts/caches to deal with if you change the group membership of the user.

    Did you use "Active Directory Group Membership Synchronization" in Authentication Services / Advanced Tab?

    Have you tried to flush the Authentication cache in Authentication Services / Global Tab?

    I'm not sure, but I think the AD SSO also caches IP to User/Group information for a short time.

    Last one is the sequence of the web filter policies in the web filter profile. If the user is still in the old group and the policy with the new group is below the old group, then the old policy is chosen.

     

    Good luck!

    CS

     

    Sophos Certified Architect (UTM + XG)

  • Thanks for the tips - flushed the cache and all is hunky dory