This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Statically 'map' an IP Address to an AD SSO User

Is there any way I can statically map an IP Address (or preferably a range of IP Addresses) to a particular Active Directory user for web filtering?

 

Current setup:

On one Interface, I have Standard mode proxy with several different access profiles set up for different groups of AD Users.  This works very nicely (and transparently) for users logged onto a domain joined machine.

There are a few devices, which I want to be subject to the same profiles, but aren't joined to the active directory domain (smartphones, tablets, a server running a Java based app which doesn't seem to support proxy authentication).

Is is possible to configure the UTM so that all connections from a particular IP Address (e.g. a smartphone's DHCP reservation) are assumed to be a particular user account, and have web filters apply accordingly?

At present, I have set up an additional interface on the UTM for the Server running a Java app using transparent proxy, and I'm in the process of doing this for the devices which can't authenticate against AD.  However, there are different rules for different devices, and I'd rather not have to make a new Interface for each different policy.

 

Many thanks



This thread was automatically locked due to age.
Parents
  • Hey Gary.

    Not that I'm aware. You could use "Browser" authentication method on this additional interface though. That way users would be redirected to a authentication portal and would need to provide theirs credentials before being able to browse the internet, that way they would get their user based policy. The bad side of this approach is that users would require to authenticate every time they close their browser or their sessions times out. The plus side is that you can reuse your current policies.

     

    You could stick with IPs and create different profiles for different IPs or groups of IPs. The plus side is that users would not need to authenticate constantly. The bad side is that every new device would require a DHCP reservation and a new profile or to be added to a existing profile. It's doable, but it's high maintenance. 

    Regards,

    Giovani

  • Hi Giovani,

     

    I've done a quick test with the Browser authentication, which seems to work OK with a browser.  I imagine that to allow apps to work, the user would need to open a browser and authenticate first.  Do you have any idea how long a session would need to be idle for before timing out?

     

    I'm looking at a small number of devices, so DHCP reservations is fairly manageable.  Unfortunately, the 'Allowed networks' section of the Web Filter Profile doesn't seem to take IP Ranges.  Is there a way around this without having to add each individual device's IP into the Allowed networks list?

  • How are you currently assigning IP addresses to these devices, Gary?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    How are you currently assigning IP addresses to these devices, Gary?

     

    The IP's are allocated via a DHCP Server, with static reservations in place.

  • "Reservations" means you're not using the UTM's DHCP server capability to assign IPs.  Assuming your LAN is 172.16.0.0/24, I would put all of the reservations into something like 172.16.0.16/28 along with placeholders for future additions so that your DHCP server doesn't assign anything in that range to other devices.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    "Reservations" means you're not using the UTM's DHCP server capability to assign IPs.  Assuming your LAN is 172.16.0.0/24, I would put all of the reservations into something like 172.16.0.16/28 along with placeholders for future additions so that your DHCP server doesn't assign anything in that range to other devices.

    If I follow you correctly, I think I came up with the same solution accidentally when I was trying to manually define an object for one of the devices earlier today.  I'd left the Type set as 'Network', rather than 'Host', which brought up an error.  The subnet these devices will sit in is /24, but I've defined part of it on the UTM as a /27.  I haven't been able to test this yet, but I wasn't sure if the UTM would detect that I was trying to 'cheat' since the request actually comes from a /24 subnet.  I'll have to test and let you know.

    If this works, then I'll define a new 'Network' in UTM for each different policy I need to match devices up to.

    Of course, this will give me the results I need from a user perspective.  Unfortunately, it won't match up the traffic with the user account for reports, but I don't think there's much I can do about that.

  • In order to do that, you will only need to define a Host in WebAdmin for each device, Gary.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • In order to do that, you will only need to define a Host in WebAdmin for each device, Gary.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data