Question: STAS User Object without IP

Hi there,

I just activated STAS and get the following info in the log:

2016:02:17-17:24:17 firewall argos[23997]: [stas_event]: Received STAS package
2016:02:17-17:24:17 firewall argos[23997]: [stas_event]: Read 249 bytes from IP 1.1.1.1:49544
2016:02:17-17:24:17 firewall argos[23997]: [process_stas_request]: Processing STAS request TRANSPARENT_SSO_LOGON
2016:02:17-17:24:17 firewall argos[23997]: [handle_transparent_sso_request]: Received login sso request: username robert, ip_address 10.10.10.12, domain_name my domain

But the user object "robert" is still without an IP address, why? :)

Regards

Robert

  • Hi Robert,

    We use ipsets to store the IP address of a user. Here is an example:

    I authenticated a user and created a packet filter rule for a user:
    qa-320-c4:/root # iptables-save |grep 4_
    -A USR_FORWARD -m set --match-set 4_NetAaaAduseUserNetwo src -m logmark --logmark 1 -j LOGACCEPT

    There you can see the name of the ipset with the IP address:
    qa-320-c4:/root # ipset -L 4_NetAaaAduseUserNetwo
    Name: 4_NetAaaAduseUserNetwo
    Type: hash:ip
    Revision: 0
    Header: family inet hashsize 4 maxelem 65536
    Size in memory: 200
    References: 1
    Members:
    10.8.63.118

    The user / user network objects don't contain the IP addresses for performance reasons. It's the same as with the SAA.
    I hope this answer is helpful. :)

    /Daniel

    Windows has detected you do not have a keyboard. Press 'F9' to continue.

  • Hi Daniel,

    not completely... I had a packet filter rule 13 which allows the user Robert to access everything and a rule 14 which allows the IP 10.10.10.12 to access everything. As rule 13 is above 14, this rule should be triggered. But all I could see was rule 14 being triggered. Do you know why?

    Robert
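As an added example (not code from this thread, from the posters, or from Sophos), the POSIX shell script below turns Daniel's explanation into a check a practitioner can run: it parses `iptables-save` output for the ipset names behind `--match-set` user rules, parses an `ipset -L` listing for its members, and walks the `USR_FORWARD` rules in order to report which rule a given source IP would hit. The two sample outputs are constructed for this example (the rule and ipset names copy the shape Daniel quoted; the second `-s` rule and its logmark value are assumed). The sample deliberately puts a member in the ipset that differs from the IP STAS reported in the question, which is the situation in which a plain `-s` rule further down the chain is the first one to match.

```sh
#!/bin/sh
# Added example, not code from the thread or from Sophos: given the output of
# `iptables-save` and `ipset -L <set>` (formats as quoted in Daniel's reply),
# resolve which USR_FORWARD rule a given source IP would hit, so a user rule
# backed by an ipset can be checked against the IP that STAS reported.
# The two sample outputs below are constructed for this example.

SAMPLE_RULES='-A USR_FORWARD -m set --match-set 4_NetAaaAduseUserNetwo src -m logmark --logmark 1 -j LOGACCEPT
-A USR_FORWARD -s 10.10.10.12/32 -m logmark --logmark 2 -j LOGACCEPT'

SAMPLE_IPSET='Name: 4_NetAaaAduseUserNetwo
Type: hash:ip
Revision: 0
Header: family inet hashsize 4 maxelem 65536
Size in memory: 200
References: 1
Members:
10.8.63.118'

# Print every ipset name referenced via --match-set in the rules text.
match_sets() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "--match-set") print $(i + 1) }'
}

# Print the set name from an `ipset -L` listing.
set_name_of() {
    printf '%s\n' "$1" | awk '/^Name:/ { print $2; exit }'
}

# Print the member lines that follow "Members:" in an `ipset -L` listing.
ipset_members() {
    printf '%s\n' "$1" | awk 'found { print } /^Members:/ { found = 1 }'
}

# Exit 0 if the IP is an exact member of the listing, 1 otherwise.
ip_in_set() {
    ipset_members "$2" | grep -qxF "$1"
}

# Walk the rules in order and print the first one the source IP would match:
# a --match-set rule hits when the IP is in the referenced set (only the one
# listing passed in is known here); a plain -s rule hits on the address itself.
first_hit() {
    ip=$1; rules=$2; listing=$3
    while IFS= read -r rule; do
        case $rule in
            *"--match-set "*)
                if [ "$(match_sets "$rule")" = "$(set_name_of "$listing")" ] \
                   && ip_in_set "$ip" "$listing"; then
                    printf '%s\n' "$rule"; return 0
                fi ;;
            *"-s $ip/32 "*|*"-s $ip "*)
                printf '%s\n' "$rule"; return 0 ;;
        esac
    done <<EOF
$rules
EOF
    return 1
}

# Stand-alone run on the constructed samples: the STAS-reported IP from the
# question (10.10.10.12) is not in the set, so it falls through to the -s rule,
# while the set member hits the user rule.
for ip in 10.10.10.12 10.8.63.118; do
    printf '%s -> %s\n' "$ip" "$(first_hit "$ip" "$SAMPLE_RULES" "$SAMPLE_IPSET" || echo 'no rule')"
done
```

On a box with the real tools, the same functions take live output instead of the samples: `first_hit 10.10.10.12 "$(iptables-save | grep USR_FORWARD)" "$(ipset -L 4_NetAaaAduseUserNetwo)"`. The script resolves only the one ipset listing it is given, so a chain that references several user sets needs one listing per set; the point of the check is simply to confirm that the IP STAS logged for the user is the one sitting in the ipset the user rule matches on.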