Once a user has authenticated to cOS Core, entries can be created in the IP rule set that require the user to be authenticated before the entry allows the connection.
Furthermore, it is possible to specify one of the following in an IP rule set entry:
The user has a specific username.
The user belongs to a specific user group.
The user need only be authenticated and the username or group are not relevant.
Configuring any of these options requires the following:
Create an IP address object which includes the IP address of the connecting user.
Set the authentication property for this IP address object so it requires a specific user or group or just that the user is authenticated.
Create an IP rule set entry that allows access to resources by clients and use the IP address object created above for the Source Network or Destination Network property of the entry. The source and destination are used in the following ways:
The Source Network property would typically be set to only allow access by authenticated clients to certain resources such as servers.
The Destination Network property would typically be set to only allow clients access to servers that have themselves authenticated. A server is authenticated by opening a single connection to cOS Core once and authenticating, just as a client would.
Example 9.7. Creating an IP Policy Requiring Authentication
This example shows how an IP policy is created that allows clients connecting through the If1 interface to have access to networks on the If2 interface only if they are members of a group called client_group.
Command-Line Interface
Create the IP4Address object that specifies the IP range of connecting clients with the authentication group client_group:
```
Device:/> add Address IP4Address client_net
          Address=192.168.10.10-192.168.10.255
          UserAuthGroups=client_group
```
Create the IP Policy object that grants access to the networks on the interface If2 using the address object created above as the source network:
```
Device:/> add IPPolicy Name=client_access_policy
          SourceInterface=If1
          SourceNetwork=client_net
          DestinationInterface=If2
          DestinationNetwork=all-nets
          Service=all_services
          Action=Allow
```
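The Destination Network variant from the procedure above, where the authenticated party is a server rather than the connecting clients, is not covered by Example 9.7. The CLI sequence below is an added illustration written for this page, not taken from the Clavister documentation; it reuses the `add Address IP4Address` and `add IPPolicy` forms shown in Example 9.7, and the object names `server_host` and `server_access_policy`, the group `server_group` and the address 192.168.20.5 are assumptions chosen for the illustration.

```text
# Assumed: the server on If2 has address 192.168.20.5 and authenticates
# to cOS Core with an account that is a member of server_group.
Device:/> add Address IP4Address server_host
          Address=192.168.20.5
          UserAuthGroups=server_group

# The authentication-bound object is used as the Destination Network.
# Source and service are left open here, as in Example 9.7; in a
# production rule set they would normally be narrowed.
Device:/> add IPPolicy Name=server_access_policy
          SourceInterface=If1
          SourceNetwork=all-nets
          DestinationInterface=If2
          DestinationNetwork=server_host
          Service=all_services
          Action=Allow
```

This entry only matches once a user belonging to server_group has authenticated to cOS Core from 192.168.20.5; until that single authentication has taken place, traffic from If1 to the server is not matched by this entry. Because server_host carries the authentication property, it can only be used as the Source Network or Destination Network of an IP rule set entry; if the same address is needed elsewhere in the configuration, a separate ordinary IP4Address object must be created for it.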
InControl
Follow similar steps to those used for the Web Interface below.
Web Interface
Create the IP4Address object that specifies the IP range of connecting clients with the authentication group client_group:
Create an IP Policy object that grants access to the networks on the interface If2 using the address object created above as the source network:
Note: Authentication address objects have only one use

IP address objects that are used for authentication with the authentication property set can only be used as the source network or destination network of an IP rule set entry. They cannot be used for other purposes. This will be reflected in the IP address lists presented by the Web Interface or InControl and the tab completion choices provided by the CLI.