10.4. IP Policies Requiring Authentication

Once a user is authenticated to cOS Core, it is then possible to create entries in the IP rule set which require that a user is authenticated before the entry matches and allows the connection.

Furthermore, an IP rule set entry can specify a Source User Group, a Destination User Group, or both, so that the entry only matches connections where the relevant endpoint is an authenticated user in that group.

Configuring either of these options requires the following:

  1. Create a User Group object which lists the authentication group (defined in, for example, the Local User Database in cOS Core) that the connecting user must belong to.

  2. Create an IP rule set entry that allows access to resources by clients, and use the User Group object created above as the Source User Group or Destination User Group property of the entry. The two properties are used as follows:

    • The Source User Group property is typically used to restrict access to certain resources, such as servers, to authenticated clients only. The entry matches only if a user who belongs to the group is currently authenticated from the source address; connections from unauthenticated hosts fall through to later entries.

    • The Destination User Group property is typically used to restrict client access to authenticated servers only. The entry matches only if the destination address belongs to a logged-in user in the group and lies within the defined Destination Network.
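The following Python model, added here as an illustration and not part of cOS Core or its documentation, shows how the two properties change whether an entry matches. The authentication table (which in cOS Core is populated by the authentication agent), the networks, the policy names and the assumption that the CLI property for the destination side is named DestinationUserGroup are all constructed for the example; the ordering is first-match, and a connection matching no entry is dropped, as in the real rule set.

```python
"""Model of how a cOS Core IP policy with a Source/Destination User Group
constraint is matched. Added illustration, not cOS Core code: the auth table,
networks, policy names and the DestinationUserGroup property name are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set

# Constructed "logged-in users" table: IP address -> auth groups of the user
# currently authenticated from that address (hard-coded for the example).
AUTH_TABLE: Dict[str, Set[str]] = {
    "192.168.1.10": {"users"},   # an authenticated member of 'users'
    "192.168.1.12": {"guests"},  # authenticated, but not a member of 'users'
    "10.0.0.5": {"servers"},     # a server that has itself logged in
}

# Constructed address book: network object name -> address range.
NETWORKS = {
    "LAN_net": ip_network("192.168.1.0/24"),
    "DMZ_net": ip_network("10.0.0.0/24"),
    "all-nets": ip_network("0.0.0.0/0"),
}

# UserGroup objects: object name -> auth groups it lists (cf. Members=users).
USER_GROUPS: Dict[str, Set[str]] = {
    "MyGroup": {"users"},
    "ServerGroup": {"servers"},  # assumed name, not from the page
}


@dataclass(frozen=True)
class IPPolicy:
    name: str
    action: str
    source_interface: str
    source_network: str
    destination_interface: str
    destination_network: str
    source_user_group: Optional[str] = None       # SourceUserGroup property
    destination_user_group: Optional[str] = None  # assumed DestinationUserGroup property


def in_user_group(ip: str, group_object: str) -> bool:
    """True only if a user is authenticated from `ip` and belongs to at least
    one of the auth groups listed in the UserGroup object."""
    return bool(AUTH_TABLE.get(ip, set()) & USER_GROUPS[group_object])


def matches(p: IPPolicy, src_if: str, src_ip: str, dst_if: str, dst_ip: str) -> bool:
    """Interface and network filters first, then the user-group constraints."""
    if p.source_interface != src_if or p.destination_interface != dst_if:
        return False
    if ip_address(src_ip) not in NETWORKS[p.source_network]:
        return False
    if ip_address(dst_ip) not in NETWORKS[p.destination_network]:
        return False
    if p.source_user_group and not in_user_group(src_ip, p.source_user_group):
        return False
    if p.destination_user_group and not in_user_group(dst_ip, p.destination_user_group):
        return False
    return True


# Constructed rule set: the page's client_access_policy plus a destination-side
# counterpart that only lets LAN clients reach DMZ servers that are logged in.
POLICIES = [
    IPPolicy("client_access_policy", "Allow", "LAN", "LAN_net", "WAN", "all-nets",
             source_user_group="MyGroup"),
    IPPolicy("server_access_policy", "Allow", "LAN", "LAN_net", "DMZ", "DMZ_net",
             destination_user_group="ServerGroup"),
]


def decide(src_if: str, src_ip: str, dst_if: str, dst_ip: str) -> str:
    """First-match evaluation; a connection matching no entry is dropped."""
    for p in POLICIES:
        if matches(p, src_if, src_ip, dst_if, dst_ip):
            return f"{p.action}:{p.name}"
    return "Drop:default"


if __name__ == "__main__":
    for src, dst_if, dst in [("192.168.1.10", "WAN", "203.0.113.5"),
                             ("192.168.1.11", "WAN", "203.0.113.5"),
                             ("192.168.1.12", "WAN", "203.0.113.5"),
                             ("192.168.1.11", "DMZ", "10.0.0.5"),
                             ("192.168.1.11", "DMZ", "10.0.0.6")]:
        print(f"LAN {src} -> {dst_if} {dst}: {decide('LAN', src, dst_if, dst)}")
```

The unauthenticated host 192.168.1.11 is dropped when heading for the WAN even though it sits inside LAN_net, which is the point of the constraint; it also means such a host needs some other entry through which it can reach the authentication mechanism in the first place.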

Example 10.7. Creating an IP Policy Requiring Authentication

This example shows how an IP policy is created that allows clients connecting through the LAN interface unrestricted access to networks on the WAN interface, but only if they are authenticated as members of a group called users. Connections from hosts that are not authenticated, or whose user is not in that group, do not match the policy.

It is assumed that a user database already exists that contains users belonging to the group "users", and that clients have some other way to reach the authentication mechanism, since an unauthenticated client cannot match this policy in order to log in.

Command-Line Interface

Create the User Group object that specifies the user group connecting clients must belong to in order to match the policy:

Device:/> add UserGroup MyGroup
        Members=users

Create the IP Policy object that grants access to the network on the interface LAN called LAN_net as the source network:

Device:/> add IPPolicy Name=client_access_policy
        Action=Allow
        SourceInterface=LAN
        SourceNetwork=LAN_net
        DestinationInterface=WAN
        DestinationNetwork=all-nets
        Service=all_services
        SourceUserGroup=MyGroup

InControl

Follow similar steps to those used for the Web Interface below.

Web Interface

Create a User Group object:

  1. Go to: Objects > General > User Group > Add > User Group
  2. Now enter:
    • Name: MyGroup
    • User Auth Groups: users
  3. Click OK

Create an IP Policy object that grants access to the networks on the interface WAN, using the User Group object created above as the Source User Group:

  1. Go to: Policies > Firewalling > Main IP Rules > Add > IP Policy
  2. Now enter:
    • Name: client_access_policy
    • Action: Allow
  3. Under Filter enter:
    • Source Interface: LAN
    • Source Network: LAN_net
    • Destination Interface: WAN
    • Destination Network: all-nets
    • Service: all_services
  4. Under Advanced Filter enter:
    • Source User Group: MyGroup
  5. Click OK