Configure > Security > Access Control > Authentication Rules
The Authentication Rules tab appears in the Access Control list only if you have enabled Rule-Based Authentication in the Features table on the tab.
Use this tab to create and maintain authentication rules. Use the Domains tab to build and maintain a list of domains that can be used in authentication rules. You must configure the Domains list before you define authentication rules.
Be sure to set the Global authentication options.
| Authentication Rules | |
| --- | --- |
| Authentication Rule List | Displays a table of the ordered list of rules defined for user authentication. Rules are defined for sets of clients to be authenticated against one or more IWA, LDAP and NTLM domains. See Rule-Based Authentication. |
| Refresh | Updates the table to display the current rules in the auth_rules.config file. |
| Edit File | Opens the authentication rule editor. Warning: Do not edit rules directly in the configuration file. |
| auth_rules.config Configuration File Editor | |
| --- | --- |
| rule display box | Lists, in order, the current rule set. When user authentication is performed, the list is traversed top-down and the first match is applied. Select a rule to edit it. The arrows to the left of the box move the selected rule up or down in the list. The “X” button deletes the selected rule. A rule cannot exceed 2048 characters. |
| Add | Adds a new rule. |
| Set | Updates the selected rule with the current values. |
| Status | Specifies whether the rule is enabled (active) or disabled after the rule is saved and Content Gateway is restarted. You can create a rule and leave it disabled until other elements of your network are ready to support it. |
| Rule Name | Specifies a unique, descriptive name for the rule. It is recommended that the name not exceed 50 characters. |
| Source IP | Specifies IP addresses or IP address ranges for this rule (must be entered without any spaces). Example: 10.1.1.1 or 0.0.0.0-255.255.255.255 or 10.1.1.1,20.2.2.2,3.0.0.0-3.255.255.255. The comma-separated list can contain up to: |
| Proxy Port | Specifies the inbound port for traffic when Content Gateway is deployed as an explicit proxy. If undefined, all ports match, as configured on . Transparent proxy deployments should leave this field undefined. |
| User-Agent | Specifies one or more regular expressions used to match text in the User-Agent string, for example to match common browsers. Regexes must be POSIX-compliant. The “^” operator is not supported. When the field is empty, all User-Agent values match. You can edit the field directly. To insert a predefined regex for a common browser, select it from the drop-down list and click Add. Multiple regexes can be specified; use the “\|” character to separate entries (logical ‘or’). For more information, including regex examples, see Authentication based on User-Agent. |
| Client Certificate | Click Enabled to enable client certificate authentication. Select Use the next selected authentication method if Client Certificate authentication fails to fall back to one of the other authentication methods when certificate authentication fails for a user. See Client certificate authentication for details. |
| Auth Sequence | Specifies one or more domains to use for authentication. Select a domain from the Domains drop-down list (populated from the Domains List) and click Include to add it to the list. If you add more than one domain, you can set the order by selecting an entry and using the up and down arrows. You can delete a selected domain with the “X” button. Best practice: If you know what domain a set of users belongs to, create a rule just for that group. Best practice: Place the rule with the largest number of users authenticating with known domain membership at the top of the list; these are the fastest authentications. Best practice: If you don’t know what domain a set of users belongs to, specify the fewest number of domains needed to authenticate the users in the set. Best practice: It is always better to create targeted rules, because attempting to authenticate against a large set of domains can introduce noticeable latency. When user authentication is rule-based with a domain list: For Fail Open: |
| Captive Portal | Click Enabled to redirect users to a customizable HTTPS/HTTP authentication web portal page. See Authentication using Captive Portal for details. |
| Apply | Applies the configuration changes. Important: If the rule specifies a regex for User-Agent, the regex is validated when Apply is clicked. If the regex is not valid, the rule is deleted and must be recreated. |
| Close | Exits the configuration file editor. Click Apply before you click Close; otherwise, all configuration changes will be lost. |
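The rule display box, Source IP, Proxy Port and User-Agent entries above describe how a request is matched against the ordered rule list. The following Python is an added illustration of that matching logic, not Content Gateway's own code: it parses the Source IP field format shown above (comma-separated addresses and dash ranges, no spaces) and walks a constructed rule list top-down, returning the first match. Python's re module stands in for the product's POSIX regex engine, and skipping disabled rules and returning None when nothing matches are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

def parse_source_ip(spec: str) -> list:
    """Parse a Source IP field (IPv4 addresses / dash ranges, comma-separated, no spaces)."""
    if " " in spec:
        raise ValueError("Source IP must be entered without any spaces")
    entries = []
    for item in spec.split(","):
        lo, _, hi = item.partition("-")          # single address: hi is empty
        lo_addr = ipaddress.IPv4Address(lo)
        hi_addr = ipaddress.IPv4Address(hi) if hi else lo_addr
        if lo_addr > hi_addr:
            raise ValueError(f"range start is after range end: {item}")
        entries.append((int(lo_addr), int(hi_addr)))
    return entries

def ip_matches(entries: list, client_ip: str) -> bool:
    n = int(ipaddress.IPv4Address(client_ip))
    return any(lo <= n <= hi for lo, hi in entries)

@dataclass
class AuthRule:
    name: str
    source_ip: str
    auth_sequence: list                 # ordered domain names to authenticate against
    enabled: bool = True
    proxy_port: "int | None" = None     # None: all inbound ports match
    user_agent: str = ""                # '|'-separated regexes; empty: every User-Agent matches

def first_matching_rule(rules: list, client_ip: str, port: int, ua: str):
    """Top-down traversal; the first enabled rule whose populated fields all match wins."""
    for rule in rules:
        if not rule.enabled:                        # skipping disabled rules is assumed here
            continue
        if not ip_matches(parse_source_ip(rule.source_ip), client_ip):
            continue
        if rule.proxy_port is not None and rule.proxy_port != port:
            continue
        if rule.user_agent and not re.search(rule.user_agent, ua):
            continue
        return rule
    return None                                     # no match: behaviour not described on the page
# Constructed sample rule set (not from the product): a targeted rule first, a broad catch-all last.
RULES = [
    AuthRule("finance-iwa", "10.1.1.0-10.1.1.255", ["CORP"], proxy_port=8080),
    AuthRule("old-lab", "10.9.0.0-10.9.255.255", ["LAB"], enabled=False),
    AuthRule("everyone", "0.0.0.0-255.255.255.255", ["CORP", "PARTNER"], user_agent="Firefox|Chrome"),
]
```

Ordering the constructed list this way follows the best practices above: the targeted rule for a known group sits first, and the multi-domain catch-all only handles what the earlier rules did not.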