Rule-based authentication logic

Rule-based authentication applies the following logic:

  1. The rules in filter.config are checked and applied. This action occurs first in every type of Content Gateway user authentication. If a filtering rule is matched, the rule is applied and user authentication processing stops. See Content Gateway filtering rules.
  2. If no filtering rule matches, user authentication rule matching is performed.
    1. The requestor’s IP address is checked, top-down, against the rule set.
    2. If the IP address matches a rule, the source port is checked.
    3. If the IP address matches a rule, the User-Agent value is checked.
    4. The first rule matched is applied. If no rule matches, no authentication is attempted.
  3. If a rule is matched, the specified authentication protocol is applied against the specified domain. All rule configuration details are applied.
  4. If the user is authenticated, the request proceeds or is denied per the assigned policy.
  5. The transaction is logged.
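
The matching order above, modelled as an added Python example that is not part of the product documentation: the rule fields (src_net, src_port, user_agent, protocol, domain), the filter-rule predicates and every address and name are constructed assumptions, since the actual filter.config and authentication rule syntax is not shown on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class AuthRule:
    name: str
    src_net: str                       # CIDR the requestor's IP must fall in (assumed field)
    src_port: Optional[int] = None     # None = any source port (assumed field)
    user_agent: Optional[str] = None   # substring of User-Agent, None = any (assumed field)
    protocol: str = "NTLM"             # applied against `domain` when the rule is selected
    domain: str = "corp.example"

def rule_matches(rule: AuthRule, ip: str, port: int, user_agent: str) -> bool:
    # Step 2.1: the IP is checked first; port (2.2) and User-Agent (2.3)
    # are only evaluated for a rule whose IP range matched.
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(rule.src_net):
        return False
    if rule.src_port is not None and rule.src_port != port:
        return False
    if rule.user_agent is not None and rule.user_agent not in user_agent:
        return False
    return True

def select_action(filter_rules, auth_rules, ip: str, port: int, user_agent: str):
    # Step 1: filter.config rules are checked first; a match ends auth processing.
    for name, predicate in filter_rules:
        if predicate(ip, port, user_agent):
            return ("filter", name)
    # Step 2: rules are walked top-down and the FIRST match wins.
    for rule in auth_rules:
        if rule_matches(rule, ip, port, user_agent):
            # Step 3 would now apply rule.protocol against rule.domain.
            return ("auth", rule.name)
    # Step 2.4: nothing matched, so no authentication is attempted.
    return ("none", None)

# Constructed sample rule sets (not real configuration).
FILTER_RULES = [("bypass-monitoring-host", lambda ip, port, ua: ip == "10.0.0.5")]
AUTH_RULES = [
    AuthRule("branch-mobile", "10.20.0.0/16", user_agent="iPhone", protocol="LDAP"),
    AuthRule("proxy-chain", "10.30.0.0/16", src_port=8080, protocol="Kerberos"),
    AuthRule("lan-default", "10.0.0.0/8"),   # broad catch-all, so it must come last
]

if __name__ == "__main__":
    print(select_action(FILTER_RULES, AUTH_RULES, "10.20.1.7", 51000, "Mozilla/5.0 (iPhone)"))
```

Reordering AUTH_RULES so the broad "lan-default" rule comes first makes the two specific rules unreachable, which is the kind of mistake the debug output described below helps to spot.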

To see how the logic is applied in a running environment, you can temporarily enable user authentication debug output. Among other details, the debug output shows the parsing of rules and matching. See Enabling and disabling user authentication debug output.