Creating an authentication rule

Before you create an authentication rule you must:

  • Enable Rule-Based Authentication on Configure > My Proxy > Basic > General.
  • Configure Global authentication options
  • Create a Rule-based authentication Domain list

You must also know:

  • The name of the domain(s) to be specified in the rule. This is the unique name that was specified when the domain was added to the Domains list.
  • How to match users. By:
    • IP address – individual addresses or address ranges can be specified
    • Inbound proxy port (explicit proxy only)
    • User-Agent values
    • A combination of the above

To create a rule:

Note:

In the Rule editor, after entering all specifiers, click Add before clicking Apply. If Apply is clicked first, or the edit window is closed, all entry fields are cleared.

The size of a rule cannot exceed 2048 characters.

Steps

  1. Go to Configure > Security > Access Control and review and adjust the Global Authentication Options and Domains list.
  2. If AD domains are used with IWA, go to Monitor > Security > Integrated Windows Authentication and confirm that the IWA domains are joined and that connections are established.
  3. Go to Configure > Security > Access Control > Authentication Rules. A list of existing authentication rules is displayed at the top of the page.
  4. Click Edit File to open the rule editor.
  5. If some rules have already been defined, note the order of the rules in the list at the top of the page.
    Important: Rule order matters. The rule match traversal is performed top-to-bottom. Only the first match is applied.
  6. Select Enabled next to Status if you want the rule to be active after the rule is added and Content Gateway is restarted.
  7. Enter a unique Rule Name (required). A short, descriptive name will help you recognize the rule and its purpose. It is recommended that the name not exceed 50 characters.
  8. If the rule applies to specific IP addresses, in the Source IP field, enter a comma- separated list of individual IP addresses and/or IP address ranges. Do not use spaces. For example:

    10.4.1.1,10.12.1.1-10.12.254.254

    The list can contain up to:

    • 64 IPv4 addresses
    • 32 IPv4 address ranges
    • 24 IPv6 addresses
    • 12 IPv6 address ranges

    Source IP address ranges can overlap. Overlapping ranges may be useful as a quick way of identifying sub-groups in a large pool. In overlapping ranges, the first match is used.

    If this field is empty (undefined), all IP addresses match.

  9. If the rule applies to inbound traffic on a specific port, select the Proxy Port from the drop down list. This option is valid with explicit proxy only.

    Inbound ports are specified on the Configure > My Proxy > Protocols > HTTP > General page in the Secondary HTTP Proxy Server Ports field. Client applications must be configured to send requests to the desired port.

    If undefined, all ports match. Transparent proxy deployments should leave the field undefined.

  10. To apply the rule to specific User-Agent values, enter POSIX-compliant regular expressions (regex) to match the desired values. To specify a common browser type, select a Predefined regex from the drop down list and click Include.

    If undefined, all User-Agents match.

    You can edit the field directly.

    Use the “|” character (logical ‘or’) to separate regexes. The “^” regex operator is not supported.

    The regex is validated when the rule is committed to the configuration file, which happens after clicking Add or Set and then Apply. If the regex is not valid, the rule is deleted and must be recreated with a valid regex.

    For an extended description and examples, see Authentication based on User-Agent.

  11. Click Enabled next to Client Certificate to enable client certificate authentication. Click Disabled to disable the feature.
    1. In the drop-down box next to Enabled, select a Client Certificate Authentication profile. See Client certificate authentication profiles.

      Only one profile is allowed.

    2. Check the box next to Use the next selected authentication method if Client Certificate authentication fails to use one of the other authentication methods if certificate authentication fails for a user.

      If this option is not selected, no further authentication is attempted for users who fail certificate authentication.

      If the fallback option is enabled,

      • The Domain Sequence list cannot be empty.
      • Enable HTTP Authentication Page for Captive Portal is not supported and the option is disabled when the fallback option is selected.
  12. Specify the domain(s) to authenticate against.
    1. From the Domains drop down list, select the applicable domain and click Include. Only domains that have been added to the Domains list are available (Configure > Security > Access Control > Domains).
    2. If an ordered list of domains will be used, select each domain one at a time and click Include. Then select domains in the list and use the up and down arrows to achieve the desired order.
      Important: The Fail Open/fail closed setting is applied after every domain in the list is tried.
  13. Next to Captive Portal, click:
    • Enabled for HTTPS Authentication page to redirect users to a customizable web portal page for authentication.

      When this selection is enabled, the page will display using HTTPS.

      When HTTPS is used, a server certification is generated based on the internal root CA. To use this feature, you must import the internal root CA to ensure there is no certificate error. See Importing your Root CA for details.

    • Enabled for HTTP Authentication page to redirect users to a customizable web portal page for authentication.

      With this selection, the page is displayed using the HTTP protocol.

      Note that if client certificate authentication is enabled with Use the next selected authentication method if Client Certificate authentication fails option selected, this option is disabled.

    This option is disabled if an IWA domain is included in the domains list.

    If this option is enabled and an IWA domain is added to the domains list, an error message will display.

    Note that when Content Gateway receives an unauthenticated POST request from a user who matches a Captive Portal rule, it redirects the user to the web portal authentication page and does not record the POST data. After successful authentication, the original POST data must be input again.

    See Authentication using Captive Portal for additional details.

  14. Click Add to add the rule.
  15. At the top of the page, check and adjust the position of the rule in the rule list. The first rule matched is applied.
  16. Click Apply and then restart Content Gateway to put the rule into effect.
    Warning: If a rule has invalid values, a warning message displays that identifies the invalid rule. The rule in not written to the file.