
Policies requiring authentication – Amer Networks E5Web GUI User Manual

Page 548


8.5. Policies Requiring Authentication

Once a user is authenticated to cOS Core, it is then possible to create security policies in the form
of IP rules or IP policies which demand that a user is authenticated before they can access certain
resources.

Furthermore, it is possible to specify one of the following:

1. The user has a specific username.

2. The user belongs to a specific user group.

3. The user is only authenticated and the username or group are not relevant.

Configuring any of these options requires the following:

1. Create an IP address object which includes the IP address of the connecting user.

2. Set the authentication property for this IP address object so it requires a specific user or
   group or just that the user is authenticated.

3. Create an IP rule or IP policy that will allow access to resources by clients and use the IP
   address object created above for the Source Network or Destination Network property of the
   IP rule or IP policy. The source and destination are used in the following ways:

   - The Source Network property would typically be set to only allow access by
     authenticated clients to certain resources such as servers.

   - The Destination Network property would typically be set to only allow access to
     authenticated servers by clients. Authentication of a server is achieved by opening a
     single connection once to cOS Core as though the server were a client.

Example 8.5. Policies Requiring Authentication

This example shows how an IP rule is created that allows clients connecting through the If1
interface to have access to networks on the If2 interface only if they are members of a group
called client_group.

Command-Line Interface

Create the IP4Address object that specifies the IP range of connecting clients with the
authentication group client_group:

Device:/> add Address IP4Address client_net
          Address=192.168.10.10-192.168.10.255
          UserAuthGroups=client_group

Create the IP Rule object that grants access to the networks on the interface If2 using the address
object created above as the source network:

Device:/> add IPRule Action=Allow
          Service=all_services
          SourceInterface=If1
          SourceNetwork=client_net
          DestinationInterface=If2
          DestinationNetwork=all-nets
          Name=client_access_rule
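To make the effect of the authentication property concrete, the following added example (not cOS Core code, and not part of this manual) parses address and rule objects written in the CLI form above and evaluates which rule a connection would match. It assumes first-match rule evaluation, assumes all-nets is the range 0.0.0.0-255.255.255.255, and models only the UserAuthGroups property shown on this page; an unauthenticated host is represented by passing no group set.

```python
import ipaddress

# Constructed sample configuration, written in the CLI form shown on this page.
# The all-nets object is assumed to cover the whole IPv4 range.
CONFIG = """
add Address IP4Address client_net Address=192.168.10.10-192.168.10.255 UserAuthGroups=client_group
add Address IP4Address all-nets Address=0.0.0.0-255.255.255.255
add IPRule Action=Allow Service=all_services SourceInterface=If1 SourceNetwork=client_net DestinationInterface=If2 DestinationNetwork=all-nets Name=client_access_rule
"""

def parse_config(text):
    """Return ({address_name: (lo, hi, required_groups)}, [rule property dicts])."""
    addrs, rules = {}, []
    for line in text.strip().splitlines():
        words = line.split()
        props = dict(w.split("=", 1) for w in words if "=" in w)
        if words[:3] == ["add", "Address", "IP4Address"]:
            lo, hi = (ipaddress.ip_address(p) for p in props["Address"].split("-"))
            # UserAuthGroups is the authentication property: a comma-separated group list
            groups = set(filter(None, props.get("UserAuthGroups", "").split(",")))
            addrs[words[3]] = (lo, hi, groups)
        elif words[:2] == ["add", "IPRule"]:
            rules.append(props)
    return addrs, rules

def address_matches(addr, ip, user_groups):
    """user_groups is None for a host with no authenticated user, otherwise the
    set of groups the authenticated user belongs to."""
    lo, hi, required = addr
    if not (lo <= ipaddress.ip_address(ip) <= hi):
        return False
    if required:  # authentication required: user must be in at least one listed group
        return user_groups is not None and bool(required & user_groups)
    return True   # no authentication property set: the IP range alone decides

def lookup_rule(addrs, rules, src_if, src_ip, dst_if, dst_ip,
                client_groups=None, server_groups=None):
    """First-match evaluation (assumed); returns the rule name, or None when no
    rule matches, which is treated here as an implicit drop."""
    for rule in rules:
        if (rule["SourceInterface"] == src_if and rule["DestinationInterface"] == dst_if
                and address_matches(addrs[rule["SourceNetwork"]], src_ip, client_groups)
                and address_matches(addrs[rule["DestinationNetwork"]], dst_ip, server_groups)):
            return rule["Name"]
    return None

ADDRS, RULES = parse_config(CONFIG)
```

With this configuration a client at 192.168.10.20 matches client_access_rule only when its authenticated user is in client_group; the same address unauthenticated, or in a different group, matches nothing.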

Chapter 8: User Authentication
