User objects restrict firewall rules to specific users and user groups. You can apply user objects to forwarding firewall rules and specify user conditions such as login names, groups, and policy role patterns. You also have the option to include VPN groups in the object configuration.
User objects are populated by querying the external authentication servers or the local authentication service on the Barracuda NG Firewall. For VPN, user objects can also query X.509 certificate patterns.
User Conditions
When you create a new user object, configure the following settings in the User Condition configuration window to define the users that the user object applies to:
- Authentication Pattern – The group assignments of the users, according to the affected external authentication scheme (MSAD, LDAP, or RADIUS).
- Policy Roles Patterns – The policy role patterns for VPN users when using the Barracuda Network Access Client. You can select:
- healthy
- unhealthy
- untrusted
- probation
- X509 Certificate Pattern – The certificate conditions for VPN users and groups:
- Subject/Issuer – The subject/issuer of the affected X.509 certificate. If multiple subject parts (key value pairs) are required, separate them with a forward slash (/). For example, if OU=test1 and OU=test2 are required, select OU and enter test1/test2.
- Policy/AltName – The ISO number and the SubjectAltName according to the certificate.
- VPN User Pattern – The VPN login name and, in the VPN Group field, the VPN group policy that the object applies to.
- Authentication Method – In this section, you can specify the following settings:
- Origin – Defines the type of originator. The following originators are available when configured:
- VPNP (PersonalVPN)
- VPNG (GroupVPN)
- VPNT (Tunnel)
- HTTP (Browser login)
- Proxy (Login via proxy)
- Server/Service/Box – Allows enforcing authentication on a certain server/service/box.
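As an added example (not Barracuda's code) of the slash-separated Subject/Issuer pattern described above: the matcher below treats test1/test2 under OU as requiring both OU=test1 and OU=test2 in the certificate subject, which is inferred from the page's example and assumed to be order-insensitive; the DN parser, function names, and sample subjects are this example's own.

```python
"""Check an X.509 subject against a Subject/Issuer pattern of the form 'value1/value2'.
Added example; the AND semantics follow the page's OU=test1 and OU=test2 illustration."""
from collections import defaultdict


def parse_dn(dn: str) -> dict[str, list[str]]:
    """Parse a comma-separated DN string such as 'CN=alice,OU=test1,OU=test2,O=Example'
    into attribute -> list of values. Repeated attributes (two OUs) are kept as a list;
    a backslash escapes the following character, so 'Smith\\, John' stays one value."""
    values = defaultdict(list)
    fields, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    fields.append("".join(buf))
    for field in fields:
        key, sep, value = field.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed DN component: {field!r}")
        values[key.strip().upper()].append(value.strip())
    return dict(values)


def subject_pattern_matches(dn: str, attribute: str, pattern: str) -> bool:
    """Return True only when every slash-separated value in the pattern is present
    among the subject's values for that attribute. A certificate carrying only
    OU=test1 therefore does not satisfy the pattern 'test1/test2'."""
    required = [v for v in pattern.split("/") if v]
    present = parse_dn(dn).get(attribute.upper(), [])
    return bool(required) and all(v in present for v in required)


if __name__ == "__main__":
    # Constructed sample subjects, not taken from any real certificate.
    both = "CN=alice,OU=test1,OU=test2,O=Example"
    one = "CN=bob,OU=test1,O=Example"
    print(subject_pattern_matches(both, "OU", "test1/test2"))  # True
    print(subject_pattern_matches(one, "OU", "test1/test2"))   # False
```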