Barracuda NextGen Firewall X

User does not match the Proventia Webfilter rules

  • Type: Knowledgebase
  • Date changed: one year ago
Solution #00005203 
 
Scope:
This solution applies to:
- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x

 
Symptoms:

Users who successfully authenticate on the proxy server do not match the specified rules of the Proventia Webfilter.


 
Solution:

The cause can be an empty group field in the response of the authentication server.

Normally the authentication server returns user group information (CN=user01,CN=users,DC=company,DC=com), which is used for matching in the Proventia Webfilter rules. In some cases the authenticator does not deliver group information.

 

You can verify this under "Log" > "Box" > "Control" > "phibs.log" by checking whether messages like the following occur:

Authresult: ID=127.0.0.1:12073-1; Result: Authentication Ok (1); Server: CompanyAD; Status: Ready (1); groups=

 

Here the group information field is empty. The correct output must look like this:

Authresult: ID=127.0.0.1:12073-1; Result: Authentication Ok (1); Server: CompanyAD; Status: Ready (1); groups=CN=user01,CN=users,DC=company,DC=com

 

Only if the group field returns group information can you filter on these attributes in the Proventia Webfilter configuration.
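The check described above can be scripted over an exported copy of phibs.log. The following is an added example, not Barracuda code: the field layout is assumed from the two log lines quoted above, the function names are hypothetical, and the sample lines other than those two are constructed.

```python
import re
from collections import Counter

# Field layout assumed from the two phibs.log lines quoted in this article.
AUTHRESULT = re.compile(
    r"Authresult: ID=(?P<id>[^;]+); Result: (?P<result>[^;]+); "
    r"Server: (?P<server>[^;]+); Status: (?P<status>[^;]+); groups=(?P<groups>.*)$"
)

def parse_authresult(line):
    """Return the Authresult fields as a dict, or None for any other log line."""
    m = AUTHRESULT.search(line.rstrip("\r\n"))  # search() tolerates a leading prefix
    if m is None:
        return None
    rec = {key: value.strip() for key, value in m.groupdict().items()}
    rec["ok"] = rec["result"].startswith("Authentication Ok")
    return rec

def servers_without_groups(lines):
    """Count, per authentication server, successful logins with an empty groups= field."""
    empty = Counter()
    for line in lines:
        rec = parse_authresult(line)
        if rec and rec["ok"] and not rec["groups"]:
            empty[rec["server"]] += 1
    return dict(empty)

# Sample input: the first two lines are quoted from the article; the rest are constructed.
SAMPLE = [
    "Authresult: ID=127.0.0.1:12073-1; Result: Authentication Ok (1); "
    "Server: CompanyAD; Status: Ready (1); groups=",
    "Authresult: ID=127.0.0.1:12073-1; Result: Authentication Ok (1); "
    "Server: CompanyAD; Status: Ready (1); groups=CN=user01,CN=users,DC=company,DC=com",
    "[constructed prefix] Authresult: ID=127.0.0.1:12074-1; Result: Authentication Ok (1); "
    "Server: CompanyLDAP; Status: Ready (1); groups=   ",
    "constructed line that is not an Authresult message",
]

if __name__ == "__main__":
    for server, count in servers_without_groups(SAMPLE).items():
        print(f"{server}: {count} successful login(s) without group information")
```

A server that shows up in this output authenticates users but delivers no groups, so its authentication scheme configuration is the one to review.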

 

 

In most cases, a wrong configuration of the authentication schemes on the netfence box is the reason why no group information is returned. Here are some causes of a wrong configuration.

 

Authentication with the "MSAD" scheme returns no group information:
The searching user does not have the required permission. Try the domain administrator user as the searching user.

 

Authentication with the "MSCHAP" scheme returns no group information:
The netfence box does not have a valid join to the domain.

 

Authentication with the "LDAP" scheme returns no group information:
The "Group Attribute" contains a wrong entry. For LDAP you have to tell the authentication server which attribute field to request.

 

Example authentication-schemes configuration for Microsoft LDAP:
  Group Attribute = memberof

 

Example authentication-schemes configuration for Netware eDirectory LDAP:

  Group Attribute = groupMembership


These examples use the default attributes for each LDAP authentication server; they may differ in customized setups.



Authentication with the "RADIUS" scheme returns no group information:

The "Group Attribute" contains a wrong entry. For LDAP you have to tell the authentication server which attribute field to request.

 

Example authentication-schemes configuration for RADIUS:

  Group Attribute = Login-LAT-Group

 

This example uses the default attribute for a RADIUS authentication server; it may differ in customized setups.

 

 

Link to This Page:
https://campus.barracuda.com/solution/50160000000IKZwAAO