Barracuda NextGen Firewall X

User does not match the Proventia Webfilter rules

  • Type: Knowledgebase
  • Date changed: 6 months ago
Solution #00005203 
 
Scope:
This solution applies to:
- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x

 
Symptoms:

Users who successfully authenticate on the proxy server do not match the specified rules of the Proventia Webfilter.


 
Solution:

The problem can be an empty group field returned by the authentication server.

Normally the authentication server returns user group information (CN=user01,CN=users,DC=company,DC=com), which is used for matching in Proventia Webfilter rules. In some cases the authenticator does not deliver group information.

 

You can verify this in "Log" > "Box" > "Control" > "phibs.log" by looking for messages like this:

Authresult: ID=127.0.0.1:12073-1; Result: Authentication Ok (1); Server: CompanyAD; Status: Ready (1); groups=

 

Here the group information field is empty. The correct output must look like this:

Authresult: ID=127.0.0.1:12073-1; Result: Authentication Ok (1); Server: CompanyAD; Status: Ready (1); groups=CN=user01,CN=users,DC=company,DC=com

 

Only if the group field returns group information can you filter on these attributes in the Proventia Webfilter configuration.
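The check described above can be run over an exported copy of phibs.log. The following is an added example, not Barracuda code: the sample lines are constructed in the Authresult format quoted in this article (the server name CompanyLDAP is made up), and it assumes "groups=" is the last field on each line.

```python
import re
from collections import Counter

# Constructed sample lines in the Authresult format quoted in this article.
SAMPLE_LOG = """\
Authresult: ID=127.0.0.1:12073-1; Result: Authentication Ok (1); Server: CompanyAD; Status: Ready (1); groups=
Authresult: ID=127.0.0.1:12074-1; Result: Authentication Ok (1); Server: CompanyAD; Status: Ready (1); groups=CN=user01,CN=users,DC=company,DC=com
Authresult: ID=127.0.0.1:12075-1; Result: Authentication Ok (1); Server: CompanyLDAP; Status: Ready (1); groups=
"""

# "key=value" or "key: value" fields separated by ';' (ID, Result, Server, Status).
FIELD = re.compile(r"\s*([^=:;]+)[=:]\s*([^;]*)")

def parse_authresult(line):
    """Parse one Authresult line into a dict; return None for other lines."""
    _, marker, fields = line.partition("Authresult:")
    if not marker:
        return None
    # Assumption: groups= is the last field. Its value is a DN containing
    # '=' and ',', so it is taken whole to the end of the line.
    head, sep, groups = fields.partition("groups=")
    record = {"groups": groups.strip() if sep else None}
    for key, value in FIELD.findall(head):
        record[key.strip()] = value.strip()
    return record

def empty_group_logins(lines):
    """Return (ID, Server) for successful authentications with an empty groups field."""
    hits = []
    for line in lines:
        rec = parse_authresult(line)
        if not rec or rec["groups"] != "":
            continue
        if rec.get("Result", "").startswith("Authentication Ok"):
            hits.append((rec.get("ID"), rec.get("Server")))
    return hits

def summarize(lines):
    """Count affected logins per authentication server."""
    return Counter(server for _, server in empty_group_logins(lines))

if __name__ == "__main__":
    for server, count in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{server}: {count} successful login(s) without group information")
```

A server that appears in the summary is one whose authentication scheme should be checked against the causes listed below.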

 

 

In most cases, a wrong configuration of the authentication schemes on the netfence box is the reason why no group information is returned. Here are some reasons for a wrong configuration.

 

The authentication with scheme "MSAD" returns no group-information:
The searching user does not have the required permission. Try the domain administrator user as the searching user.

 

The authentication with scheme "MSCHAP" returns no group-information:
The netfence box does not have a valid join to the domain.

 

The authentication with scheme "LDAP" returns no group-information:
The "Group Attribute" uses a wrong entry. For LDAP you have to tell the authentication server which attribute field to request.

 

Example authentication-schemes configuration for Microsoft LDAP:
  Group Attribute = memberof

 

Example authentication-schemes configuration for Netware eDirectory LDAP:

  Group Attribute = groupMembership


These examples use the default attributes for each LDAP authentication server; they could differ in customized setups.



The authentication with scheme "RADIUS" returns no group-information:

The "Group Attribute" uses a wrong entry. For RADIUS you have to tell the authentication server which attribute field to request.

 

Example authentication-schemes configuration for RADIUS:

  Group Attribute = Login-LAT-Group

 

This example uses the default attribute for a RADIUS authentication server; it could differ in customized setups.

 

 

Link to This Page:
https://campus.barracuda.com/solution/50160000000IKZwAAO