topic unauthenticated users in General Topics

unauthenticated users

LCMember1607 — Mon, 28 Jan 2013 17:42:39 GMT

Is there a simple way to prevent unauthenticated users from accessing the internet from the inside?

It is my understanding that you cannot negate AD Groups? True?

I was hoping to create a policy like this that would deny any unauthenticated users from accessing the internet.

Zone Address User Zone Address Action

LAN Any domain/domain users WAN Any Allow

NEGATE

Re: unauthenticated users

filipe — Mon, 28 Jan 2013 18:31:02 GMT

The simplest being deny all access to 'unknown-user' in the "source user" field. That way only authenticated users will be able to gain access to whatever rules you permit whereas any unauthenticated traffic will be dropped.

Does that help?

Re: unauthenticated users

mikand — Mon, 28 Jan 2013 18:35:33 GMT

If you setup a security policy like:

Zone: LAN

Address: Any

User: domain/domain users

Zone: WAN

Address: Any

Action: Allow

followed with a (the built in default deny rule doesnt log):

Zone: Any

Address: Any

User: Any

Zone: Any

Address: Any

Action: Deny

Options: Log on session end

Then only clients from your LAN zone which are authenticated against the AD and belongs to the domain users group will be allowed to pass through.

Re: unauthenticated users

LCMember1607 — Mon, 28 Jan 2013 20:18:40 GMT

I have no such user called unknown-user in the user tab of the Security Policy Rule.

Re: unauthenticated users

filipe — Mon, 28 Jan 2013 20:25:49 GMT

Bill, I'm sorry. It's just "unknown" in the source user option:

Any traffic the PA is unable to correlate user <-> ip, using whichever authentication methods, is treated as "unknown" in the user field.

You can use the "unknown" user as an object for a Deny rule.

Hope it helps.

Re: unauthenticated users

LCMember1607 — Thu, 07 Feb 2013 19:56:53 GMT

Thanks Filipe, that's what I was looking for.