Authentication: Web Filter User-to-IP Mapping
We need the user's IP mapping. Once a user is authenticated against the HTTP proxy, the user source IP should be mapped in the user's object, so that we can create policy per user.
In addition to the Advanced Threat Protection we would like to know which user needs assistance with their virus/trojan problems.
Jaco Fourie commented
It has been some time that this has been requested. We need this also ASAP. We need to be able to show who did what on the network, not just the IP addresses. We use DHCP to hand out IPs, we have more than 4000 IPs, so it is a huge mission to figure out who did what. If we can map the IP to the user based on the authentication at the UTM using any method, not using the agent only, as we have mobile phones as well as Linux desktops that cannot use the agent. When will this feature be available?
Martin Herbert commented
I need this feature too. We need to add SNAT to our users to access a special external network. Because we use DHCP, we need to edit our SNATs after changing user workstations to hold the functionality. The web proxy of Astaro reads the IP from the usersource/userdirectory (edir/ads). It would be very helpful to add this IP to the remotely authenticated user object.
Hi Gabryel. Note that isn't the same thing. In this case, the user request for this feature is to have the proxy authentication map over to a user object for other uses. We in 8.200 will map IPs to users if they make use of the Astaro Authentication Agent, but simply authing against the HTTP proxy won't trigger the same thing in the user object.
Included in 8.200 - official release on 21st of July 2011
Please, make it possible to map users to IP for IM/P2P policing
We desperately need this feature!
Marco Feuerstein commented
Okay we also need this feature.
We want User-Based Packet Filter Rules instead of IP-based.
So if Astaro would identify the user over the Proxy Function it would be awesome!
Our workaround at the moment is a dial-in via OpenVPN, also from inside of the network. So we can configure user-based policies for special needs.
It's urgently needed, like Cisco's way to give users the ability for flexible user access to internal resources.
If you wanna configure a packet filter rule based on user and NOT IP address, there is NO chance to have it right now. Having a great authentication module, there are many customers with dozens of PCs that do NOT have a fixed IP address configured on each PC, but only DHCP, that would like to allow whole internet traffic based on who is surfing the internet.
Many competitors have this feature already, and in my opinion it's a key feature, since ASTARO is able to map in the middleware (so in the packet filter rules) the user's IP address is provided by the ASG, such as ROAD WARRIOR IPSEC VPN with IKE config turned (IKE CONFIG is a kind of DHCP over VPN) or SSL VPN. If you configure a STATIC IP address in a USER object, this IP address will be mapped in the middle once the IPSEC connection is triggered. At the same time, it would be very useful and comfortable to have the same thing when a user authenticates himself against the HTTP PROXY, since the HTTP PROXY knows user and IP address is trying to establish a connection with it.
Bob Alfson commented
What problem are you trying to address? How is this different from existing functionality?