McAfee Employee
Message 1 of 2

Is There a way to Match User to Client IP When Authentication is Bypassed?


Some applications do not know how to authenticate to an explicit proxy. This is not an issue if MCP is used to direct the traffic because MCP can authenticate applications regardless of whether or not they are proxy aware.

If MCP is not used, then authentication bypasses are required, usually based on some combination of user-agent string, client IP, and destination criteria. This allows the apps to work, but results in no user data in the logging.

If we are talking about a client that runs other applications like browsers that can authenticate, it would be beneficial to historically map IPs to users whenever actual authentication is performed and then save that mapping to be used when authentication is bypassed. How can this be done?

 

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as a Solution in my reply so we can help other community participants?
Accepted Solution
McAfee Employee
Message 2 of 2

Re: Is There a way to Match User to Client IP When Authentication is Bypassed?


Yes, this can be done using PDStorage. Note: PDStorage is not available in the cloud service, but MCP is typically used to connect to the cloud and MCP never requires authentication bypass.

The attached ruleset should be placed after your authentication rules so that PDStorage gets set for an IP whenever a user is successfully authenticated. The mapping will be retained for 24 hours but will be reset any time the IP to authenticated user no longer matches after an authentication.

If the transaction has been authenticated and there is already a mapping, we do nothing unless the mapping doesn't match the authenticated user. If the transaction is authenticated and there is no mapping for the user, we create a mapping from the IP to the username and the user groups. And finally, if the transaction has not been authenticated and there is a mapping, we retrieve the username and user groups.

This ruleset will work as long as users have unique IPs. It will also work when a user has multiple IPs or changes IPs, as long as another user isn't simultaneously using the same IP to connect to MWG (behind a NAT).

You can adjust the timeouts on PDStorage as desired. The shorter you make the timeout (I used 5 minutes) the less likely you will get a mapping for a transaction that bypasses authentication. But the longer you use, the more likely your mapping will be wrong if the unauthenticated transaction is the first transaction after a different user gets the IP.

If you want to set IsAuthenticated equals true in a final rule when Authentication.UserName is no longer null, that is possible simply by enabling the rule. I chose to leave it disabled, because this isn't a true authentication.

Persistent Auth by IP Local Only
[This ruleset uses PDStorage to save authenticated user information by IP for reuse when requests bypass authentication. This will not work properly for client IPs that are shared by multiple users simultaneously, but it will work for a user simultaneously using multiple IPs]
[✔] Enabled  [✘] Disabled in Cloud
Applies to: [] Requests [] Responses [] Embedded Objects
Criteria: Always

Rule ([✔] Enabled): If Authenticated Update UserName and Groups Mapping
  Criteria:
    1: Authentication.IsAuthenticated equals true
    2: AND (PDStorage.HasUserData(IP.ToString(Client.IP))<Persistent Auth by IP - 5 Minutes> equals false
    3: OR String.ReplaceIfEquals(Authentication.UserName,PDStorage.GetUserData.String(IP.ToString(Client.IP))<Persistent Auth by IP - 5 Minutes>,"") does not equal "")
  Action: Stop Rule Set
  Events:
    PDStorage.AddUserData.String(IP.ToString(Client.IP),Authentication.UserName)<Persistent Auth by IP - 5 Minutes>
    PDStorage.AddGlobalData.String(String.Concat("UN:",IP.ToString(Client.IP)),Authentication.UserName)<Persistent UserGroups Auth - 1 Day>
    PDStorage.AddGlobalData.List.String(String.Concat("UG:",IP.ToString(Client.IP)),Authentication.UserGroups)<Persistent UserGroups Auth - 1 Day>

Rule ([✔] Enabled): Set Authenticated.Username to Stored Values for IP
  Criteria:
    1: Authentication.IsAuthenticated equals false
  Action: Continue
  Events:
    Set Authentication.UserName = PDStorage.GetGlobalData.String(String.Concat("UN:",IP.ToString(Client.IP)))<Persistent UserGroups Auth - 1 Day>

Rule ([✔] Enabled): Set Authenticated.UserGroups to Stored Values for IP
  Criteria:
    1: Authentication.IsAuthenticated equals false
  Action: Continue
  Events:
    Set Authentication.UserGroups = PDStorage.GetGlobalData.List.String(String.Concat("UG:",IP.ToString(Client.IP)))<Persistent UserGroups Auth - 1 Day>

Rule ([✘] Disabled): Set IsAuthenticated Equals True
  Criteria:
    1: Authentication.UserName does not equal ""
  Action: Continue
  Events:
    Set Authentication.IsAuthenticated = true
  Comments: Optional - Default is off as this is not true authentication and may be inaccurate

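The mapping logic the accepted answer describes, as an added simulation that is not part of the original post and not McAfee Web Gateway code: PDStorage is modelled as an in-memory store with per-entry expiry, and the three enabled rules are applied to constructed proxy transactions. The names PDStorageSim, Transaction, apply_ruleset, nat_scenario and the two TTL constants are assumptions of this example; the TTLs mirror the two storage definitions named in the ruleset (5 minutes for the per-IP user data that decides when to rewrite the mapping, 1 day for the global entries that unauthenticated requests read). The nat_scenario function walks through the shared-IP case the answer warns about, so the resulting misattribution is visible rather than just described.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# TTLs matching the two PDStorage definitions referenced in the ruleset.
USER_DATA_TTL = 5 * 60          # "Persistent Auth by IP - 5 Minutes"
GLOBAL_DATA_TTL = 24 * 60 * 60  # "Persistent UserGroups Auth - 1 Day"


@dataclass
class Transaction:
    """One proxy transaction as the ruleset sees it (constructed input)."""
    client_ip: str
    is_authenticated: bool
    user_name: str = ""
    user_groups: List[str] = field(default_factory=list)


class PDStorageSim:
    """Toy stand-in for PDStorage: key -> (value, expiry time).
    'now' is passed in as plain seconds so runs are deterministic and offline."""

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[object, float]] = {}

    def add(self, key: str, value: object, now: float, ttl: float) -> None:
        self._entries[key] = (value, now + ttl)

    def get(self, key: str, now: float) -> Optional[object]:
        entry = self._entries.get(key)
        if entry is None:
            return None
        value, expires_at = entry
        if now >= expires_at:          # an expired entry behaves as absent
            del self._entries[key]
            return None
        return value


def apply_ruleset(store: PDStorageSim, tx: Transaction, now: float) -> Tuple[str, List[str]]:
    """Apply the ruleset to one transaction and return the (UserName, UserGroups)
    that later logging rules would see for it."""
    ip = tx.client_ip

    # Rule 1: authenticated, and either no 5-minute mapping for this IP or a
    # mapping for a different user -> (re)write the mapping, then Stop Rule Set.
    if tx.is_authenticated:
        mapped = store.get(ip, now)
        if mapped is None or mapped != tx.user_name:
            store.add(ip, tx.user_name, now, USER_DATA_TTL)
            store.add("UN:" + ip, tx.user_name, now, GLOBAL_DATA_TTL)
            store.add("UG:" + ip, list(tx.user_groups), now, GLOBAL_DATA_TTL)
        return tx.user_name, list(tx.user_groups)

    # Rules 2 and 3: not authenticated -> take UserName/UserGroups from the
    # 1-day global entries for this IP (empty when nothing is stored).
    user = store.get("UN:" + ip, now)
    groups = store.get("UG:" + ip, now)
    # Rule 4 (disabled in the posted ruleset) would set IsAuthenticated here.
    return (user if isinstance(user, str) else ""), (list(groups) if isinstance(groups, list) else [])


def nat_scenario() -> List[Tuple[str, str]]:
    """Two users behind one NAT address (constructed): the most recently
    authenticated user 'wins' the mapping, so alice's proxy-unaware app is
    logged as bob once bob has authenticated from the same IP."""
    store = PDStorageSim()
    events = [
        (0,  Transaction("10.0.0.5", True, "alice", ["staff"])),
        (10, Transaction("10.0.0.5", False)),                       # alice's app
        (20, Transaction("10.0.0.5", True, "bob", ["contractors"])),
        (30, Transaction("10.0.0.5", False)),                       # alice's app again
    ]
    seen = []
    for t, tx in events:
        name, _ = apply_ruleset(store, tx, t)
        seen.append((f"t={t}", name))
    return seen


if __name__ == "__main__":
    for when, who in nat_scenario():
        print(when, "->", who or "(no user)")
```

Reading the output of nat_scenario makes the answer's caveat concrete: the mapping is only as good as the assumption that one IP belongs to one user at a time, and a shorter TTL on the global entries bounds how long a stale mapping can mislabel traffic after an address changes hands.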
