2 Replies Latest reply on Nov 6, 2012 3:34 AM by itsec

    AD Authentication methods

    itsec

      I have picked up a project where the company is migrating from v6 to v7 so I am looking at the current v7.3 as the production version.

       

      The existing testbox is 7.2 and I am getting a little confused as to which is the best authentication method for an AD environment - those imported by 'authorisation server.xml' or the rule set 'Authentication Server (Time/IP based Session)'

       

The authentication ruleset on the 7.2 box is the imported 'authorisation server.xml' available from McAfee; however, protocol SSL has been removed from the 'Authentication server redirection' rule. I am not sure why. SSL scanning is currently disabled.

       

      Can someone explain the difference between the following rules and recommend which should be used?  I will try and be clear but please let me know if further explanation is needed.

       

      1)

      Top level Rule set:     Authentication Server (Time/IP based Session)

      Nested Rule set:     Check for Valid Authentication Session > Criteria: Authentication.IsServerRequest=false AND protocol = HTTP OR HTTPS OR SSL.

       

Rule FixHostname > if command = CERTVERIFY AND CN has no wildcards then set URL.Host to the CN of the server certificate

       

Rule Redirect clients with no valid session to Auth Server > Authentication.Authenticate = false AND command does not = CONNECT then action = authenticate

       

      2)

      Top level Rule set:     Authentication Server

      Nested Rule Set:     Authentication Server Redirection > Criteria: Authentication.IsServerRequest=false AND protocol = HTTP OR HTTPS OR SSL AND Command does not = CONNECT or CERTVERIFY

       

Rule Redirect to Auth Server > Authentication.Authenticate = false then action = authenticate

       

The second nested ruleset is the same in both rulesets. They appear to be very similar but with different criteria on CONNECT and CERTVERIFY.

       

      thanks
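To make the difference between the two nested rule sets concrete, here is a small model of the criteria listed above run over a few constructed requests. This is an added illustration, not McAfee Web Gateway code: the `Request` class, the `ruleset_*` function names and the sample traffic are assumptions that stand in for the MWG properties (Protocol, Command, URL.Host, Authentication.Authenticate, Authentication.IsServerRequest) and actions named in the post.

```python
"""Toy evaluator for the two MWG authentication rule sets described above.
Added example: MWG's real rule engine is only modelled here, not called."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Protocol criterion shared by both nested rule sets
WEB_PROTOCOLS = {"HTTP", "HTTPS", "SSL"}


@dataclass
class Request:
    """Constructed stand-in for the MWG properties the rules reference."""
    protocol: str                     # Protocol
    command: str                      # Command (GET, CONNECT, CERTVERIFY ...)
    host: str                         # URL.Host as seen before the rules run
    authenticated: bool               # Authentication.Authenticate
    is_server_request: bool = False   # Authentication.IsServerRequest
    cert_cn: Optional[str] = None     # CN of the server certificate (CERTVERIFY only)


def ruleset_time_ip_session(req: Request) -> Tuple[str, str]:
    """Rule set 1: 'Authentication Server (Time/IP based Session)'.
    Returns (action, effective URL.Host)."""
    host = req.host
    # Nested set 'Check for Valid Authentication Session' criteria:
    # IsServerRequest = false AND protocol in HTTP/HTTPS/SSL
    if req.is_server_request or req.protocol not in WEB_PROTOCOLS:
        return ("continue", host)
    # Rule FixHostname: on CERTVERIFY, take URL.Host from the certificate CN
    # unless the CN contains a wildcard
    if req.command == "CERTVERIFY" and req.cert_cn and "*" not in req.cert_cn:
        host = req.cert_cn
    # Rule 'Redirect clients with no valid session to Auth Server':
    # only CONNECT is excluded, so CERTVERIFY can still be redirected
    if not req.authenticated and req.command != "CONNECT":
        return ("authenticate", host)
    return ("continue", host)


def ruleset_original(req: Request) -> Tuple[str, str]:
    """Rule set 2: 'Authentication Server' (the downloadable XML version)."""
    host = req.host
    # Nested set 'Authentication Server Redirection' criteria: CONNECT and
    # CERTVERIFY are excluded up front, so there is no FixHostname step
    if (req.is_server_request or req.protocol not in WEB_PROTOCOLS
            or req.command in ("CONNECT", "CERTVERIFY")):
        return ("continue", host)
    # Rule 'Redirect to Auth Server'
    if not req.authenticated:
        return ("authenticate", host)
    return ("continue", host)


# Constructed sample traffic from an unauthenticated client (assumed values)
SAMPLES: Dict[str, Request] = {
    "http_get": Request("HTTP", "GET", "www.example.com", False),
    "connect": Request("SSL", "CONNECT", "www.example.com", False),
    "certverify": Request("SSL", "CERTVERIFY", "203.0.113.10", False,
                          cert_cn="www.example.com"),
    "certverify_wildcard": Request("SSL", "CERTVERIFY", "203.0.113.10", False,
                                   cert_cn="*.example.com"),
    "ftp": Request("FTP", "GET", "ftp.example.com", False),
    "authenticated_get": Request("HTTP", "GET", "www.example.com", True),
}


def compare(requests: Dict[str, Request]) -> Dict[str, Tuple[Tuple[str, str], Tuple[str, str]]]:
    """Run both rule sets over each request: name -> (rule set 1 result, rule set 2 result)."""
    return {name: (ruleset_time_ip_session(r), ruleset_original(r))
            for name, r in requests.items()}


if __name__ == "__main__":
    for name, (first, second) in compare(SAMPLES).items():
        print(f"{name:20s} Time/IP session: {first}   original XML: {second}")
```

The only requests the two models treat differently are the CERTVERIFY ones: the Time/IP based Session rule set rewrites the host from the certificate CN and then redirects to the authentication server, while the original XML rule set skips CERTVERIFY (and CONNECT) entirely; plain HTTP GETs are redirected by both, and non-web protocols by neither.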

        • 1. Re: AD Authentication methods
          Jon Scholten

          Just use the latest one (Authentication Server Time/IP based Session) from the ruleset library if you are on 7.2.0.2 or higher.

           

Background: the ruleset has evolved over time and the criteria have changed, so the latest one is the best (the second one you mentioned sounds like the original).

           

In the latest one there is even a rule that allows you to only authenticate under ideal conditions, so you don't have to redirect away from HTTPS sites (and potentially get a certificate error).

           

          Best,

          Jon

          • 2. Re: AD Authentication methods
            itsec

OK, thanks Jon. Yes, the second one was from the XML file available for download.