665 Views 3 Replies Latest reply: Jan 3, 2013 10:37 AM by Jon Scholten
nmalonzo Newcomer 12 posts since
May 7, 2012

Dec 26, 2012 9:29 PM

Policy for multiple AD group user

Hi All,

We are currently implementing MWG 7.3 and we are encountering a problem.

We have users that are members of multiple groups (e.g. GROUP A, B, C).

We have a policy wherein, if you are a member of a certain group, you have specific rules for whitelisted URLs and blocked categories (same setup per policy with a specific group).

Example:

User A is a member of GROUP A, B and C.

Policy 1 - authentication.usergroup = "Group A" -> Allow all

Policy 2 - authentication.usergroup = "Group B" -> Block Social Networking sites

Policy 3 - authentication.usergroup = "Group C" -> Block all

Note: policies are top to bottom within a parent ruleset, criteria set = "Always".

What's happening is, instead of User A authenticating to Policy 1 (which it should, since Policy 1 is at the top), User A goes straight to Policy 2.

Should I add another rule to stop the cycle?

I'm quite confused; please help me understand.

Thanks in advance

Nelson

  • Jon Scholten McAfee SME 857 posts since
    Nov 3, 2009
    1. Dec 27, 2012 10:13 AM (in response to nmalonzo)
    Re: Policy for multiple AD group user

    Hi Nelson,

    There are various ways to accomplish this; see the links below:

    https://community.mcafee.com/docs/DOC-3649

    https://community.mcafee.com/docs/DOC-2210

    Best,

    Jon

  • Jon Scholten McAfee SME 857 posts since
    Nov 3, 2009
    3. Jan 3, 2013 10:37 AM (in response to nmalonzo)
    Re: Policy for multiple AD group user

    Hi Nelson,

    Please let me know if I misinterpreted your request.

    The first sentence sounds like one thing:

    "The setup is, users are members of a certain group initially, to access a certain website users will have to request for internet connection access and once approved they will be added to another group to give access to the sites."

    If the user is added to the other group, then they would be granted access to whatever sites that new group is able to access. There should be no action required on the part of the user except to request to be added to a new group.

    The second sentence:

    "How can I parallel this to MWG policy? Is it possible to authenticate twice to be able to access the websites that are only available in another group policy which you are a member of as well?"

    Sounds like you would like the user to "re-authenticate" as another user. Is this correct? Do you have users in your domain with multiple accounts? This sounds different from your first sentence.

    Best,

    Jon
