How To Prioritize Authentication Policy Over IP Based Policy

This article explains how to make an authentication-based (user-based) policy take precedence over an IP-based policy. Before that, let us understand what an IP-based policy and a user-based policy are.

User Based Policy:

If a user or user group is defined in the source field of a firewall policy, it is called an authentication (user-based) policy. To match that policy, the user is first prompted to authenticate; only after the user proves their identity will their traffic match the policy.

For example:

[Screenshot: user-based policy]

In the image above, the firewall policy has the user “guest” in the source field, which makes it a user-based policy.

IP Based Policy:

In an IP-based firewall policy no users are defined in the source field; the source field contains only IP addresses. That makes it an IP-based policy.

[Screenshot: IP-based policy]

By default, even if the user-based policy is placed above an IP-based policy for the same destination, the firewall prioritizes the IP-based policy and the traffic matches the IP-based policy rather than the user-based one.

To change this default behaviour, a setting has to be changed in the CLI. Follow the steps below:

Log in to the CLI:

Execute the below commands:

config user setting
    set auth-on-demand <always | implicitly>
end

always: firewall authentication is prioritized, so the user-based policy is matched first.

implicitly: the firewall keeps the default behaviour described above (the IP-based policy is matched).

Change the setting to always:

config user setting
    set auth-on-demand always
end

Now the user-based policy takes precedence over the IP-based policy.
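As an added example (not part of the original article), here is what the two policies from the screenshots look like as a complete CLI configuration, together with the setting and a couple of commands to check the result. It assumes the FortiOS CLI that the `config user setting` / `set auth-on-demand` syntax belongs to; the policy names, interface names and address objects (`port1`, `port2`, `LAN_subnet`, `Web_servers`) are placeholders chosen for this example, and the user `guest` is taken from the screenshot description above.

```text
# 1. Set the precedence first, so the user-based policy below is matched
#    before the IP-based one instead of being skipped.
config user setting
    set auth-on-demand always
end

# 2. User-based policy (ID 1, on top): "guest" in the source field.
#    Placeholder objects: port1/port2, LAN_subnet, Web_servers.
config firewall policy
    edit 1
        set name "user-based-to-web"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "LAN_subnet"
        set dstaddr "Web_servers"
        set users "guest"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
    # 3. IP-based policy (ID 2, below): same destination, no users.
    edit 2
        set name "ip-based-to-web"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "LAN_subnet"
        set dstaddr "Web_servers"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
end

# 4. Verify the setting took effect and watch who has authenticated.
show user setting
diagnose firewall auth list
```

With auth-on-demand set to always, a client on LAN_subnet browsing to Web_servers is prompted to authenticate as guest and its traffic is logged against policy 1; with implicitly, the same traffic silently matches policy 2, so the user identity never appears in the logs. Checking `show user setting` after the change, and `diagnose firewall auth list` during a test session, confirms which behaviour is in force.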

Hope this article helps you 🙂