Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
889
Views
0
Helpful
2
Replies

Allow to only specific sites

qsnow_ironport
Level 1
Level 1

‎12-01-2007 06:55 AM

We have a group of users that need to be able to only access certain websites. In AD, we have created a group for this and placed those users into the group.

In the web filter, we have created a custom category and added the sites into this category. We then created a policy and added the AD groups into that policy. We then added the custom URL category to the policy with ALLOW rights and gave DENY rights to everything else.

This sounds like it should work from what I understand, however it is still allowing the members of the AD group to access other sites. Looking at the logfile, the username(s) get recognized, however it is falling down to the DEFAULT policy instead of our custom policy.

Any ideas on where we should look for this issue? Is the a possible issue AD group enumeration?

Labels:
0 Helpful
2 Replies 2

Doc_ironport
Level 1
Level 1

‎12-01-2007 02:36 PM

What you've described certainly should work, and I've seen exactly that implemented elsewhere.

The fact that it's hitting the Default group means that it's not an ordering issue (the #1 mistake people make when doing this!) as default is always last.

How long did you wait between adding the users to the group and testing it? If the users had already logged into the S-series then it will have cached their group memberships which might explain why it's not matching. From memory the caching is for an hour be default, so before doing anything else it might be worth testing it again to see that it hasn't magically started working!

Other than that all I can suggest is to double-check what you've done to make sure there's no typo's or logic mistakes. It might be worth trying to implement it for a single user (based on username rather than group) to see if that works, then if it does try going back to the group again.

0 Helpful

qsnow_ironport
Level 1
Level 1

‎12-01-2007 04:59 PM

The AD group has been in place for about a year and the Iron Port only a week. Shouldn't be an issue there. As a test, we did add specific users to the policy instead of the group and the policy worked as we expected it to. It appears there is a problem with the group enumeration.

0 Helpful
Customers Also Viewed These Support Documents