We have a group of users that need to be able to only access certain websites. In AD, we have created a group for this and placed those users into the group.
In the web filter, we have created a custom category and added the sites into this category. We then created a policy and added the AD groups into that policy. We then added the custom URL category to the policy with ALLOW rights and gave DENY rights to everything else.
This sounds like it should work from what I understand, however it is still allowing the members of the AD group to access other sites. Looking at the logfile, the username(s) get recognized, however it is falling down to the DEFAULT policy instead of our custom policy.
Any ideas on where we should look for this issue? Is there a possible issue with AD group enumeration?
What you've described certainly should work, and I've seen exactly that implemented elsewhere.
The fact that it's hitting the Default group means that it's not an ordering issue (the #1 mistake people make when doing this!) as default is always last.
How long did you wait between adding the users to the group and testing it? If the users had already logged into the S-series then it will have cached their group memberships, which might explain why it's not matching. From memory the caching is for an hour by default, so before doing anything else it might be worth testing it again to see that it hasn't magically started working!
Other than that, all I can suggest is to double-check what you've done to make sure there are no typos or logic mistakes. It might be worth trying to implement it for a single user (based on username rather than group) to see if that works, then if it does try going back to the group again.
The AD group has been in place for about a year and the IronPort only a week. Shouldn't be an issue there. As a test, we did add specific users to the policy instead of the group and the policy worked as we expected it to. It appears there is a problem with the group enumeration.