OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: jackc on August 09, 2023, 03:57:28 pm

Title: Can I create specific rules per Active Directory group within the Proxy?
Post by: jackc on August 09, 2023, 03:57:28 pm

Good morning,
Can I create specific rules per Active Directory group within the Proxy?

Title: Re: Can I create specific rules per Active Directory group within the Proxy?
Post by: wincent on September 07, 2023, 05:08:49 am

Do you mean to create rules for different users/user groups in AD's group policy?

Title: Re: Can I create specific rules per Active Directory group within the Proxy?
Post by: Amr on November 02, 2023, 02:38:28 pm

Squid proxy can do kerberos authentication, however there's a couple of catches:

• Neither squid nor opnsense officially support it(not sure if there's an enterprise plugin for it or not), so you'll need to install custom packages (samba, heimdal-clients\MIT, overwrite  your custom changes to squid by using templates to survive updates, join the machine to the domain and get a keytab with HTTP principal, have a second system to test for updates compatibility, Frankly lots of work
• you can't run the proxy in transparent mode, you have to configure clients to use the proxy(MITM is PITA anyway)

A possible workaround:

• Dynamically assign clients DHCP based on group membership (if your DHCP server supports that, or if you have a NAC), if your environment is small or you can't do DHCP based on Role you can give out static IPs to known clients, and put unknown clients in a separate VLAN/IP range behind a captive portal
• Segment your network into VLANs (Guest VLAN, Accounting VLAN, Marketing VLAN, etc) and assign clients to each VLAN based on role/known client mac (static mapping)
• From CLI configure squid to have separate ACL for each segment of network/VLAN, Here's a link to get started: https://forum.opnsense.org/index.php?topic=16171 (https://forum.opnsense.org/index.php?topic=16171)