OPNsense Forum
English Forums => Web Proxy Filtering and Caching => Topic started by: jackc on August 09, 2023, 03:57:28 pm
-
Good morning,
Can I create specific rules per Active Directory group within the Proxy?
-
Do you mean to create rules for different users/user groups in AD's group policy?
-
Squid proxy can do Kerberos authentication; however, there are a couple of catches:
- Neither squid nor opnsense officially support it (not sure if there's an enterprise plugin for it or not), so you'll need to install custom packages (samba, heimdal-clients\MIT), overwrite your custom changes to squid by using templates to survive updates, join the machine to the domain and get a keytab with an HTTP principal, and have a second system to test for update compatibility. Frankly, lots of work.
- You can't run the proxy in transparent mode; you have to configure clients to use the proxy (MITM is a PITA anyway).
A possible workaround:
- Dynamically assign client addresses via DHCP based on group membership (if your DHCP server supports that, or if you have a NAC). If your environment is small or you can't do DHCP based on role, you can give out static IPs to known clients and put unknown clients in a separate VLAN/IP range behind a captive portal.
- Segment your network into VLANs (Guest VLAN, Accounting VLAN, Marketing VLAN, etc.) and assign clients to each VLAN based on role/known client MAC (static mapping).
- From the CLI, configure squid to have a separate ACL for each network segment/VLAN. Here's a link to get started: https://forum.opnsense.org/index.php?topic=16171
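To make the two options above concrete, here is an added squid.conf example (not from the poster, not from the OPNsense project, and not tested on OPNsense). The first part is the per-VLAN workaround the reply recommends: one `src` ACL per segment and an ordered set of `http_access` rules, with a final `deny all` so a client on an unmapped range gets nothing. The second part sketches the unsupported Kerberos path for comparison: `negotiate_kerberos_auth` for authentication and squid's `ext_kerberos_ldap_group_acl` helper for AD group membership. All VLAN ranges, file paths, hostnames, the `EXAMPLE.COM` realm and the `Accounting` group name are assumptions; the include directory and helper paths are typical for a FreeBSD squid install but must be checked against the template your OPNsense version generates.

```conf
# ---------------------------------------------------------------------------
# Part 1: per-VLAN ACLs (the workaround that needs no Kerberos at all)
# ---------------------------------------------------------------------------
# Assumed (hypothetical) VLAN addressing; replace with your own ranges.
acl vlan_guest      src 10.10.10.0/24
acl vlan_accounting src 10.10.20.0/24
acl vlan_marketing  src 10.10.30.0/24

# Assumed destination lists, one domain per line in each file.
acl guest_blocked dstdomain "/usr/local/etc/squid/acl/guest-blocked.txt"
acl finance_sites dstdomain "/usr/local/etc/squid/acl/finance-sites.txt"

# Order matters: squid stops at the first http_access line that matches,
# so each segment's deny rules must come before its allow rule.

# Guests: deny the blocklist, allow everything else.
http_access deny  vlan_guest guest_blocked
http_access allow vlan_guest

# Accounting: unrestricted (the only segment allowed to reach finance portals).
http_access allow vlan_accounting

# Marketing: everything except the finance portals.
http_access deny  vlan_marketing finance_sites
http_access allow vlan_marketing

# Anything that did not match a known segment (an unmapped client, a spoofed
# address on the wrong VLAN) is refused rather than silently allowed.
http_access deny all

# ---------------------------------------------------------------------------
# Part 2: the unsupported path, Kerberos auth + AD group lookup (alternative
# to Part 1, shown for comparison; do not use both rule sets at once)
# ---------------------------------------------------------------------------
# Prerequisites (outside squid.conf, assumed): the box is domain-joined, a
# keytab holding HTTP/proxy.example.com@EXAMPLE.COM exists, squid's process
# environment has KRB5_KTNAME pointing at it, and clients are explicitly
# configured to use proxy.example.com (Negotiate cannot work transparently).
#
# auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
# auth_param negotiate children 20 startup=5 idle=1
# auth_param negotiate keep_alive on
#
# Group helper: returns OK when the authenticated user (%LOGIN) is a member
# of the AD group given with -g. One external_acl_type per group.
# external_acl_type ad_accounting ttl=300 negative_ttl=60 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -g Accounting@EXAMPLE.COM
# acl is_accounting external ad_accounting
# acl authenticated proxy_auth REQUIRED
#
# http_access allow is_accounting finance_sites
# http_access deny  finance_sites
# http_access allow authenticated
# http_access deny  all
```

Because the OPNsense web UI regenerates squid.conf from templates, these lines must live in a file the template includes (assumed here to be one of the `pre-auth`/`post-auth` drop-in directories the reply's linked thread describes) rather than in squid.conf itself, or they will be lost on the next save or update. After editing, run `squid -k parse` to syntax-check the result and `squid -k reconfigure` to load it, then verify with a client on each VLAN that the expected `TCP_DENIED` entries appear in access.log.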