OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: hamad.rauf on April 01, 2019, 03:33:56 pm

Title: User based filtering in sensei
Post by: hamad.rauf on April 01, 2019, 03:33:56 pm
Hello, I want to know whether Sensei supports user-based filtering. I am using both the application and web controller to block the required websites.
I want a super user in Sensei who can access all blocked sites as well. Is it possible in Sensei to support user-based or IP-based filtering?

thanks
Title: Re: User based filtering in sensei
Post by: franco on April 03, 2019, 06:03:31 pm
Hi there,

Incidentally, I talked to Murat from Sensei about this a few weeks back. This was his response regarding the subject:

Quote
As for Username/Group Identification, we already have the necessary plumbing ready on the Sensei engine side. It has an API and if you feed username/groupname <-> IP address mapping via this API, Sensei resolves IP addresses to people and can apply rules accordingly.

Our goal is also to have this feature available before 1.0. With that regard, we could do two things:

1. Captive Portal users -> If OPNsense provides this information via a log file or on the backend database, we could poll this information and sensei could report / act according to this information.

2. AD Integration. We'll code a lightweight agent for the AD so that it streams this data to Sensei Enrichment API.



Cheers,
Franco
Title: Re: User based filtering in sensei
Post by: sebastian on April 11, 2019, 11:54:12 pm
Actually, pfSense has had this feature for years: sending the Captive Portal usernames to the proxy via IP address, so ACL rules could be gated by username or voucher code.

https://github.com/pfsense/pfsense-packages/blob/master/config/squid3/34/check_ip.php

https://github.com/pfsense/pfsense-packages/blob/master/config/squid3/34/squid.inc#L1867

Squid also has support for checking the MAC address as well, as long as Squid is the "first router closest to client".

A nice feature would actually be to add this feature to OPNsense, with both IP and MAC checking.

An additional feature that could be added is that if BOTH captive portal and Squid are enabled for an interface, the original captive portal handling could be disabled, and instead a custom "Access Denied" page in Squid could contain the captive portal login form.

The gating of users is then done by Squid itself. The only thing the captive portal script is doing then is adding firewall rules for ports other than the proxy. This could also be added to the captive portal: an ability to specify which other ports a specific user should have access to, apart from ports 80, 443 and 53.
(Basically, users always have full access to the proxy; it's the proxy itself which then denies users access to locations where they are not authorized when they are not logged in.)


I guess Sensei has a plugin to Squid, thus Sensei could act on that auth info?
Or Sensei could fetch the information in the same way as Squid does in pfSense.
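The mechanism sebastian describes (pfSense's check_ip.php handing captive portal user names to Squid so that http_access rules can be gated per user) is a Squid external ACL helper. The following is an added, constructed illustration of that helper protocol written in Python; it is not pfSense's script, not OPNsense or Sensei code, and its session table, file names and ACL names are all assumptions. Squid writes one line per lookup to the helper's stdin (an optional concurrency channel id followed by the client IP when the format is %SRC) and expects "OK user=<name>" or "ERR" back; the user= value is what an ext_user ACL then matches. The session table is held in memory here so the script runs offline, where a real captive portal would keep it in its database, and entries carry an expiry so a stale IP-to-user binding is not honoured after the portal session ends.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: map a client IP to a captive-portal user.

Constructed example (not pfSense's check_ip.php). Protocol:
  stdin line : "[channel-id] <src-ip>"       (format %SRC in squid.conf)
  stdout line: "[channel-id] OK user=<name>"  or  "[channel-id] ERR"

Assumed squid.conf wiring (paths and ACL names are placeholders):
  external_acl_type cp_user ttl=60 negative_ttl=10 %SRC /usr/local/bin/cp_check_ip.py
  acl cp_known external cp_user
  acl cp_admin ext_user alice
  http_access allow cp_admin           # the "super user" bypasses the blocks
  http_access deny  !cp_known          # not logged in: proxy denies everything
"""
import sys
import time

# Constructed session table standing in for the captive portal database:
# client IP -> (username or voucher code, session expiry as epoch seconds)
SESSIONS = {
    "192.0.2.10": ("alice", float("inf")),  # assumed: admin, never expires
    "192.0.2.11": ("voucher-7f3a", 0.0),    # assumed: voucher already expired
}


def lookup(ip, sessions=SESSIONS, now=None):
    """Return the Squid reply (without channel id) for one client IP."""
    now = time.time() if now is None else now
    entry = sessions.get(ip)
    if entry is None:
        return "ERR"  # unknown IP: no captive portal login behind it
    user, expires = entry
    if expires <= now:
        return "ERR"  # expired session: do not keep trusting the old binding
    return "OK user=%s" % user


def handle_line(line, sessions=SESSIONS, now=None):
    """Handle one raw request line, preserving a concurrency channel id."""
    fields = line.strip().split()
    if not fields:
        return "ERR"
    channel = None
    # With concurrency=N Squid prefixes each line with a numeric channel id;
    # an IP address is never all digits, so this test cannot misfire on it.
    if len(fields) > 1 and fields[0].isdigit():
        channel = fields.pop(0)
    reply = lookup(fields[0], sessions, now)
    return "%s %s" % (channel, reply) if channel is not None else reply


def main():
    # Squid keeps the helper running and reads replies line by line,
    # so every answer must be flushed immediately.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The weak point of this design is the one the thread hints at with the "first router closest to client" remark: the proxy only ever sees a source IP, so the user identity is only as trustworthy as that IP is unique and unspoofable on the path from the client to Squid. Behind NAT or on a shared host, several people collapse onto one binding, which is why the MAC check sebastian mentions is useful only when Squid sits on the same segment as the clients.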