Author Topic: Can I create specific rules per Active Directory group within the Proxy? (Read 2828 times)

jackc · « **on:** August 09, 2023, 03:57:28 pm »

Good morning,
Can I create specific rules per Active Directory group within the Proxy?

wincent · « **Reply #1 on:** September 07, 2023, 05:08:49 am »

Do you mean to create rules for different users/user groups in AD's group policy?

Amr · « **Reply #2 on:** November 02, 2023, 02:38:28 pm »

Squid proxy can do kerberos authentication, however there's a couple of catches:

Neither squid nor opnsense officially support it(not sure if there's an enterprise plugin for it or not), so you'll need to install custom packages (samba, heimdal-clients\MIT, overwrite your custom changes to squid by using templates to survive updates, join the machine to the domain and get a keytab with HTTP principal, have a second system to test for updates compatibility, Frankly lots of work
you can't run the proxy in transparent mode, you have to configure clients to use the proxy(MITM is PITA anyway)

A possible workaround:

Dynamically assign clients DHCP based on group membership (if your DHCP server supports that, or if you have a NAC), if your environment is small or you can't do DHCP based on Role you can give out static IPs to known clients, and put unknown clients in a separate VLAN/IP range behind a captive portal
Segment your network into VLANs (Guest VLAN, Accounting VLAN, Marketing VLAN, etc) and assign clients to each VLAN based on role/known client mac (static mapping)
From CLI configure squid to have separate ACL for each segment of network/VLAN, Here's a link to get started: https://forum.opnsense.org/index.php?topic=16171