You can populate a local user list from scratch or modify a local user list that was populated by loading an .htpasswd file.
Important: Because the -c option overwrites the existing file, do not use the option if you are adding users to an existing .htpasswd file.
Note: You can also modify the users and groups once they are loaded on the ProxySG. To modify the list once it is on the appliance, see "Populating a Local User List through the ProxySG" on page 162.
Note: To use the set_auth.pl script, you must have Perl binaries on the system where the script is running.
To create a new, empty local user list:
    SGOS#(config) security local-user-list create list_name
To modify an existing local user list (can be empty or contain users):
❐ To enter configuration mode:
    SGOS#(config) security local-user-list edit list_name
    SGOS#(config local-user-list list_name)
❐ The following subcommands are available:
    SGOS#(config local-user-list list_name) group create group1
    SGOS#(config local-user-list list_name) group create group2
    SGOS#(config local-user-list list_name) group create group3
    SGOS#(config local-user-list list_name) user create username
    SGOS#(config local-user-list list_name) user edit username
    SGOS#(config local-user-list list_name username) group add groupname1
    SGOS#(config local-user-list list_name username) group add groupname2
    SGOS#(config local-user-list list_name username) password password
    -or-
    SGOS#(config local-user-list list_name username) hashed-password hashed-password
1. (Optional) The user account is enabled by default. To disable a user account:
    SGOS#(config local-user-list list_name username) disable
    ok
2. Repeat for each user you want added to the list.
To view the results of an individual user account, remain in the user account submode and enter the following command:
    SGOS#(config local-user-list list_name username) view
    admin1
      Hashed Password: $1$TvEzpZE$Z2A/OuJU3w5LnEONDHkmg.
      Enabled: true
      Failed Logins: 6
      Groups: group1
Note: When adding users and groups to a list, create the groups first; a group must exist before you can add it to a user account.
Note: If you enter a plain-text password, the ProxySG hashes the password. If you enter a hashed password, the appliance does not hash it again.
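The procedure above has two ordering rules that are easy to get wrong when scripting a bulk load: groups must be created before any `group add`, and a value given to `hashed-password` is stored as-is, so passing an unrecognised hash string as plain text would make that string the literal password. The following Python script is an added example (it is not Blue Coat's set_auth.pl and not part of this guide) that turns Apache-style `user:hash` (htpasswd) and `group: user1 user2` (htgroup) lines into the CLI command sequence shown above. Both input formats are assumptions about the source files; the sample lines are constructed, reusing the md5-crypt hashes from the view output above. Only `$1$` hashes are emitted, because that is the only hashed form the page shows; any other entry is reported rather than guessed at.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input. The $1$ hashes are the ones shown in the page's
# `view` output; the {SHA} line stands in for a format the script cannot pass through.
HTPASSWD = """\
admin1:$1$TvEzpZE$Z2A/OuJU3w5LnEONDHkmg.
admin2:$1$sKJvNB3r$xsInBU./2hhBz6xDAHpND.
# a comment line, ignored
admin3:$1$duuCUt30$keSdIkZVS4RyFz47G78X20
legacy:{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=
"""
HTGROUP = """\
group1: admin1 admin2
group2: admin2 admin3 ghost
"""

# md5-crypt: "$1$" + salt (up to 8 chars of the crypt alphabet) + "$" + 22-char hash.
MD5_CRYPT = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")


def parse_htpasswd(text: str) -> Dict[str, str]:
    """user:hash lines -> {user: hash}; blank lines and # comments are skipped."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, hashed = line.partition(":")
        users[name.strip()] = hashed.strip()
    return users


def parse_htgroup(text: str) -> Dict[str, List[str]]:
    """group: member member lines -> {group: [members]} (assumed htgroup format)."""
    groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, members = line.partition(":")
        groups[name.strip()] = members.split()
    return groups


def build_commands(list_name: str, htpasswd_text: str,
                   htgroup_text: str) -> Tuple[List[str], List[str]]:
    """Return (commands to type at the config prompt, users skipped).

    Groups are created first because `group add` fails for a group that does
    not exist yet. Users whose hash is not md5-crypt are skipped instead of
    being sent through `password`, which would store the hash text literally.
    """
    users = parse_htpasswd(htpasswd_text)
    groups = parse_htgroup(htgroup_text)
    cmds = [f"security local-user-list edit {list_name}"]
    skipped: List[str] = []
    for group in groups:
        cmds.append(f"group create {group}")
    for user, hashed in users.items():
        if not MD5_CRYPT.match(hashed):
            skipped.append(user)
            continue
        cmds.append(f"user create {user}")
        cmds.append(f"user edit {user}")          # enters the user submode
        cmds.append(f"hashed-password {hashed}")  # stored as-is, not re-hashed
        for group, members in groups.items():
            if user in members:                   # members not in htpasswd are ignored
                cmds.append(f"group add {group}")
        cmds.append("exit")                       # back to the list submode
    cmds.append("exit")
    return cmds, skipped


if __name__ == "__main__":
    commands, skipped_users = build_commands("list20", HTPASSWD, HTGROUP)
    print("\n".join(commands))
    if skipped_users:
        print("# skipped (hash format not md5-crypt):", ", ".join(skipped_users))
```

Run it and paste the output into the (config) prompt, or review the skipped list first: an account that arrives with a non-md5-crypt hash has to be given a new plain-text password rather than pushed through as-is.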
To view the users in the entire list, exit the user account submode and enter:
    SGOS#(config local-user-list list_name username) exit
    SGOS#(config local-user-list list_name) view
    list20
      Lockout parameters:
        Max failed attempts: 60
        Lockout duration: 3600
        Reset interval: 7200
      Users:
        admin1
          Hashed Password: $1$TvEzpZE$Z2A/OuJU3w5LnEONDHkmg.
          Enabled: true
          Groups: group1
        admin2
          Hashed Password: $1$sKJvNB3r$xsInBU./2hhBz6xDAHpND.
          Enabled: true
          Groups: group1 group2
        admin3
          Hashed Password: $1$duuCUt30$keSdIkZVS4RyFz47G78X20
          Enabled: true
          Groups: group2
      Groups: group1 group2
To view all the lists on the ProxySG:
    SGOS#(config) show security local-user-list
    Default List: local_user_database
    Append users loaded from file to default list: false
    local_user_database
      Lockout parameters:
        Max failed attempts: 60
        Lockout duration: 3600
        Reset interval: 7200
      Users:
      Groups:
    test1
      Users:
      Groups:
To delete groups associated with a user:
    SGOS#(config local-user-list list_name username) group remove group_name
To delete users from a list:
    SGOS#(config local-user-list list_name) user delete username
    This will permanently delete the object. Proceed with deletion? (y or n) y
To delete all users from a list:
    SGOS#(config local-user-list list_name) user clear
    ok
The groups remain but have no users.
To delete all groups from a list:
    SGOS#(config local-user-list list_name) group clear
    ok
The users remain but do not belong to any groups.
Enhancing Security Settings for the Local User List
You can configure a local user database so that each user account is automatically disabled if too many failed login attempts occur for the account in too short a period, indicating a brute-force password attack on the ProxySG. The security settings are available through the CLI only.
Available security settings are:
❐ Maximum failed attempts: The maximum number of failed password attempts allowed for an account. When this threshold is reached, the account is disabled (locked). If this is zero, there is no limit. The default is 60 attempts.
❐ Lockout duration: The time after which a locked account is re-enabled. If this is zero, the account does not automatically re-enable, but instead remains locked until manually enabled. The default is 3600 seconds (one hour).
❐ Reset interval: The time after which a failed password count resets after the last failed password attempt. If this is zero, the failed password count resets only when the account is enabled or when its password is changed. The default is 7200 seconds (two hours).
These values are enabled by default on the system for all user account lists. You can change the defaults for each list that exists on the system.
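The interaction of the three settings (and the special meaning of zero for each) is easier to reason about with a model in front of you. The Python below is an added example, not ProxySG code: it implements the documented semantics of max-failed-attempts, lockout-duration and reset-interval for a single account so you can replay a sequence of failed-login timestamps against a candidate triple before committing it to a list. Two details the page leaves open are assumptions, marked in the comments: an automatic re-enable after the lockout duration clears the failed count just as a manual enable does, and failures against an already-locked account do not extend the lock.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass
class LockoutPolicy:
    """Per-list settings; a value of 0 disables the corresponding behaviour."""
    max_failed_attempts: int = 60   # lock after this many failures; 0 = no limit
    lockout_duration: int = 3600    # seconds until auto re-enable; 0 = stay locked
    reset_interval: int = 7200      # quiet seconds before the count resets; 0 = never


@dataclass
class Account:
    """One local user; mirrors the Enabled / Failed Logins fields of `view`."""
    name: str
    enabled: bool = True
    failed_logins: int = 0
    last_failure: Optional[float] = None
    locked_at: Optional[float] = None

    def enable(self) -> None:
        """Manual enable; per the page this also resets the failed count."""
        self.enabled = True
        self.failed_logins = 0
        self.locked_at = None

    def _expire_lock(self, now: float, policy: LockoutPolicy) -> None:
        # Auto re-enable once lockout_duration has elapsed. Assumption: this
        # clears the counter like a manual enable, otherwise the very next
        # failure would re-lock the account.
        if (not self.enabled and self.locked_at is not None
                and policy.lockout_duration
                and now - self.locked_at >= policy.lockout_duration):
            self.enable()

    def is_enabled(self, now: float, policy: LockoutPolicy) -> bool:
        self._expire_lock(now, policy)
        return self.enabled

    def record_failure(self, now: float, policy: LockoutPolicy) -> None:
        """Apply one failed password attempt at time `now` (seconds)."""
        self._expire_lock(now, policy)
        if not self.enabled:
            return  # assumption: failures while locked do not extend the lock
        # Reset interval: a gap longer than the interval since the last failure
        # starts the count over before this failure is counted.
        if (policy.reset_interval and self.last_failure is not None
                and now - self.last_failure > policy.reset_interval):
            self.failed_logins = 0
        self.failed_logins += 1
        self.last_failure = now
        if policy.max_failed_attempts and self.failed_logins >= policy.max_failed_attempts:
            self.enabled = False
            self.locked_at = now


def simulate(policy: LockoutPolicy, failure_times: Iterable[float],
             check_time: float) -> Tuple[bool, int]:
    """Replay failures against a fresh account; return (enabled, failed_logins) at check_time."""
    acct = Account("admin1")
    for t in failure_times:
        acct.record_failure(t, policy)
    return acct.is_enabled(check_time, policy), acct.failed_logins


if __name__ == "__main__":
    # Constructed scenario: three quick failures against a tight policy.
    policy = LockoutPolicy(max_failed_attempts=3, lockout_duration=60, reset_interval=10)
    for check in (5, 61):
        enabled, count = simulate(policy, [0, 1, 2], check)
        print(f"t={check:>3}s enabled={enabled} failed_logins={count}")
```

Setting max-failed-attempts to 0 removes the lockout entirely, and setting lockout-duration to 0 turns a lock into something only `enable` clears; the model makes both visible before you change a production list.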
To change the security settings for a specific user account list:
1. Enter the following commands from the (config) prompt:
    SGOS#(config) security local-user-list edit list_name
    SGOS#(config local-user-list list_name) lockout-duration seconds
    SGOS#(config local-user-list list_name) max-failed-attempts attempts
    SGOS#(config local-user-list list_name) reset-interval seconds
2. (Optional) View the settings:
    SGOS#(config local-user-list list_name) view
    listname
      Lockout parameters:
        Max failed attempts: 45
        Lockout duration: 3600
        Reset interval: 0
3. (Optional) To disable any of these settings:
SGOS#(config local-user-list list_name) no [lockout-duration | max-
Creating the CPL
Be aware that the examples below are just part of a comprehensive authentication policy. By themselves, they are not adequate for your purposes. (The default policy in these examples is deny.)
❐ Every Local-authenticated user is allowed access to the ProxySG.
    <Proxy>
        authenticate(LocalRealm)
❐ Group membership is the determining factor in granting access to the ProxySG.
    <Proxy>
        authenticate(LocalRealm)
    <Proxy>
        group="group1" allow
❐ A subnet definition determines the members of a group, in this case, members of the Human Resources department.
    <Proxy>
        authenticate(LocalRealm)
    <Proxy>
    Define subnet HRSubnet
        192.168.0.0/16
        10.0.0.0/24
    End subnet HRSubnet
    [Rule] client_address=HRSubnet
        url.domain=monster.com
        url.domain=hotjobs.com
        deny
    . . .
    [Rule]
        deny
Note: Refer to Volume 11: ProxySG Content Policy Language Guide for details about CPL and how transactions trigger the evaluation of policy file layers.
This chapter discusses Policy Substitution realms, which provide a mechanism for identifying and authorizing users based on information in the request to the ProxySG.
Topics in this Chapter
This chapter includes information about the following topics:
❐ "About Policy Substitution Realms"
❐ "Creating a Policy Substitution Realm" on page 170
❐ "Configuring User Information" on page 171
❐ "Creating a List of Users to Ignore" on page 173
❐ "Configuring Authorization" on page 174
❐ "Defining Policy Substitution Realm General Properties" on page 174