The Policy Substitution realm is typically used for best-effort user discovery, mainly for logging and subsequent reporting purposes, without the need to authenticate the user. Be aware that if you use Policy Substitution realms to enforce granular per-user policy, the result is not very secure, because the information used to identify the user can be forged.
The realm uses information in the request and about the client to identify the user. The realm is configured to construct user identity information by using policy substitutions.
If authorization data (such as group membership) is required, configure the realm with the name of an associated authorization realm (such as LDAP or local). If an authorization realm is configured, the fully qualified username is sent to the authorization realm's authority to collect authorization data. Policy Substitution realms can be used in many situations. For example, a Policy Substitution realm can be configured to identify the user:
❐ based on the results of a NetBIOS over TCP/IP query to the client computer.
❐ based on the results of a reverse DNS lookup of the client computer's IP address.
❐ based on the contents of a header in the request. This might be used when a downstream device is authenticating the user.
The realm is configured the same way as other realms, except that the realm uses policy substitutions to construct the username and full username from information available in and about the request. Any policy substitution whose value is available at client logon can be used to provide information for the name. The Policy Substitution realm, in addition to allowing you to create and manipulate realm properties (such as the name of the realm and the number of seconds that credential cache entries from this realm are valid), also contains attributes to determine the user's identity. The user's identity can be determined by explicitly defining the usernames or by searching an LDAP server. The following two fields are used to determine the user's identity by definition:
❐ A user field: A string containing policy substitutions that describes how to construct the simple username.
❐ A full username field: A string containing policy substitutions that describes how to construct the full username, which is used for authorization realm lookups. This can either be an LDAP FQDN when the authorization realm is an LDAP realm, or a simple name when local realms are being used for authorization.
If no policy substitutions exist that map directly to the user's simple and full usernames but there are substitutions that map to attributes on the user on the LDAP server, the user's identity can be determined by searching the LDAP server. The following fields are used to determine the user's identity by LDAP search:
❐ LDAP search realm: The LDAP realm on the ProxySG that corresponds to the LDAP server where the user resides.
❐ Search filter: An LDAP search filter as defined in RFC 2254 to be used in the LDAP search operation. Similar to the explicitly defined username and full username fields, the search filter string can contain policy substitutions that are available based on the user's request. The search filter string must be escaped according to RFC 2254. The policy substitution modifier escape_ldap_filter is recommended for use with any policy substitution that could contain characters that need to be escaped; it escapes the policy substitution value per RFC 2254.
Note: The user field and username field must include at least one substitution that successfully evaluates in order for the user to be considered authenticated.
Note: The search filter must include at least one substitution that successfully evaluates before the LDAP search will be issued and the user authenticated.
❐ User attribute: The attribute on the search result entry that corresponds to the user's full username. If the search result entry is a user entry, the attribute is usually the FQDN of that entry. The user's full username is the value of the specified attribute. If the attribute value is an FQDN, the user's simple username is the value of the first attribute in the FQDN. If the attribute value is not an FQDN, the simple username is the same as the full username.
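The following is an added illustration, not ProxySG code or configuration, of the three rules above: RFC 2254 escaping of substituted values, the requirement that at least one substitution evaluate before a search is issued, and the derivation of the simple username from the user attribute. The `$(name|modifier)` placeholder syntax, the `request.header.X-User` substitution name, and the reading of the page's "FQDN" as an LDAP distinguished name are assumptions made for this example.

```python
import re
from typing import Dict, Optional

# RFC 2254 escaping: the characters *, (, ), \ and NUL inside a filter value are
# replaced by a backslash followed by the two-digit hex code of the byte.
_RFC2254_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}


def escape_ldap_filter(value: str) -> str:
    """Return value escaped so the LDAP server treats it as a literal string."""
    return "".join(_RFC2254_ESCAPES.get(ch, ch) for ch in value)


# Assumed placeholder syntax for this example: $(name) or $(name|modifier).
_SUBST = re.compile(r"\$\((?P<name>[^)|]+)(?:\|(?P<mod>[^)]+))?\)")


def build_search_filter(template: str, available: Dict[str, str]) -> Optional[str]:
    """Expand substitutions in a search filter template.

    Substitutions whose value is not available expand to nothing. If no
    substitution evaluates successfully, return None: per the page, the LDAP
    search is then not issued and the user is not authenticated.
    """
    evaluated = 0

    def repl(m: "re.Match[str]") -> str:
        nonlocal evaluated
        value = available.get(m.group("name"))
        if value is None:
            return ""
        evaluated += 1
        if m.group("mod") == "escape_ldap_filter":
            value = escape_ldap_filter(value)
        return value  # no modifier: the raw (possibly forged) value is inserted

    result = _SUBST.sub(repl, template)
    return result if evaluated else None


def simple_username_from_attribute(full_username: str) -> str:
    """Derive the simple username from the user attribute value.

    If the value is a DN (assumed form "attr=value,..."), the simple username is
    the value of its first attribute; otherwise it equals the full username.
    """
    first = full_username.split(",", 1)[0]
    if "=" in first:
        return first.split("=", 1)[1].strip()
    return full_username
```

With a constructed header value of `Smith (Sales)*`, the escaped filter keeps the parentheses and asterisk as literal characters, while the unescaped form changes the structure of the filter.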
Remember that Policy Substitution realms do not require an authorization realm. If no authorization realm is configured, the user is not a member of any group. The effect this has on the user depends on the authorization policy. If the policy does not make any decisions based on groups, you do not need to specify an authorization realm. Also, if your policy is such that it works as desired when all Policy Substitution realm users are not in any group, you do not have to specify an authorization realm.
After the Policy Substitution realm is configured, you must create policy to authenticate the user.
Example
The following is an example of how to use substitutions with Policy Substitution realms.