Guest authentication policy configuration on an Edge SWG (ProxySG)
search cancel

Guest authentication policy configuration on an Edge SWG (ProxySG)

book

Article ID: 165597

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

How is guest authentication configured?
How are non-domain workstations allowed access to the Internet while authenticating domain computers?
The Edge SWG (ProxySG) appliance has transparent authentication configured for users who authenticate to the Windows Active Directory. When a user who does not have rights on the domain visits the office, it is desirable to provide them with access to Internet resources without configuring a user account for them on the domain.

Resolution

When setting up guest Authentication policy there are a couple of things that will need to be determined:

  • When guest access is permitted. In most cases, guests are only allowed if it does not require them to be authenticated.
  • Will the realms attempt to authenticate users first and fall back to guest authentication, or authenticate users as guest users without attempting authentication?

 

  1. Configure an IWA realm in the Edge SWG (ProxySG) appliance Management Console (https://<proxysg_host>:8082/ ) as per the Configuration and Management Guide for the version of SGOS being used.  The following articles will help with this.
    Setting Up IWA Direct Authentication On Edge SWG (ProxySG)
    Setting Up IWA BCAAA On Edge SWG (ProxySG)
  2. Click Configuration > Policy > Visual Policy Manager > Launch
  3. In the Visual Policy Manager, click Policy > Add Web Authentication Layer...
  4. Define a new rule with the Source and Destination set to 'Any'.  Set the Action to be a 'Combined Action Object' consisting of:
    • an 'Authenticate' object with the authentication mode of your choice, appropriate to your deployment (eg, proxy-ip, origin-ip-redirect or origin-cookie redirect).
    • a 'Permit Authentication Errors' object, with 'All Except User Credentials Required" selected, and "invalid_surrogate" deselected (if applicable; see Why do valid users get logged as guest on ProxySG; (invalid_surrogate)?).

  5. Configure a second Web Authentication Layer (using step 3 above as a template), labeled 'Guest authentication' and configure a rule in this layer as follows:

    • DO NOT define an authentication mode here.  Doing so will cause policy not to install. 
    • Define a guest userid.  This is how user requests that match this policy will appear in access logs.  This guest account does not have any correlation to accounts configured in the Windows Active Directory.
    • Set the Action in this rule to an 'Authenticate Guest Object', with the IWA realm set in the Guest Realm config portion.
    • Set the Source to 'Any User Authentication Errors'.

  6. Ensure policy ordering matches with policy best practices. With regard to these two authentication layers, position the Web authentication layer first and then to its right, the guest authentication layer. 

** As a further recommendation, web access layer rules can be defined with a source of 'guest user'.  This can allow a proxy administrator to craft rules to define where a guest user is permitted to go, while still permitting standard levels of access for all authenticated users.

 

Note: If a transaction matches both a regular authentication action and guest authentication action, the appliance attempts regular authentication first. This can result in a user challenge before failing over to guest authentication. If a user enters invalid credentials and is thus allowed guest access, they must log out as guest or close and reopen the browser if using session cookies or connection surrogates. They can then enter the correct credentials to obtain regular access.

Powered by Wolken Software