If I create a realm and turn BASIC, NTLM and KERBEROS on, is there a way in CPL or VPM to limit which of these methods can be used based on source IP or destination URL/category?
For example, can rules be created in an auth layer that say, "If these sources, allow BASIC" in rule 1, and then in rule 2 have a default, "if any other source, use NTLM and KERBEROS only"?
Release : 7.3.7.1
Component : Default-Sym
The authenticate object can only specify a realm; it cannot specify an authentication method.
Instead, create multiple realms with the same domain but with different authentication methods enabled.
For example:
realm1
  name: IWAdirect1; domain: mydomain; allow basic, ntlm, kerberos
realm2
  name: IWAdirect2; domain: mydomain; allow basic
In the policy (within the same layer, once rule 1 matches, rule 2 is not evaluated, so order the rules in a layer from more specific to more generic):
rule 1 (allow basic only)
  if source1, authenticate(IWAdirect2)
rule 2
  any source, authenticate(IWAdirect1)
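The two rules above written out as CPL, as an added example that is not part of the original article. The realm names come from the article; the subnet name basic_only_clients and the address range 192.0.2.0/24 are constructed placeholders standing in for "source1".

```cpl
; Added example, not from the original article.
; basic_only_clients and 192.0.2.0/24 are constructed placeholders
; for "source1"; replace them with the real client addresses.
define subnet basic_only_clients
    192.0.2.0/24
end

<Proxy>
    ; Rule 1 (more specific): these sources authenticate against
    ; IWAdirect2, the realm with only Basic enabled.
    client.address=basic_only_clients authenticate(IWAdirect2)
    ; Rule 2 (default): any other source authenticates against IWAdirect1.
    authenticate(IWAdirect1)
```

The methods offered to each group of clients are whatever is enabled on the realm its rule names, so a source that must never be offered Basic needs to land on a realm where Basic is disabled.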