Configuring local realm Authentication for management console access on ProxySG


Article ID: 165595


Updated On:

Products

ProxySG Software - SGOS Advanced Secure Gateway Software - ASG

Issue/Introduction

Sample instructions to set up a local realm with users and user groups, assigning one group read/write access and the other read-only access.

Resolution

This article shows how to configure a local access policy for the management console via the VPM. The sample configuration used in this document is built up in the steps below.

Local users and groups must be created through the command line interface (CLI):


1. Log in to the ProxySG via SSH and enter enable mode:

sg>

sg>en

Enable Password:

sg#


2. Create a new user list, which is where users' usernames, passwords, and group memberships will be stored:

sg# conf t

Enter configuration commands, one per line.  End with CTRL-Z.

sg#(config) security local-user-list create sgusers

sg#(config) security local-user-list edit sgusers


3. Create the two user groups in the user list:

sg#(config local-user-list sgusers) group create sgadmins

sg#(config local-user-list sgusers) group create sgtechs


4. Create the two admin users, then set their password and group membership:

sg#(config local-user-list sgusers) user create admin1

sg#(config local-user-list sgusers) user create admin2

sg#(config local-user-list sgusers) user edit admin1

sg#(config local-user-list sgusers admin1) password adminsys1

sg#(config local-user-list sgusers admin1) group add sgadmins

sg#(config local-user-list sgusers admin1) exit

sg#(config local-user-list sgusers) user edit admin2

sg#(config local-user-list sgusers admin2) password adminsys2

sg#(config local-user-list sgusers admin2) group add sgadmins

sg#(config local-user-list sgusers admin2) exit


5. Create the two tech users, then set their password and group membership:

sg#(config local-user-list sgusers) user create tech1

sg#(config local-user-list sgusers) user create tech2

sg#(config local-user-list sgusers) user edit tech1

sg#(config local-user-list sgusers tech1) password teksys1

sg#(config local-user-list sgusers tech1) group add sgtechs

sg#(config local-user-list sgusers tech1) exit

sg#(config local-user-list sgusers) user edit tech2

sg#(config local-user-list sgusers tech2) password teksys2

sg#(config local-user-list sgusers tech2) group add sgtechs

sg#(config local-user-list sgusers tech2) exit


6. Confirm that the users were added correctly by reviewing the local realm user list (the list name must match the one created in step 2, sgusers):

sg#(config local-user-list sgusers) view

7. Exit the user list:

sg#(config local-user-list sgusers) exit

8. Create the local realm and attach the user list to it (again, the list name must match the one created in step 2):

sg#(config) security local create-realm localsgrealm

sg#(config) security local edit-realm localsgrealm

sg#(config local localsgrealm) local-user-list sgusers

sg#(config local localsgrealm) exit


9. You have finished the CLI portion of setting up the local realm; exit the CLI completely.

sg#(config) exit

sg# exit

10. Log in to the ProxySG Management Console as the admin user and confirm that the local realm is present, go to:

                Configuration > Authentication > Local

                Local Realms should list the local realm created through the CLI: localsgrealm

11. Confirm the user list was attached to the realm by clicking on the Local Main tab.

 

12. Create two rules, one for each group by going into the Visual Policy Manager:

        Configuration > Policy > Visual Policy Manager

Add a new Admin Access Layer:

                Right click on Source > Select Set > New > Group…

                Enter the name of the administrators group (sgadmins)

Then press OK.

Note: you will not be able to browse the realm to choose a group; the group name has to be entered manually and must match one of the groups created through the CLI in the previous steps.

13. Tell the rule what level of access that group will have:

                Right click on the Action column and select "Allow Read/Write Access"

                OK

14. Repeat the same process for the sgtechs group; for this example, this group will have read-only access.

       Now the Admin Access Layer should look like this:

15. Next add a new Admin Authentication Layer.

16. If you want to limit access to the ProxySG Management Console to a specific IP address, subnet or hostname:

Right click on source > Set > New

Client IP/Subnet

IP Address 10.10.10.10 (example only)

Subnet mask: 255.255.255.255 (example only)

Close > OK

17. Next, require authentication to the local realm created through the CLI:

Right click on Action > Set > New > Authenticate

                The realm created through the CLI should be available from the pulldown list

OK > OK

18. The Authentication Layer should look like this now:

19. Click on Install Policy; the policy should install successfully with no warnings.

20. Test the setup:

Log out of the Management Console and log in again; at the pop-up login prompt enter one of the tech logins to test read-only access.

To confirm this user only has read access, try making a change to any of the proxy settings, for example:

Configuration > General > Identification

Change the appliance name to something else and notice that the Apply button is grayed out and cannot be used.
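The two VPM layers built in steps 12 to 18 compile to Content Policy Language (CPL). The fragment below is an added illustration, not part of the original article, showing the same policy as it could be written in the local policy file; it assumes the <Admin> layer syntax of the SGOS CPL reference (authenticate(), allow_read_write, allow_read_only, client.address=), which should be checked against the reference for your SGOS version, and it reuses the article's example address 10.10.10.10.

```cpl
; Admin Authentication layer (steps 15-17): the management host from step 16
; must authenticate against the local realm created in step 8.
<Admin>
    client.address=10.10.10.10 authenticate(localsgrealm)

; Admin Access layer (steps 12-14): map each CLI-created group to its privilege level.
; Group names must match the groups created in step 3 exactly.
<Admin>
    group=sgadmins allow_read_write
    group=sgtechs  allow_read_only
```

Layer order matters: the authentication layer must come before the access layer so that the group= conditions are evaluated against an authenticated user. Verify the read/write account from a second session before closing the one used to install the policy.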
