Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
597
Views
0
Helpful
1
Replies

Blocking Certain Authenticated Users (Privileged) From The Internet

Go to solution
bernard.f.bryant
Level 1
Level 1

‎02-10-2017 11:14 AM

Is it possible to develop rules within a WSA to block authenticated privileged users from accessing the Internet?  A network engineer believes that the previous security team had this working in the past (over two years ago), but none of the team remain in the organization.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ana Peric
Cisco Employee
Cisco Employee

‎02-14-2017 03:34 AM

Hi Bernard,

The question here is: how do you define "Authenticated privileged users"?

In general, let us assume we are forcing authentication (thus you have Authentication-based Identification Policy).

If you create new AD group that will contain "all the authenticated users that you wish to block", you can easily make the access policy to:

- Use authentication identity

- Match your AD group of "blocked.users

- Access policy will in essence "Block all protocols" and show the EUN page

I hope this is what you had in mind, if not, please clarify what type of users you want to block, but in essence logic would be the same.

Cheers,
Ana

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Ana Peric
Cisco Employee
Cisco Employee

‎02-14-2017 03:34 AM

Hi Bernard,

The question here is: how do you define "Authenticated privileged users"?

In general, let us assume we are forcing authentication (thus you have Authentication-based Identification Policy).

If you create new AD group that will contain "all the authenticated users that you wish to block", you can easily make the access policy to:

- Use authentication identity

- Match your AD group of "blocked.users

- Access policy will in essence "Block all protocols" and show the EUN page

I hope this is what you had in mind, if not, please clarify what type of users you want to block, but in essence logic would be the same.

Cheers,
Ana

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents