Firewall Wizards mailing list archives

Auth + content filtering?


From: Tamas FORJAN <tamas () 2fkft com>
Date: Sun, 17 Feb 2002 23:27:22 +0100

Hello,

I would like to know whether you know a way to implement HTTP file access
control based on file extensions and authentication.

Basically, what I would like to do is to set up different user groups for
different kinds of file access. Not everybody should be able to access MP3
files, WMA files and such. My idea is to set up groups for those people who
need access to these 'privileged' file types.

What I tried already was to set up resources to filter content, along with
partially automatic client auth. My rulebase looked like the following:

Src                   Dst     Srv             Act
PrivUsers@InternalNet Any     http            ClientAuth
Any                   Any     http->mp3filter Reject
MP3Users@InternalNet  Any     http            ClientAuth

The result of the above is that PrivUsers can properly authenticate and have
access, but no users in the MP3Users group can authenticate at all. They
receive 3 different authentication windows from their browser, but at the
end, they receive the following error:

Error 401
FW-1 at wreport: Unauthorized to access the document.
Authorization is needed for FW-1.
The authentication required by FW-1 for tforjan is: unknown.
Reason for failure of last attempt:

What worries me is the 'authentication required by FW-1 for tforjan is:
unknown.' clause, because this user has a defined authentication scheme:
FireWall-1 Password.

No matter how many rules you set up, only the first authentication rule will
allow successful authentication. All the others will fail with the above
message.

Do you have any idea why?

Do you have any idea how to implement the desired functionality in any other
way?

Environment: Nokia IP440, IPSO 3.4.2, CP NG FP1.

Thank you.

--
FORJAN Tamas
Technical Support
2F 2000 Szamitastechnikai es Szolgaltato Kft.
http://www.2f.hu/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

