Chapter 3: Condition Reference
Applies to proxy and administrator transactions.
This condition cannot be combined with the authenticate( ), proxy_authentication( ), or
socks.authenticate( ) properties.
Examples
; Test if user is authenticated in group all_staff and specified realm.
realm=corp group=all_staff
; This example shows sample group tests for each type of realm. It does
; this by creating a condition in CPL that treats a group of administrators in
; each realm as equivalent, granting them permission to administer the Security
; Appliance. Recall that the <Admin> layer uses a whitelist model by default.
define condition RW_Admin
realm=LocalRealm group=RWAdmin
realm=NTLMRealm group=xyz-domain\cache_admin
realm=LDAPRealm group="cn=cache_admin, ou=groups, o=xyz"
; The RADIUSRealm uses attributes, and this can be expressed as follows:
realm=RADIUSRealm attribute.ServiceType=8
end condition RW_Admin
<admin>
client.address=10.10.1.250/28 authenticate(LocalRealm)
client.address=10.10.1.0/24 authenticate(NTLMRealm)
client.address=10.10.2.0/24 authenticate(LDAPRealm)
client.address=10.10.3.0/24 authenticate(RADIUSRealm)
<admin>
allow condition=RW_Admin admin.access=(READ||WRITE)
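The restriction stated above (group= cannot share a rule with authenticate( ), proxy_authentication( ), or socks.authenticate( )) can be checked before policy is installed. The following Python lint is an added example, not part of the product documentation; the sample policy, its realm and group names, and the treatment of a trailing backslash as line continuation are assumptions.

```python
import re

# Properties that, per the text above, cannot share a rule with group=.
AUTH_PROPS = re.compile(
    r"(?<![\w.])(authenticate|proxy_authentication|socks\.authenticate)\s*\(")
GROUP_COND = re.compile(r"(?<![\w.])group\s*=")
QUOTED = re.compile(r'"[^"]*"')

def logical_lines(cpl_text):
    """Yield (first_line_number, text); a trailing backslash joins lines (assumed)."""
    buf, start = "", None
    for number, raw in enumerate(cpl_text.splitlines(), start=1):
        start = number if start is None else start
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        yield start, buf + stripped
        buf, start = "", None

def find_conflicts(cpl_text):
    """Return [(line_number, rule)] for rules mixing group= with AUTH_PROPS."""
    conflicts = []
    for number, text in logical_lines(cpl_text):
        # Blank quoted values so a group name is not read as policy, then drop ';' comments.
        rule = QUOTED.sub('""', text).split(";", 1)[0].strip()
        if not rule or rule.startswith("<"):
            continue  # blank, comment-only, or layer header
        if GROUP_COND.search(rule) and AUTH_PROPS.search(rule):
            conflicts.append((number, " ".join(text.split())))
    return conflicts

# Constructed sample policy (realm and group names are placeholders).
SAMPLE = r'''
<Proxy>
  authenticate(corp)
<Proxy>
  allow realm=corp group=all_staff
<Proxy>
  realm=corp group=all_staff authenticate(corp)
<Proxy>
  group="cn=staff, ou=groups, o=xyz" \
    socks.authenticate(corp)
'''

if __name__ == "__main__":
    for number, rule in find_conflicts(SAMPLE):
        print(f"line {number}: group= combined with authentication: {rule}")
```

The first two layers of the sample follow the pattern used in the examples above: authentication is requested in one layer and group= is tested in a later one, so they are not flagged.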
See Also
• Conditions: attribute.name=, authenticated=, has_attribute.name=,
http.transparent_authentication=, realm=, user=, user.domain=
• Properties: authenticate( ), authenticate.force( ), check_authorization( ),
socks.authenticate( ), socks.authenticate.force( )