Good one!
I'll test it specifically, but I think the logic would be:
Since the source IP is matched in the Client Address Set, user authentication is unnecessary, saving processing time.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: <Thor@xxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, March 12, 2002 6:44 AM
Subject: [isalist] Firewall Service Authentication

Since Tom said I had the hardest questions at Blackhat, I feel like I have to ensure that they are all difficult ;)

To that end, I pose the following question:

Let's say you have a protocol rule to allow IP based on a client address set (IP address), and another identical protocol rule that is based on user/group. If a user meets both criteria, i.e., is in the client address set and is also a member of the group-based rule, which rule is used?

AD