topic Any type of agent/client that makes end users authenticate? in Web Security

Any type of agent/client that makes end users authenticate?

Jtruxton_ironport — Wed, 29 Apr 2009 22:07:39 GMT

We are using transparent domain authentication, so the user credentials are passed through to authenticate/log/report the end users web activity. Problem is, we have a couple generic accounts on some of the multi-user PCs (500+ hosts) for our nurses to use, so that they don't have to windows login everyt time they need to document something, the PC is just left logged in (restricted and locked down, of course)

We need to be able to report on those staff members though, and we can't remove internet access, and we can't force them to windows login as themself (corporate policy, they say it takes to long)

So, the question is, is there a software client that will prompt the generic machines to log into ironport when they try to access internet resources? We still want to maintain the pass-thru authentication for everyone else, just make it prompt for the machines that are logged in as a generic user. It would be WAY simpler to deploy a client software them manually reconfigure every one of those network ports to a separate VLAN/Subnet.

Any other ways to make this happen?

Thanks in advance for your good news 🙂

Re: Any type of agent/client that makes end users authenticate?

jowolfer — Thu, 30 Apr 2009 22:52:21 GMT

From the WSA perspective, the only way to differentiate these shared computers vs. the regular users, is via subnet / IP.

They wouldn't necessarily have to all be assigned to a new subnet, they'd just need static IPs.

You can enter all of the IPs into a custom identity that uses basic credentials (NTLM basic or LDAP).

There is no proxy client software that we can provide.

Dang, i was afraid of that

Jtruxton_ironport — Thu, 30 Apr 2009 23:32:47 GMT

I guess we will set up a different VLAN for our regular users and then set our filters up. Thank you for your reply...

Re: Any type of agent/client that makes end users authenticate?

David Paschich — Fri, 01 May 2009 00:42:01 GMT

We are very close to releasing the 6.0 version of the WSA code, which has a feature called "re-authentication" which may help in your case.

Basically, you set up the generic accounts that these workstations are logged into Windows as to have no web privileges. With the new feature, the "block" page from the WSA will have a button the user can push to provide their authentication credentials directly in the browser. We designed it in response to some of our other health care customers who have almost exactly your requirements. Best part - no client software needed!

how close is very close?

Jtruxton_ironport — Fri, 01 May 2009 00:58:44 GMT

Like next month? next 3 months? it sounds perfect and no work on my part other than the upgrade, I think I can handle that 😄

Re: Any type of agent/client that makes end users authenticate?

jowolfer — Fri, 01 May 2009 22:09:19 GMT

Ah! Yeah, the re-auth should work rather nicely in your case!

6.0 is scheduled for release in, oh... 4 days, but don't quote me on that 😃

It's an unofficial ETA, but we expect it to be release in the very near near future.

Just downloaded it

Jtruxton_ironport — Wed, 06 May 2009 03:37:17 GMT

I just acquired teh update, and I think this will work just fine 🙂 I will have to do some testing of course, but it looks perfect.

works....but here is a question

Jtruxton_ironport — Thu, 14 May 2009 04:18:17 GMT

The button to reauthenticate is working very well, and we have our SSO working so it clicks that button and signs in for them.

Now, the question is, can we change the text on the notification page so that our nurses wont be confused where it says "This Page Cannot Be Displayed"

Is there anyway to edit that page? I believe it is automatically generated, I am thinking if there is a path to that template, i could maybe edit it directly?

OR, we could link to a custom page, but how would we get the reauthentication button? Is there a direct link to call the login box? It looks like the URL it calls is different everytime...

Re: Any type of agent/client that makes end users authenticate?

jowolfer — Mon, 18 May 2009 22:49:14 GMT

Jtruxton,

You can combine the custom EUN pages with re-authentication. Please see page 244 in the 6.0 User Guide for how to enable custom EUN pages.

The values for enabling reauth in a custom page is %r and %R. Please see the code below for an example:

I can't seem to get this forum page to display code without messing it up...

If you send me an email to josh @@ ironport .. com I'll send you sample code which works.

This will present a generic button for re-auth. Note that in order for this to be displayed, re-auth will need to be enabled from the authentication settings.

Re: Any type of agent/client that makes end users authenticate?

Jtruxton_ironport — Tue, 19 May 2009 00:40:57 GMT

Hi Josh, I sent you an email, i was reading the manual there but it didn't make much sense to me... Hoping you can help with a snippet of code 😄

Re: Any type of agent/client that makes end users authenticate?

JennieMorton — Thu, 21 May 2009 05:42:00 GMT

Hi Josh, I sent you an email, i was reading the manual there but it didn't make much sense to me...  Hoping you can help with a snippet of code   😄

I'm sorry the WSA User Guide didn't help much. The piece of code Josh sent you will be included in the WSA User Guide for the next release.

Re: Any type of agent/client that makes end users authenticate?

jowolfer — Thu, 21 May 2009 22:07:29 GMT

I did not receive your email for some reason. Please try sending another one to me.

Re: Any type of agent/client that makes end users authenticate?

Jtruxton_ironport — Thu, 21 May 2009 22:22:20 GMT

Hi Josh, not sure why that email didn't work.. Anyhow, I did get a reply to my case from a fellow name Madhura, and it detailed teh correct code snippet, I am putting it inot the page now to see if this will get it to work as we hope. Thanks for all your time, I am optimistic that this will solve the issue we are having.

Re: Any type of agent/client that makes end users authenticate?

Jtruxton_ironport — Wed, 27 May 2009 01:57:37 GMT

This solution worked, we are getting ready to deploy, thank you for your time 🙂

Re: Any type of agent/client that makes end users authenticate?

jowolfer — Wed, 27 May 2009 22:10:10 GMT

Great!

Re: Any type of agent/client that makes end users authenticate?

Jtruxton_ironport — Fri, 29 May 2009 02:41:43 GMT

OK, soooo...... I didn't care about this new twist personally, but the boss wanted to find out if this could be done. The issue, when our end users click the button to reauthenticate for a website that we very specifically block (example: facebook.com) it brings the login prompt back up, 4 times, before teh user gets the denied page. Is there a way to limit how many times the user is prompted for differnt credentials? I figure it might be based on the limit of failed attempts to the domain, but I could be wrong. Anyhow... what do you think? 🙂

Thanks!