04-29-2009 03:07 PM
We are using transparent domain authentication, so the user credentials are passed through to authenticate/log/report the end users' web activity. Problem is, we have a couple generic accounts on some of the multi-user PCs (500+ hosts) for our nurses to use, so that they don't have to Windows login every time they need to document something; the PC is just left logged in (restricted and locked down, of course).
We need to be able to report on those staff members though, and we can't remove internet access, and we can't force them to Windows login as themselves (corporate policy, they say it takes too long).
So, the question is, is there a software client that will prompt the generic machines to log into ironport when they try to access internet resources? We still want to maintain the pass-thru authentication for everyone else, just make it prompt for the machines that are logged in as a generic user. It would be WAY simpler to deploy a client software than manually reconfigure every one of those network ports to a separate VLAN/Subnet.
Any other ways to make this happen?
Thanks in advance for your good news :)
04-30-2009 03:52 PM
From the WSA perspective, the only way to differentiate these shared computers vs. the regular users, is via subnet / IP.
They wouldn't necessarily have to all be assigned to a new subnet, they'd just need static IPs.
You can enter all of the IPs into a custom identity that uses basic credentials (NTLM basic or LDAP).
There is no proxy client software that we can provide.
04-30-2009 04:32 PM
I guess we will set up a different VLAN for our regular users and then set our filters up. Thank you for your reply...
04-30-2009 05:42 PM
We are very close to releasing the 6.0 version of the WSA code, which has a feature called "re-authentication" which may help in your case.
Basically, you set up the generic accounts that these workstations are logged into Windows as to have no web privileges. With the new feature, the "block" page from the WSA will have a button the user can push to provide their authentication credentials directly in the browser. We designed it in response to some of our other health care customers who have almost exactly your requirements. Best part - no client software needed!
04-30-2009 05:58 PM
Like next month? Next 3 months? It sounds perfect and no work on my part other than the upgrade, I think I can handle that :D
05-01-2009 03:09 PM
Ah! Yeah, the re-auth should work rather nicely in your case!
6.0 is scheduled for release in, oh... 4 days, but don't quote me on that =)
It's an unofficial ETA, but we expect it to be released in the very near future.
05-05-2009 08:37 PM
I just acquired the update, and I think this will work just fine :) I will have to do some testing of course, but it looks perfect.
05-13-2009 09:18 PM
The button to reauthenticate is working very well, and we have our SSO working so it clicks that button and signs in for them.
Now, the question is, can we change the text on the notification page so that our nurses won't be confused where it says "This Page Cannot Be Displayed"?
Is there any way to edit that page? I believe it is automatically generated, I am thinking if there is a path to that template, I could maybe edit it directly?
OR, we could link to a custom page, but how would we get the reauthentication button? Is there a direct link to call the login box? It looks like the URL it calls is different every time...
05-18-2009 03:49 PM
Jtruxton,
You can combine the custom EUN pages with re-authentication. Please see page 244 in the 6.0 User Guide for how to enable custom EUN pages.
The values for enabling reauth in a custom page are %r and %R. Please see the code below for an example:
I can't seem to get this forum page to display code without messing it up...
If you send me an email to josh @@ ironport .. com I'll send you sample code which works.
This will present a generic button for re-auth. Note that in order for this to be displayed, re-auth will need to be enabled from the authentication settings.
05-18-2009 05:40 PM
Hi Josh, I sent you an email, I was reading the manual there but it didn't make much sense to me... Hoping you can help with a snippet of code :D
05-20-2009 10:42 PM
Hi Josh, I sent you an email, I was reading the manual there but it didn't make much sense to me... Hoping you can help with a snippet of code :D
05-21-2009 03:07 PM
I did not receive your email for some reason. Please try sending another one to me.
05-21-2009 03:22 PM
Hi Josh, not sure why that email didn't work.. Anyhow, I did get a reply to my case from a fellow named Madhura, and it detailed the correct code snippet, I am putting it into the page now to see if this will get it to work as we hope. Thanks for all your time, I am optimistic that this will solve the issue we are having.
05-26-2009 06:57 PM
This solution worked, we are getting ready to deploy, thank you for your time :)
05-27-2009 03:10 PM
Great!