03-12-2020 05:35 AM
Hi,
I have a use case where shared computers are distributed through the company floor. These shared computers are "always logged in" with a generic domain account.
We want employees to be able to use the internet on the shared computers by providing their individual domain accounts.
I created a policy to block access to all URLs for the generic domain user. So when an employee opens the browser, they are presented with the block page and the option to "Reauthenticate with a different user".
This works fine if the Identification profile is using IP surrogate, but creates a problem that after that employee leaves the station, their account is still associated with the IP address of that station and a second user could browse with the first user's identity.
The solution was to configure "Session Cookie" surrogate for the shared computers. The problem is that with session or persistent cookie surrogate, when the user clicks on "Reauthenticate with different user", then provides the credentials, the browser still uses the cookie with the first (generic) account to authenticate to the proxy, and the connection gets blocked.
Is there any way to use session cookie with the reauthentication feature?
03-12-2020 09:41 AM
Hi,
Try the following:
- use session cookie and have the user close the browser before reauthentication, see if it works
- use persistent cookie and configure the "Surrogate Timeout", have the user just reauthenticate, see if it works
Regards,
Cristian Matei.
03-12-2020 10:04 AM
Thank you for the reply.
When they close the browser with the session cookie, then re-open it, the whole process repeats. They get the "Blocked" page with the button allowing for re-authentication, but when new credentials are provided the browser still sends the previously generated credentials cookie.
With Persistent cookie the behavior is the same, after they get the block page, the browser saves the authentication cookie with the generic user credentials and keeps using it even when a new user authenticates.
03-12-2020 11:55 AM
Hi,
Are you using both IP address and cookie surrogates?
Regards,
Cristian Matei.
03-12-2020 12:11 PM
Only one at a time.
It looks like the solution is to make sure the traffic is decrypted for both the generic user account and the authenticated account. After making this change I'm getting better results.