I have configured Kerberos authentication on my MWG 22.214.171.124.0. I am using NTLM to get group information. I used this guide https://community.mcafee.com/docs/DOC-2682
It works fine with domain computers where users are logged in. But when the computer is not in the domain or it is a Linux workstation, it prompts for a username and password. Entering legitimate credentials doesn't work and it prompts again and again...
With NTLM authentication, entering credentials worked fine.
Where could the problem be?
Or maybe it is possible to turn off prompting for non-domain workstations and just block them for good?
If you have a non-domain machine, it is expected that authentication will fail.
Since they are not on the domain, the machine will not know where the DC (KDC) is, and therefore will not be able to get a ticket.
I would suggest implementing NTLM fallback or try auth.
As I understand it, when MWG asks the workstation for Kerberos authentication, the workstation must communicate with the DC to get some kind of ticket, and with that ticket the workstation can authenticate with MWG, am I right?
I read this discussion https://community.mcafee.com/message/260303 and I used your suggested "true ntlm fallback with kerberos v2" rule set, but I would like to know whether it is possible to turn off prompting for non-domain workstations and just block them?
You can create two rules with the following criteria and action:
- Name: Try Auth for Kerberos
- Criteria: Authentication.Authenticate<Kerberos> AND Authentication.Failed equals false
- Name: Block if failed auth
- Criteria: Authentication.Failed equals true
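As an added example (my own code, not from the thread and not MWG's rule engine), a Python sketch of the two points above: a client's Negotiate header does not guarantee Kerberos, because a host that is not domain-joined can only offer NTLMSSP, and the rule order Jon describes falls back to NTLM and then blocks rather than re-prompting. The token bytes are constructed and the proxy's verdict on each attempt is simulated.

```python
import base64
from dataclasses import dataclass

# Mechanism OIDs as they appear DER-encoded at the front of a GSS-API token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2

# Constructed sample tokens (no real credentials): an NTLM Type 1 message and a
# minimal SPNEGO NegTokenInit offering only the Kerberos mechanism (no mechToken).
NTLM_TYPE1 = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28).decode()
SPNEGO_KRB = base64.b64encode(
    b"\x60\x1b" + SPNEGO_OID + b"\xa0\x11\x30\x0f\xa0\x0d\x30\x0b" + KRB5_OID).decode()


def classify_auth_header(header: str) -> str:
    """Return which mechanism a Proxy-Authorization header really carries.
    'Negotiate' does not imply Kerberos: without a reachable KDC the client
    wraps NTLMSSP instead. Only initial tokens are handled (0x60 leading byte)."""
    scheme, _, token_b64 = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "ntlm":
        return "ntlm"
    if scheme != "negotiate":
        return "other"
    try:
        token = base64.b64decode(token_b64, validate=True)
    except ValueError:
        return "malformed"
    if b"NTLMSSP\x00" in token:          # raw NTLM or NTLM wrapped in SPNEGO
        return "ntlm"
    if token[:1] == b"\x60" and (SPNEGO_OID in token or KRB5_OID in token):
        return "kerberos"
    return "unknown"


@dataclass
class AuthAttempt:
    mechanism: str   # "kerberos" or "ntlm", as classified above
    failed: bool     # the proxy's verdict, i.e. Authentication.Failed


def decide(attempts: list) -> str:
    """Model the rule order from the thread: accept a successful Kerberos
    attempt, otherwise a successful NTLM fallback, and block once the
    fallback has failed too instead of prompting again."""
    if not attempts:
        return "challenge"          # no credentials yet: 407 and prompt once
    for mech in ("kerberos", "ntlm"):
        tries = [a for a in attempts if a.mechanism == mech]
        if tries and not tries[-1].failed:
            return f"allow:{mech}"
    return "block"
```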
Hi Jon and Aurimas,
I have exactly the same scenario to implement: authentication for domain machines as well as Linux and Mac OS.
Personally I wouldn't put in the block rule. It would be good to have Linux and Mac users authenticated and let them access the Internet.
Is there a rule set that can be deployed to authenticate Linux and Mac OS? This would enhance security because usernames are captured and we can keep track of the browsing activity of Linux and Mac users.
I am using the present Kerberos with NTLM fallback rule to track Windows users. It is not helping with Linux and Mac users.
The block rule is optional; it would help to understand whether a user failed authentication or not.
We have Macs here and Kerberos authentication has worked well, assuming that the Mac is joined to the domain.
Good point! But the challenge in my environment is that the Mac PCs are not joined to the domain.
Is there a way to open specific websites for, say, 1 hour only for a specific set of Mac and Linux users? If I understand it right, unless these users are authenticated it can't be achieved. Am I right?
Do you know the best way to get this issue addressed?
Some pointers would help me.
Thanks in advance