jont717

Users stuck in authentication TTL

Web Gateway 7.1.0.2

We use transparent authentication and have our TTL set to 10 hours. So, our users authenticate once in the morning and that is it all day.

If a user signs onto a computer in the morning with one domain account, uses the web, signs out of that computer, then signs into the same computer with another domain name, the first domain name still shows up in the gateway logs for 10 hours.

This causes issues for users with special access to certain sites. If someone logs into their computer first thing in the morning and uses the web, their user name gets stuck in the web gateway all day. The second person to log on the same computer never gets registered and is using the first person's domain name all day.

This seems like a bug to me. This also does not provide accurate logs in the Web Reporter.

Any ideas?

1 Solution

Accepted Solutions
McAfee Employee

Re: Users stuck in authentication TTL

Hi Jon,

This is not a bug, this is expected behavior. To give you a better idea of how the auth server works, see below:

- UserA (10.1.1.10) makes a request to the Web Gateway (over WCCP).

- Web Gateway sees a request from 10.1.1.10; it then checks against its authentication server database to see if there is a valid (time-based) session for that IP.

If 10.1.1.10 has a valid session (session is defined by your TTL value):

     Continue with the username associated with the session and allow the request to continue on to other rules.

Else:

     Authenticate the user and set the session time (this will store the username/IP/"expires-at time" into a database).

Speaking to your example, you may want to decrease the TTL value if the environment has shared workstations.

This is different from direct proxy environments, which use proxy authentication (performs authentication for every new connection).

There is also cookie authentication, which would do what it sounds like you want: the browser would have a cookie stored which would be limited to that user.

Hope this helps, just thought I'd get a quick answer out.

~Jon

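The IP-keyed, time-based session lookup described in the accepted answer, modelled as an added Python example. This is not McAfee Web Gateway code: the Session and AuthServer classes, the TTL values, the request timeline and the authenticate() stand-in for the real NTLM/Kerberos challenge are all constructed here. The "cookie" variant assumes that each Windows account has its own browser profile and therefore its own cookie jar, which is what makes the cookie key per-user rather than per-machine.

```python
"""Model of the time-based, IP-keyed authentication session described in
the accepted answer.  Added illustration, not McAfee Web Gateway code: the
classes, the TTL values, the request timeline and the authenticate()
stand-in are all constructed for the example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

HOUR = 3600.0


@dataclass
class Session:
    user: str
    expires_at: float  # absolute time in seconds; valid while now < expires_at


@dataclass
class AuthServer:
    """Session store keyed by client IP (transparent/WCCP mode) or by a
    browser cookie value (cookie-authentication mode)."""
    ttl: float
    authenticate: Callable[[str], str]  # stand-in for the real NTLM/Kerberos challenge
    sessions: Dict[str, Session] = field(default_factory=dict)

    def resolve(self, key: str, now: float) -> str:
        """Return the username the gateway attributes to a request."""
        s = self.sessions.get(key)
        if s is not None and now < s.expires_at:
            # Valid session: continue with the stored username, no re-auth.
            return s.user
        # No session or expired: authenticate, then store user/key/expires-at.
        user = self.authenticate(key)
        self.sessions[key] = Session(user=user, expires_at=now + self.ttl)
        return user


def shared_workstation_scenario(ttl_hours: float, key_by: str) -> List[str]:
    """Replay the thread's example on one shared PC (10.1.1.10):
    08:00 UserA logs on and browses, 09:00 UserB logs on to the same PC and
    browses, 19:00 UserB browses again.  Returns the username attributed
    to each of the three requests.  key_by is "ip" or "cookie"."""
    ip = "10.1.1.10"
    # (time, user at the keyboard, that user's browser-profile cookie) - constructed
    timeline = [
        (8 * HOUR, "UserA", "cookie-A"),
        (9 * HOUR, "UserB", "cookie-B"),
        (19 * HOUR, "UserB", "cookie-B"),
    ]
    at_keyboard = {"user": ""}

    def authenticate(_key: str) -> str:
        # Whoever is logged on to Windows right now answers the challenge.
        # Note there is no logoff event: the gateway never learns that
        # UserA left the PC, exactly as described in the thread.
        return at_keyboard["user"]

    srv = AuthServer(ttl=ttl_hours * HOUR, authenticate=authenticate)
    attributed = []
    for now, user, cookie in timeline:
        at_keyboard["user"] = user
        key = ip if key_by == "ip" else cookie
        attributed.append(srv.resolve(key, now))
    return attributed


if __name__ == "__main__":
    print("IP key, 10h TTL:    ", shared_workstation_scenario(10, "ip"))
    print("IP key, 30min TTL:  ", shared_workstation_scenario(0.5, "ip"))
    print("cookie key, 10h TTL:", shared_workstation_scenario(10, "cookie"))
```

With the IP key and a 10-hour TTL, UserB's 09:00 request resolves to UserA, which is the behaviour reported in the question; only the 19:00 request, after the session has expired, re-authenticates as UserB. Shortening the TTL to 30 minutes narrows the window but does not close it: anyone who switches users within the TTL still inherits the previous session. Keying on a per-browser-profile cookie gives each Windows account its own session from the first request.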
13 Replies
McAfee Employee

Re: Users stuck in authentication TTL

I wasn't clear on one thing: whether a user logs in or out of their PC does not control the username the Web Gateway sees them as. Logging in or out of a PC is not something the Web Gateway has knowledge of.

~Jon

jont717

Re: Users stuck in authentication TTL

So what you are saying is that it looks for an IP address in the cache, not a user name?

jont717

Re: Users stuck in authentication TTL

And my next question would be - how can we reset the TTL cache for specific IP addresses then so users can re-authenticate?

McAfee Employee

Re: Users stuck in authentication TTL

Correct, the Web Gateway stores the IP, and associates it with a username and "expires-at" time. This creates the session. It does not have the username at that point.

On your next question, you can always create rules with differing criteria. See screenshot below:

authserver_2011-08-31_111056.png

Let me know if this answers your question, or if you were asking for something else.

~Jon

jont717

Re: Users stuck in authentication TTL

I am looking for a way to clear the TTL cache for certain users.

Where is this TTL cache stored? Is there a way to reset it?

Thanks!

McAfee Employee

Re: Users stuck in authentication TTL

Hi again Jonathan,

No way currently to "destroy" the session for a particular user (though I have an FMR filed to create an "event" to destroy one).

~Jon


Re: Users stuck in authentication TTL

That would be a really nice feature if you could force a user/all to reauthenticate via the GUI.

McAfee Employee

Re: Users stuck in authentication TTL

Well, essentially that's what the event would allow for, except not from the GUI. But you could create a rule that includes the event to destroy all sessions, for example.

Jonathan, does this help make sense of how the "Authentication Server" works?

~Jon
