1 2 Previous Next 19 Replies Latest reply on Feb 18, 2011 8:14 AM by ittech

    Auto-logon for guests

    ittech

      Is there any way I could set a rule that states if a user authentication fails to automatically log them in as a guest account located in a local user database?

        • 1. Re: Auto-logon for guests

          That depends. Are you going to make it prompt and enter a guest account password when authentication fails?

          • 2. Re: Auto-logon for guests
            ittech

            To open up an extremely large can of worms...our situation is as follows. For the LAN, we have the Transparent Bridge with an Authorization Server that checks against our AD. We were just recently "strongly suggested" to put up WiFi open to the public that passes through the LAN & MWG7 on the way to the internet. Finally, we have VPN clients that pass through the MWG7 and currently have to enter in their name and password on a prompt like this:

             

            prompt.PNG

             

            Ideally, I would like seperate authentication for each method of reaching the internet.

             

            The WiFi clients NAT to 172.23.42.7 and I would like a rule that autmatically logs them on as a guest accout located on a local user databse.

             

            Also, the VPNs proxy to the MWG7 on port 3128 and I would like to attempt to pick up their authentication through NTLM if possible.

             

            I can zip my backup file or an html if anyone want to see what I've already attempted at (andn failed!).

            • 3. Re: Auto-logon for guests

              Instead of using a local guest account, why not exclude your clients that are NATed to 172.23.42.7 from authentication?

              • 4. Re: Auto-logon for guests

                > The WiFi clients NAT to 172.23.42.7 and I would like a rule that automatically logs them on as a guest account located on a local user database.

                 

                What I'm saying is, If you assign these users an account, they need to have a password. If you want to have it prompt so they must enter some generic guest account password, then yes, you can do that by putting a condition around the Client.IP that only checks the User database when they come from that IP. If you do this, they will be prompted, but it sounds like that's NOT what you want.

                 

                If you don't want prompted on the WiFi, then I have to ask, what's the difference between authenticating everyone from the same guest account and not authenticating them at all. The only functional difference is the "username" or "-" in the logs. And then assign a set of categories for that IP without authentication.


                Which VPN client is it? It sounds like the client itself does not know how to negotiate NTLM to a proxy. MWG would challenge the client with NTLM, but if the client software cannot understand it, it would only respond with BasicAuth. It doesn't sound like the proxy itself can do much about it, but the client software isn't programmed to understand NTLM negotiation like a browser does. If you know the destination address that the VPN clients connect to, you can bypass authentication for that destination only. That, too, will only show "-" as the user in the logs.

                • 5. Re: Auto-logon for guests
                  ittech

                  We have a Content Filter setup for Unauthenticated users. The problem is somewhere along the way the MWG7 won't allow an unauthenticated user to browse the internet.

                  • 6. Re: Auto-logon for guests
                    ittech

                    Guest users on the WiFi is just how it was presented to me by my director, and most likely he would like a Guest or something similar in the logs. I've tried the Set.Authentication.RawCredentials rule as suggested in the Product Guide, but the appliance is still prompting for credentials and/or not accepting the guest acct in the rule. My entire rule set is attached.

                    • 7. Re: Auto-logon for guests

                      We've had very good luck using the Try-Auth ruleset.  This allows us to implement separate rules for authenticated and unauthenticated users.  However, if you don't want your unauthenticated users to browse the Internet, you could exclude your NAT IP for WiFi clients from the rule that is blocking the unauthenticated users.

                      • 8. Re: Auto-logon for guests
                        ittech

                        I have excluded the NAT IP, yet the appliance still prompts for credentials. The only reason I can determine this would be happening is because the MWG7 is inline with our internet connection, so all traffic passes through it, but I'm not sure.

                        • 9. Re: Auto-logon for guests
                          ittech

                          Sorry I missed your question. It's a Cisco VPN client and they definitely need to be filtered by their usernames.

                           

                           

                          Message was edited by: ittech on 1/12/11 3:19:08 PM EST
                          1 2 Previous Next