1 2 Previous Next 14 Replies Latest reply on Feb 20, 2012 3:15 AM by pkonitz

    username in access log

      Hi,

       

      quick question about how MWG handles authentication logs.

      Authentication rule works just fine but I had to add exception about google sync (why its not supporting proxy authentication I dunno !!! shame GOOGLE !!! )

       

      what I see in access log is that after normal Internet traffic where user is authenticated and where the information who enters where is displayed, there are bunch of entries regarding my exception with no username information.

       

      It would be obvious if  this traffic was done before WWW which had to be authenticated. But after that when MWG creates internal records (for duration of authentication session) similar to this

      192.168.0.1,usernametest1,1234567  with some timestamps (as one of amazing guy asabban explained me).

       

      So why MWG can't map IP to username if few seconds earlier normal traffic which had to be authenticated was done?

       

      Adding the exception to authentication rule means that I loose the info about the username?

       

      regards

      Przemek

        • 1. Re: username in access log
          asabban

          Hello,

           

          I believe this is right. If a request goes through the rule engine and there is no rule to check if there is a username available, the properties will stay empty, even if a lookup into the list of known sessions would be able to fill the properties.

           

          Maybe there is a way to cause MWG to look up the username, but do not attempt to redirect the user to the Auth Server. Maybe a rule that triggers Auth.Authenticate, but has "Continue" as an action will help, but I am not sure. Maybe someone else has already done a similar setup.

           

          Best,

          Andre

          • 2. Re: username in access log
            asabban

            Hi Przemek,

             

            one of my colleagues asked me about this thread and I would like to clarify the authentication method you are using. In the post above it looks like you are using the authentication method we call "Direct Proxy Authentication", e.g. a client is sending a request, MWG is sending a 407, client is sending credentials etc.

             

            As an alternative method we offer the utilization of the so called "Authentication Server", which is also a way to authenticate users, but a completely different approach. I believe I remember from one of the eMails we exchanged you mentioned you are using the "Authentication Server" method for providing authentication to your users. The "Authentication Server" uses redirects to send unauthenticated users to a service to authenticate at (also works transparently for the users, but technique is different).

             

            Would you mind to clarify which authentication is in place on your MWG? If you are unsure, maybe you can add a screenshot of the current authentication rules. Just to make sure we are talking about the same things.

             

            Thanks!

            Andre

            • 3. Re: username in access log

              Hi Andre,

               

              Youre right, Im using "authentication Server" Rule set as displayed below (and standard NTLM authentication method)

               

              ScreenShot116.jpg

               

              ScreenShot117.jpg

               

              regards

               

              Message was edited by: pkonitz on 2/15/12 9:06:16 AM CET
              • 4. Re: username in access log

                meanwhile Ive got another question

                 

                is it possible to authenticate users but if authentication failes allow them anyway?

                • 5. Re: username in access log
                  asabban

                  Hello,

                   

                  thanks for sharing. We have a property "Authentication.Failed" which becomes true when a user tried to authenticate, but provided wrong credentials. You could try to add this to your rules.

                   

                  I have not tried this as part of an authentication server authentication so far, but I believe it should work.

                   

                  Best,

                  Andre

                  • 6. Re: username in access log
                    asabban

                    Just FYI, the idea

                     

                    "Maybe a rule that triggers Auth.Authenticate, but has "Continue" as an action will help, but I am not sure."

                     

                    should work according to our authentication masterminds. Maybe you want to try it if you are still interested.

                     

                    Best,

                    Andre

                    • 7. Re: username in access log

                      hi Andre,

                      this reply is regarding 2nd question yes?

                       

                      I tried it and Im not sure about understanding it (it didn't work btw)

                      Authentication.Authenticate has its default action "Authenticate <Default>" and its doing redirection with HTTP response code 302.

                       

                      When changing its action to "Continue" the browser stops showing dialog box for username/password  but property "authentication.authenticate" still does redirection with 302 code which is probably hard coded in it.

                       

                      So ..

                      if I want to authenticate users  normally (those who has its AD account) I need to leave this Action to "Authenticate" but when authentication fails (after 3 times as I remember) its <Default> schema displays block page with "Authentication required" so Im not able to move forward to next rule.

                       

                      BTH

                      which Authentication approach is recommended for which situations? The one using 302 redirects or when MWG asks directly the browser with 407 code? casue this redirections seems to be the MWG itself as headers show.

                       

                      this one presets when action is "Authenticate"

                      ScreenShot118.jpg

                      this one shows the same rule with action continue and it seems that there is very strange loop cause

                      MWG redirects to itself, and when browser tries to get to this plugin it receives rediretion back to its original page

                       

                      ScreenShot119.jpg

                      and after a while Firefox presets "The page isn't redirecting properly"

                       

                      Message was edited by: pkonitz on 2/15/12 12:15:33 PM CET

                       

                      OK my mistake,

                       

                      I should change the action to continue in the first rule not with "Authentication.Authenticate <NTLM>" property

                      ScreenShot116.jpg

                       

                       

                      Message was edited by: pkonitz on 2/15/12 12:20:39 PM CET
                      • 8. Re: username in access log

                        Hi Andre,

                         

                        Are you in possession of any materials  which document every possible value ofproperties which MWG uses?

                         

                        For example.

                        Following your idea I wanted to simplify the authenticationin a such a way that

                        - First try Local user database

                        Then if authentication failed - stop trying (I tried to useFailureReason property but couldn’t find what values are allowed. I tried torecord it in my own log handler rules but from there, but no such property isavailable.

                         

                        ScreenShot120.jpg

                         

                        And I need maybe a confirmation.

                         

                        Authentication.Authenticate  (method) doesn’t trigger this process. Only theAction Authenticate ?

                         

                        So for example to implement multiple layer authentication it would look sth like this

                         

                        1) Try AD

                        Authentication.Authenticate<NTLM> equals false                                              action:Continue

                        2) Try LOCALDATABASE

                        Authentication.IsAuthenticated equals false AND

                        Authentication.Authenticate<User Database>                                                    action: Continue

                        3) If not authenticated

                        Authentication.IsAuthenticated equals false                                                       action:Authenticate <Default>

                         

                         

                        First HTTP request is not authenticated so it skips 1,2 and goesdirectly to 3.

                        Authentication is triggered in step 3 (browser prompts for username and password)

                        Username and password are saved by MWG in some properties and used in rule 1 then if not successful in 2nd and so on.

                         

                        regards

                        • 9. Re: username in access log
                          asabban

                          Hello,

                           

                          a couple of questions there. I will try to cover some of the questions :-)

                           

                          1.) Direct Proxy Authentication (407) against Authentication Server (302)

                           

                          Usually this depends on how your proxy is deployed. In an explicit proxy environment, e.g. users have their browsers pointed to MWG (manually or by proxy.pac) you want to use direct proxy authentication. Once the browser knows that it uses a proxy to get to the internet, it will be capable of accepting and answering the 407 responses. This is the easiest way to authenticate, without too much overhead.

                           

                          From my experience, if there is any chance to use explicit proxy + direct proxy auth, do it. I recommend the authentication server only if necessary.

                           

                          Using the authentication server is required when the browser is not aware of a proxy on its way to the internet. So if you do any kind of transparent redirect, such as the internal transparent bridge/router modes, WCCP, policy based routing on a gateway, L2 redirect, whatever, you will have to use authentication server.

                           

                          In this case the browser is redirected to the authentication server when authentication is required. The authentication server looks like a normal web site to the browser, that requires authentication (http status code 401). So the browser thinks it authenticates against a web site and - if the web site is recognized as "trusted" or "internal" - the default browser settings allow the windows credentials to be used, so you won´t even see that you are authenticated.

                           

                          So basically:

                           

                          - Use explicit proxy (a lot better to troubleshoot) and direct proxy auth if possible

                          - Only use the transparent modes + auth server if required

                          - Convince people to invest the additional efforts to switch to an explicit proxy environment, instead of just putting transparent MWGs into en existing environment, because it looks easier

                           

                          Note: This is my personal opinion - of course all other implementations work well.

                           

                          If you did troubleshooting for a while on various environments you will probably think similar :-)

                           

                          2.) What triggers the authentication process

                           

                          This is a little more complicated. Basically the authentication process (which is basically sending a 407 or a 302) is initiated by the Authenticate action. Authentication.Authenticate is used to look up existing credentials and compare them against a directory.

                           

                          The credentials MWG got are stored into Auth.RawCredentials (if I remember correctly). For your example rules the "Auth.Authenticate" rules will take the credentials from the RawCredentials property, and sent them against the directory configured in the Auth.Authenticate property. If the directory accepts the credentials, the property becomes true. Otherwise it becomes false. So you assumption is correct - you check the known credentials against all the directories and - in case all directories said "no" - you call the Authenticate action. This will make sure the browser is asked to authenticate, and once authentication is done the process starts from the beginning.

                           

                          Best,

                          Andre

                          1 of 1 people found this helpful
                          1 2 Previous Next