6th May 2013, 12:55 PM #1
Smoothwall / Lightspeed AD Auth Process
Hey guys, I hope this hasn't been done to death, but a quick search didn't reveal exactly what I was looking for, and I'm new to filtering management, so here it goes:
I'm wondering what the user experiences when either Smoothwall or Lightspeed box is set to authenticate with the AD. At the moment, our filtering is managed by our LEA and there's simply one web for all, and very little in the way of reporting. The benefits of AD integration seem pretty great, but I'm wondering how they affect the user.
I've read somewhere that Lightspeed uses/can use a program that submits logging info silently to the user, effectively making the process invisible - but what if it's a user's device? Will it just default to a login page? This behaviour seems preferable.
With Smoothwall, is there a way of achieving something similar? I'm a little concerned about the backlash of teachers/office staff suddenly finding a barrier to the internet.
Also, regarding both, do web sessions time out? Say a member of the office staff wasn't active for an hour, would they have to sign in again? I can see how that would get fairly annoying..
In an ideal world, the process would be totally invisible to the user on school machines, and it sounds like Lightspeed has that covered. Is Smoothwall making any ground on this front? Is this premise incorrect anyway?
All info, including links to RTFM (considering I don't have one!) will be greatly appreciated! If it isn't clear, at the moment I have a preference for Smoothwall, but Lightspeed and My Big Campus do sound interesting.
6th May 2013, 04:17 PM #2
Smoothwall will auth against AD via either NTLM or Kerberos for domain joined clients (therefore transparent to the user) and a captive portal for non domain joined clients. Seems to work well, and be non-intrusive for the end user and no client to install on the workstations.
The soon to be released BYOD function of Smoothwall UTM products does the same thing for non domain joined clients using 802.1x auth.
6th May 2013, 05:21 PM #3
Thanks for the reply. I had no idea about that feature, and it really makes my post quite pointless - though I'd love to know more about how this is accomplished if you could point me in the right direction.
Am I right in thinking the basic process is that the UTM looks up the host name, connects to the AD and does some trickery to discover who is logged onto it? If so, I'd be interested in knowing how it achieves this - because I have no idea how to do that, and now I feel quite inadequate!
6th May 2013, 07:09 PM #4
Those methods tend to be horribly unreliable. We get the username passed to Smoothwall from the client somehow - proxies are allowed to ask for NTLM and Kerberos auth, and Windows & Mac domain PCs can use the trusted 3rd party (AD) to make sure the conversations are kosher. Otherwise it's either some form of clientside software asking for a password (maybe once, maybe every logon) or a captive portal.
The new option RobK speaks of leverages 802.1x logins to a wifi system, so we pull the username from there then go to AD for group membership.
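How a proxy can read the username out of the client's own NTLM or Negotiate reply, as post #4 describes, shown as an added example (not from the thread and not Smoothwall's or Lightspeed's code). The function names and the sample account `EXAMPLE\jbloggs` on `LAB-PC-07` are constructed for illustration.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set

def _field(msg, pos):
    """Read one NTLM security buffer: length, max length, payload offset."""
    length, _max, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def identify_proxy_auth(header_value):
    """Classify a Proxy-Authorization value and pull out any claimed identity."""
    scheme, _, token = header_value.strip().partition(" ")
    info = {"scheme": scheme.lower(), "mechanism": None, "identity": None}
    if info["scheme"] not in ("ntlm", "negotiate"):
        return info
    raw = base64.b64decode(token, validate=True)
    if not raw.startswith(NTLM_SIG) or len(raw) < 12:
        # Negotiate with a SPNEGO/Kerberos token: the user name sits inside
        # the encrypted ticket, so only the proxy's own key can reveal it.
        info["mechanism"] = "spnego" if info["scheme"] == "negotiate" else "invalid"
        return info
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    info["mechanism"] = f"ntlm-type{msg_type}"
    if msg_type == 3 and len(raw) >= 64:
        flags = struct.unpack_from("<I", raw, 60)[0]
        # OEM code page approximated as latin-1 (assumption for this sketch).
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
        domain, user, host = (_field(raw, p).decode(enc) for p in (28, 36, 44))
        # A claim only: it counts once the domain controller has verified
        # the challenge response carried in the same message.
        info["identity"] = f"{domain}\\{user}"
        info["workstation"] = host
    return info

def build_sample_type3(domain, user, host):
    """Constructed Type 3 message with all-zero responses, for the demo."""
    parts = [bytes(24), bytes(24)]
    parts += [s.encode("utf-16-le") for s in (domain, user, host)] + [b""]
    header, payload = NTLM_SIG + struct.pack("<I", 3), b""
    for part in parts:
        header += struct.pack("<HHI", len(part), len(part), 64 + len(payload))
        payload += part
    return header + struct.pack("<I", NEGOTIATE_UNICODE) + payload

SAMPLE = "NTLM " + base64.b64encode(
    build_sample_type3("EXAMPLE", "jbloggs", "LAB-PC-07")).decode()
```

Only the final (Type 3) message of the NTLM handshake names the user, so the proxy knows who is browsing from the first authenticated request onward, not from the moment of desktop logon.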
6th May 2013, 09:11 PM #5
Does anyone have an estimated release date for this feature in Smoothwall? We're currently evaluating whether Lightspeed or Smoothwall would provide the best user experience for our users and integration with our existing 802.1x would be a killer feature.
6th May 2013, 09:30 PM #6
You have it about right for Lightspeed. We prefer to use client side agents for accuracy and speed plus some other benefits. When a device doesn't have this method most customers prefer to fall back to web authentication, although other options can be used.
Host machines with agents do not time out as the agent monitors logon, logout or fast user switching events transparently, web authenticated clients can manually logout, or time out. The length of the authentication session can be defined by User, User OU, or Group.
MyBigCampus is linked to the filter, when it comes to making life easier and getting the right content to staff and students MBC is key.
Hope that helps
6th May 2013, 11:13 PM #7
It's slated to be in the early June release, I'm not PO on that project, but AFAIK it's on track and in beta with some customers @robk included.
7th May 2013, 08:58 AM #8
I actually like having the audit trail which the Lightspeed client gives you.
A few times we've been asked in the past "I need to know who was sat at x machine at y time" and I wouldn't have been able to tell them particularly easily. I can now, which is useful.
7th May 2013, 09:09 AM #9
@RTFM does the machine event log not tell you that anyway?
7th May 2013, 09:14 AM #10
Is it easier to do that or check a report in LS (if the machine is off, for example, you can't manage it so you'll have to manually go to it etc)? I find it much easier to see the report in LS and I can tell everything about the user from one place.
Just looking at the trail on my machine and it appears to miss off a lot of logoffs, the LS report has them on with a time associated to them too.
Certainly not the be all and end all when it comes to which filter to purchase but I've found it useful since we have trialled and installed LS.
7th May 2013, 09:28 AM #11
The same report is available on Smoothwall, but will give different answers depending on login methods (e.g. NTLM would tell you only from the time a user started browsing)