Internet Related/Filtering/Firewall Thread, School Guardian... in a boarding school.. Authentication help! in Technical; OK, here's the problem we have. School Guardian seems to be working nicely for all the PCs connected to our ...
  1. #1

    Join Date: Nov 2007 | Location: Manchester | Posts: 206 | Thank Post: 2 | Thanked 13 Times in 7 Posts | Rep Power: 16

    School Guardian... in a boarding school.. Authentication help!

    OK, here's the problem we have.

    School Guardian seems to be working nicely for all the PCs connected to our AD Domain using NTLM Authentication.

    Unfortunately we are a boarding school so we have kids who have their own laptops that aren't connected to the domain, but just use the internet connection, and we would like to filter them as well.

    Ideally, I'd like them, when they try to connect to the internet on their own PCs, to get a log-in screen from School Guardian where they add their School network credentials and get filtered then according to which AD group they are in. I know in theory this can be done, but I can't seem to get the hang of pushing out PAC scripts or WPAD so that they look at the filter. Instead they just get no connection to the internet at all.... Bearing in mind that they could be using PCs or Macs, IE, Firefox, Safari (or anything else), what's the best way to do this... and how?!

    Alternatively, I'd just like to get their PCs to go through the SG as Unauthenticated IPs with a policy applied as a blanket to the Unauthenticated IPs group. If I set Unauthenticated IPs to Unfiltered, they can access the internet without filtering by the SG as you would expect (fortunately we have secondary filtering by our ISP). Now, if I set Unauthenticated IPs to Filtered, it just stops them getting to the internet completely instead of applying the policies I have set for Unauthenticated IPs (I presume they can't see the proxy?).

    Of course the other problem is that we also have guests who need access to the internet a lot as well, so instead of authenticating them (and therefore having to create usernames and passwords for them in AD), the Unauthenticated IP with filtering option makes sense...

    ... but how do I get it all working!

  2. #2


    tom_newton's Avatar
    Join Date: Sep 2006 | Location: Leeds | Posts: 4,473 | Thank Post: 866 | Thanked 848 Times in 670 Posts | Rep Power: 196

    Hmmm. Unauthenticated IPs trick should work. Which group do they show up as in the logs?

    We will soon (April) be releasing a new version of Guardian which lets you pick and choose authentication methods. This might help you solve some of these issues.

  3. Thanks to tom_newton from:

    Simcfc73 (24th February 2010)

  4. #3

    Join Date: Nov 2007 | Location: Manchester | Posts: 206 | Thank Post: 2 | Thanked 13 Times in 7 Posts | Rep Power: 16

    If I'm set to NTLM Authentication and have Unauthenticated IPs set to filtered, then any unauthenticated PCs that try to access the web don't get as far as the filter logs (as far as I can tell)... e.g. my iPhone web browser just says "Cannot Open Page - Safari cannot open the page because the server cannot be reached" - and other users get the Diagnose connection page in IE.

    Although I might be looking in the wrong logs to find what you want!

  5. #4

    Join Date: Nov 2007 | Location: Manchester | Posts: 206 | Thank Post: 2 | Thanked 13 Times in 7 Posts | Rep Power: 16

    Interestingly though, if I set authentication to No User Authentication and set Unauthenticated IPs to Filtered, everyone is happily connecting to the web and being filtered by the policies set for Unauthenticated IPs.

  6. #5

    Join Date: Nov 2007 | Location: Manchester | Posts: 206 | Thank Post: 2 | Thanked 13 Times in 7 Posts | Rep Power: 16

    OK, got it pretty much sorted with the help of one of Smoothwall's support guys.

    My DHCP wasn't giving out the full domain name (just giving out CSM instead of CSM.local) - although it still seemed to resolve OK when we pinged initially - and we changed from using NTLM Auth to NTLM Ident.

    All pretty much working as I expect now, except that anyone using Safari as their browser is asked to provide a username and password (Firefox and IE are working fine) - although as this is just using NTLM ident then they can add any username without a password and it will accept them and push them through the Unauthenticated IP group. This is fine as they are unauthenticated in the sense of not being a member of the domain, but it seems strange that IE and Firefox can push through a username from the PC automatically but Safari can't. Typical Apple... has to work differently!?

  7. #6

    FN-GM's Avatar
    Join Date: Jun 2007 | Location: UK | Posts: 15,938 | Thank Post: 886 | Thanked 1,693 Times in 1,472 Posts | Blog Entries: 12 | Rep Power: 447

    What happens with Firefox on a Mac?

  8. #7

    Join Date: Nov 2007 | Location: Manchester | Posts: 206 | Thank Post: 2 | Thanked 13 Times in 7 Posts | Rep Power: 16

    Good question... don't know. I'll go and find a Mac!

  9. #8

    Join Date: Nov 2007 | Location: Manchester | Posts: 206 | Thank Post: 2 | Thanked 13 Times in 7 Posts | Rep Power: 16

    Got it all sorted in the end. Now happily working with NTLM Authentication.... and the kids will have to put their network username and password into the browser on their own laptops when they want to browse....


    .... they are going to hate me... Happy Days!

  10. #9


    tom_newton's Avatar
    Join Date: Sep 2006 | Location: Leeds | Posts: 4,473 | Thank Post: 866 | Thanked 848 Times in 670 Posts | Rep Power: 196

    You might want to use the "RobF trick" to stop the non-domain users needing to type DOMAIN\ - drop me a line if you need to know about that little hack

  11. #10

    Join Date: Nov 2007 | Location: Manchester | Posts: 206 | Thank Post: 2 | Thanked 13 Times in 7 Posts | Rep Power: 16

    Quote: Originally Posted by tom_newton
    "You might want to use the "RobF trick" to stop the non-domain users needing to type DOMAIN\ - drop me a line if you need to know about that little hack"

    Cheers Tom, PM sent.

  12. #11

    Join Date: Nov 2007 | Location: Manchester | Posts: 206 | Thank Post: 2 | Thanked 13 Times in 7 Posts | Rep Power: 16

    Hi Tom

    Thanks for getting RobF's trick onto our UTM. It may be worth noting, however, that the trick doesn't work with IE (only Firefox and Safari) as IE tries to send through the local PC's domain instead if it's not on the networked domain. So IE users still have to use DOMAIN/USERNAME instead of just USERNAME.

    If you guys can figure a way around that I'd be mighty impressed.

    Cheers
    Adrian

  13. #12

    Join Date: Feb 2008 | Posts: 270 | Thank Post: 14 | Thanked 44 Times in 35 Posts | Rep Power: 22

    Quote: Originally Posted by tom_newton
    "You might want to use the "RobF trick" to stop the non-domain users needing to type DOMAIN\ - drop me a line if you need to know about that little hack"

    Are those of us just running School Guardian able to use this fix or only those with a UTM?

  14. #13


    tom_newton's Avatar
    Join Date: Sep 2006 | Location: Leeds | Posts: 4,473 | Thank Post: 866 | Thanked 848 Times in 670 Posts | Rep Power: 196

    @theFopp - new Auth version (April) MIGHT fix that. Not sure though.

    @ssiruuk - yes, it works on all versions!

  15. #14

    RabbieBurns's Avatar
    Join Date: Apr 2008 | Location: Sydney | Posts: 5,521 | Thank Post: 1,333 | Thanked 469 Times in 306 Posts | Blog Entries: 6 | Rep Power: 199

    Is the new version going to allow for two different types of authentication for different types?

    e.g. transparent and seamless for domain computers but, say, SSL Login screen for unauthenticated IPs

  16. #15

    Join Date: Nov 2007 | Location: Manchester | Posts: 206 | Thank Post: 2 | Thanked 13 Times in 7 Posts | Rep Power: 16

    Quote: Originally Posted by RabbieBurns
    "Is the new version going to allow for two different types of authentication for different types?

    e.g. transparent and seamless for domain computers but, say, SSL Login screen for unauthenticated IPs"

    Fingers and Toes crossed.... that's what I'm hoping for!
