School Guardian... in a boarding school.. Authentication help!
OK, here's the problem we have.
School Guardian seems to be working nicely for all the PCs connected to our AD Domain using NTLM Authentication.
Unfortunately we are a boarding school so we have kids who have their own laptops that aren't connected to the domain, but just use the internet connection, and we would like to filter them as well.
Ideally, I'd like them, when they try to connect to the internet on their own PCs, to get a log-in screen from School Guardian where they add their school network credentials and get filtered then according to which AD group they are in. I know in theory this can be done, but I can't seem to get the hang of pushing out PAC scripts or WPAD so that they look at the filter. Instead they just get no connection to the internet at all.... Bearing in mind that they could be using PCs or Macs, IE, Firefox, Safari (or anything else), what's the best way to do this... and how?!
Alternatively, I'd just like to get their PCs to go through the SG as Unauthenticated IPs with a policy applied as a blanket to the Unauthenticated IPs group. If I set Unauthenticated IPs to Unfiltered, they can access the internet without filtering by the SG as you would expect (fortunately we have secondary filtering by our ISP). Now, if I set Unauthenticated IPs to Filtered, it just stops them getting to the internet completely instead of applying the policies I have set for Unauthenticated IPs (I presume they can't see the proxy?)
Of course the other problem is that we also have guests who need to access the internet a lot as well, so instead of authenticating them (and therefore having to create usernames and passwords for them in AD), the Unauthenticated IP with filtering option makes sense...
If I'm set to NTLM Authentication and have Unauthenticated IPs set to Filtered, then any unauthenticated PCs that try to access the web don't get as far as the filter logs (as far as I can tell)... e.g. my iPhone web browser just says "Cannot Open Page - Safari cannot open the page because the server cannot be reached" - and other users get the Diagnose Connection page in IE.
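For the PAC/WPAD part of the question, here is an added example of what a proxy auto-config script pointing non-domain laptops at the filter could look like. It is not from this thread or from Smoothwall: the proxy host "proxy.csm.local" and port 800 are assumed placeholders (CSM.local is the domain named later in the thread), and the small helper functions at the top are shims for the PAC helpers that a browser normally supplies, included only so the script can be exercised outside a browser.

```javascript
// Added example (not from the thread or from Smoothwall): a proxy auto-config
// (PAC) script that routes browser traffic through a filtering proxy, plus the
// subset of PAC helper functions needed to run it outside a browser.
// Assumed placeholders: proxy host "proxy.csm.local" and port 800.

// --- shims for the PAC helpers a browser provides (browsers ignore these) ---
function isPlainHostName(host) {
  return host.indexOf(".") === -1;            // e.g. "intranet" has no dots
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}
function ip4ToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + parseInt(o, 10), 0) >>> 0;
}
function isInNet(ip, pattern, mask) {
  return (ip4ToInt(ip) & ip4ToInt(mask)) === (ip4ToInt(pattern) & ip4ToInt(mask));
}
function dnsResolve(host) {
  // Shim: accept IPv4 literals only; a real browser performs a DNS lookup here.
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) ? host : null;
}

// --- the PAC script itself: this is the content served as wpad.dat ---
var FILTER_PROXY = "PROXY proxy.csm.local:800"; // assumed placeholder host:port

function FindProxyForURL(url, host) {
  // Unqualified names and the school's own domain are reached directly.
  if (isPlainHostName(host) || dnsDomainIs(host, ".csm.local")) {
    return "DIRECT";
  }
  // Private address space (RFC 1918) and loopback also bypass the filter.
  var ip = dnsResolve(host);
  if (ip !== null && (
        isInNet(ip, "10.0.0.0", "255.0.0.0") ||
        isInNet(ip, "172.16.0.0", "255.240.0.0") ||
        isInNet(ip, "192.168.0.0", "255.255.0.0") ||
        isInNet(ip, "127.0.0.0", "255.0.0.0"))) {
    return "DIRECT";
  }
  // Everything else goes through the filter. Deliberately no "; DIRECT"
  // fallback: a laptop that cannot reach the proxy fails closed instead of
  // silently browsing unfiltered.
  return FILTER_PROXY;
}
```

Two things worth checking when deploying something like this: browsers find the file automatically by requesting `http://wpad.<DNS suffix>/wpad.dat` (Windows clients also honour DHCP option 252), so the DHCP-supplied domain suffix must be the full name, and the web server should send it with the `application/x-ns-proxy-autoconfig` content type. Because the script above has no DIRECT fallback, a client that is picking up the PAC but cannot reach the proxy shows exactly the "server cannot be reached" error described in the thread, which helps separate a WPAD distribution problem from a proxy-side policy problem.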
Although I might be looking in the wrong logs to find what you want!
Interestingly though, if I set authentication to No User Authentication and set Unauthenticated IPs to Filtered, everyone is happily connecting to the web and being filtered by the policies set for Unauthenticated IPs.
OK, got it pretty much sorted with the help of one of Smoothwall's support guys.
My DHCP wasn't giving out the full domain name (just giving out CSM instead of CSM.local) - although it still seemed to resolve OK when we pinged initially - and we changed from using NTLM Auth to NTLM Ident.
All pretty much working as I expect now, except that anyone using Safari as their browser is asked to provide a username and password (Firefox and IE are working fine) - although as this is just using NTLM ident then they can add any username without a password and it will accept them and push them through the Unauthenticated IP group. This is fine as they are unauthenticated in the sense of not being a member of the domain, but it seems strange that IE and Firefox can push through a username from the PC automatically but Safari can't. Typical Apple... has to work differently!?
Got it all sorted in the end. Now happily working with NTLM Authentication.... and the kids will have to put their network username and password into the browser on their own laptops when they want to browse....
Thanks for getting RobF's trick onto our UTM. It may be worth noting, however, that the trick doesn't work with IE (only Firefox and Safari), as IE tries to send through the local PC's domain instead if it's not on the networked domain. So IE users still have to use DOMAIN/USERNAME instead of just USERNAME.
If you guys can figure a way around that I'd be mighty impressed.