Page 1 of 2
Results 1 to 10 of 14
  1. #1
    Newbie
    Join Date
    Jun 2011
    Posts
    8

    Authenticate by User not Client IP?

    I'm dealing with a slightly unusual set of circumstances with a client who wants to require all employees to login for internet access and have all of their activity logged while online. Part of the network is typical - Windows domain with XP workstations for office staff. The tricky part is logging user access on a single Ubuntu netbook they use for the drivers who come and go all day. I thought captive portal would require each user to login each time they open a browser, but I see now the first person who authenticates through captive portal bypasses that machine's IP for the timeout period, such that each subsequent user is not required to login, and their activity online is presumably associated with the first user who logged in. The Ubuntu box is not authenticating to the Windows DC, so the report plugin may not be logging the user name correctly either.

    Aside from shortening the captive portal timeout period for the entire network, is there a method for requiring each user who logs into this box to also authenticate with captive portal each time? It seems like this would require captive portal to authenticate by user instead of client IP, and I see no mention of how to enable that in the wiki. I'm open to suggestions. We can't have the first user leaving the door open for everyone who comes after him on this box during the timeout period.

  2. #2
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Mateo, CA
    Posts
    11,682

    Default

    Quote Originally Posted by athenatech
    Aside from shortening the captive portal timeout period for the entire network, is there a method for requiring each user who logs into this box to also authenticate with captive portal each time? It seems like this would require captive portal to authenticate by user instead of client IP, and I see no mention of how to enable that in the wiki. I'm open to suggestions. We can't have the first user leaving the door open for everyone who comes after him on this box during the timeout period.
    You can easily require a username on the captive page.

    The trick will be writing some script to tell untangle to log out the previous user. Captive Portal doesn't just magically know when the previous user has walked away from the keyboard so it doesn't know to log that user out. You need to write a script that calls logout.php with a curl or wget command and then you need to figure out when to run that script.

    something like
    Code:
    #!/bin/sh
    # POSIX sh: send stdout and stderr to /dev/null separately ("&>" is a bash-only shortcut)
    curl http://untangle_ip/users/logout > /dev/null 2>&1
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Newbie
    Join Date
    Jun 2011
    Posts
    8

    Default

    CP is configured to request both a name and pw to login. The problem is as you said CP adds the IP to the bypass list for the specified timeout period, and thus during that time any number of other users can logon to their machine account but are not forced to login to CP. I assumed CP was setting a cookie so that when the browser was closed the session would be cleared and the next user opening the browser would have to reauthenticate. Maybe I could get a script of some kind to run when the system logs the user off based on the idle timeout? The script could log the same user off CP perhaps. I believe I could put something in /etc/gdm/PostSession if I knew what would log that client out of CP.
    Last edited by athenatech; 07-01-2011 at 04:23 PM.

  4. #4
    Master Untangler f1assistance's Avatar
    Join Date
    Apr 2009
    Location
    Holly Springs, NC
    Posts
    249

    Default

    Quote Originally Posted by athenatech
    CP is configured to request both a name and pw to login. The problem is as you said CP adds the IP to the bypass list for the specified timeout period, and thus during that time any number of other users can logon to their machine account but are not forced to login to CP. I assumed CP was setting a cookie so that when the browser was closed the session would be cleared and the next user opening the browser would have to reauthenticate. Maybe I could get a script of some kind to run when the system logs the user off based on the idle timeout? The script could log the same user off CP perhaps.
    A security gateway is just that, a guard to allow, or continue to deny, traffic from an IP-assigned device. This is clearly why RADIUS or AD is the next level of choice for greater authentication. They authenticate a user and resource access.
    This is a similar reason why you don't want your edge device to be a file server. It’s just too risky...too many times our convenience is also convenient for the threat we’re defending against.
    We must be careful not to put all our security eggs in one basket; separate security layers we know are inconvenient obstacles and may be the difference between a hacker’s success and failure…
    Untangle is one BAD-ASS sentinel!

  5. #5
    Newbie
    Join Date
    Jun 2011
    Posts
    8

    Default

    Quote Originally Posted by dmorris
    You need to write a script that calls logout.php with a curl or wget command and then you need to figure out when to run that script.

    something like
    Code:
    #!/bin/sh
    curl http://untangle_ip/users/logout > /dev/null 2>&1
    Thanks for the tip - works like a top. I put the script in /etc/gdm/PostSession and it logs the client IP out of CP when the user logs out of the machine account. This is forcing each user to login each time they get on the machine. Now if I could figure out why the reports aren't logging any activity for users when they're logged into CP browsing - but that's for another thread.
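    The PostSession hook described in #2 and #5, as an added example that is neither Untangle's code nor the poster's own script: a POSIX sh version of the one-liner that falls back to wget when curl is missing, times out instead of hanging the logoff, and records the outcome. The gateway address and the file name Default are assumptions.

```shell
#!/bin/sh
# /etc/gdm/PostSession/Default (file name assumed; the thread names only the
# directory). Added example, not Untangle's code. GDM runs this as root when a
# desktop session ends, with USER set to the user who logged off.

CP_GATEWAY="${CP_GATEWAY:-192.0.2.1}"   # constructed placeholder for untangle_ip
CP_TIMEOUT="${CP_TIMEOUT:-10}"          # seconds to wait for the gateway

# The logout endpoint given in the thread (/users/logout on the gateway).
cp_logout_url() {
    printf 'http://%s/users/logout' "$1"
}

# Fetch $1 with curl or, if curl is absent, wget; status 127 if neither exists.
cp_fetch() {
    if command -v curl >/dev/null 2>&1; then
        curl -s -m "$CP_TIMEOUT" -o /dev/null "$1"
    elif command -v wget >/dev/null 2>&1; then
        wget -q -T "$CP_TIMEOUT" -O /dev/null "$1"
    else
        return 127
    fi
}

# Record the outcome in syslog, or on stderr if logger is unavailable.
cp_log() {
    logger -t cp-logout "$1" 2>/dev/null || echo "cp-logout: $1" >&2
}

# Log this machine's IP out of the captive portal on gateway $1.
# Returns 0 on success, 1 if the gateway could not be reached.
cp_logout() {
    url=$(cp_logout_url "$1")
    if cp_fetch "$url"; then
        cp_log "captive portal logout OK for ${USER:-unknown} via $url"
        return 0
    else
        rc=$?
        cp_log "captive portal logout FAILED (status $rc) for ${USER:-unknown}"
        return 1
    fi
}

# Only act when GDM executes this file as a PostSession script; sourcing it
# elsewhere (for example to test the functions) runs nothing.
case "$0" in
    */PostSession/*) cp_logout "$CP_GATEWAY" ;;
esac
```

    Because the gateway keys the session on the source IP, whichever account is logging off, the request from the netbook clears that netbook's bypass entry, so the next driver lands on the login page.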

  6. #6
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Mateo, CA
    Posts
    11,682

    Default

    Quote Originally Posted by athenatech
    Thanks for the tip - works like a top. I put the script in /etc/gdm/PostSession and it logs the client IP out of CP when the user logs out of the machine account. This is forcing each user to login each time they get on the machine. Now if I could figure out why the reports aren't logging any activity for users when they're logged into CP browsing - but that's for another thread.
    Does directory connector show the correct IP<->username mapping when users are logged in?

  7. #7
    Newbie
    Join Date
    Jun 2011
    Posts
    8

    Default

    Quote Originally Posted by dmorris
    Does directory connector show the correct IP<->username mapping when users are logged in?
    It does for machines that only have one user logging in, but several machines have multiple users logging into their roaming profile. Even when it does map the IP to the correct user there's no history of that user's activity online anywhere in the reports that I'm aware of. CP shows authentication activity but I need a list of each web site visited by the employee while he's online. We also want to show if the user tried to access a site blocked by web filter. I guess this may be beyond the capability of CP and web filter?

  8. #8
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Mateo, CA
    Posts
    11,682

    Default

    There's only one username per IP by definition.
    It's a 1:1 IP<->username map.

    Untangle is a gateway and so it just sees IP traffic. IP uses IP addresses. There is no "username" attached to IP traffic so it deduces the username from the IP username map in directory connector.

  9. #9
    Newbie
    Join Date
    Jun 2011
    Posts
    8

    Default

    Quote Originally Posted by dmorris
    There's only one username per IP by definition.
    It's a 1:1 IP<->username map.

    Untangle is a gateway and so it just sees IP traffic. IP uses IP addresses. There is no "username" attached to IP traffic so it deduces the username from the IP username map in directory connector.
    Right I'm starting to see I probably need to find another solution - something like a web proxy with user authentication. I thought mistakenly that CP with its user authentication would associate each user login to a web session, but what it's really doing is looking strictly at the IP of the machine the user is authenticating from. I guess I need to put something else in between the UT box and the workstations to log web access. Any suggestions?

  10. #10
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Mateo, CA
    Posts
    11,682

    Default

    Yeah probably makes more sense. Especially if all you care about is port 80.
    I don't know of anything, no.