12-03-2008, 12:00 PM   #1
far182 (Master Untangler)
AD Connector + Policy

I found an issue. I am not sure how to solve it.

We have set up Untangle with the AD Connector and Policy.
  • People who are logged in and are users of Active Directory go into a rack called "Employees".
  • Servers (which have an IP range of 192.168.1.10-15) go through their own rack called "servers".
  • All other devices that don't fit into the above go into the "default" rack.

The above works perfectly for servers and workstations. What it doesn't work well with is laptops. Laptops use "cached credentials" for the Microsoft Windows AD network. If they didn't, laptop users would never be able to log in to their laptops when away from the office.

So the problem happens when a user logs into their laptop without being connected to the network. Then... they connect to the corporate network (like locally on premise). When this happens the Untangle login script is never run. Without running the login script, the laptop user is now not going through their correct rack.

Anyone else face this problem yet? If not, I bet there has to be plenty of people who are going to realize they have this problem now... Anyone have a solution?

12-03-2008, 12:56 PM   #2
sky-knight (Untangle Ninja)

Yes, I have this issue. My largest customer runs almost ALL laptops on their internal network. The login script not only fires the UT integration module but also a sync backup of local profile information to a server.

The only way I have found to fix this is to create a shortcut to the login script that fires both the backup and the vbs for Untangle onto their desktops, and train the users to double-click the icon when they connect.

The Enterprise solution for this is called NAC (Network Access Control) and it simply won't let them onto the LAN without a full AD login. So when they just plug in, it doesn't work until they have logged out and back in again.

Alternately you could have a local login script on the box assigned in group policy that pings the Untangle IP every so many seconds and if it gets a response fires up the login script...

Any way you slice it, this issue is a PITA!
__________________
Rob Sandling, BS:SWE, MCP
Intouch Technology
Phone: 480-272-9889
rob@intouchtechllc.com

UntangleAppliances.com
Phone: 866-794-8879
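
The polling idea from the post above (ping the Untangle IP, fire the login script when it answers), as an added example that is not part of the original thread and not Untangle's own script. The Untangle address, the script path and the interval are placeholders, and the watcher is assumed to run in the logged-in user's session so the login script reports the right user.

```powershell
# Added example: all values below are placeholders, not taken from the thread.
$UntangleIp  = '192.168.1.1'                              # placeholder: Untangle's internal IP
$LoginScript = '\\dc.example.local\netlogon\untangle.vbs' # placeholder: the AD Connector login script
$PollSeconds = 15                                         # "every so many seconds"

function Test-UntangleReachable {
    param([string]$Address)
    # One ICMP echo; -Quiet returns $true/$false instead of a result object.
    [bool](Test-Connection -ComputerName $Address -Count 1 -Quiet -ErrorAction SilentlyContinue)
}

function Start-LoginScript {
    param([string]$Path)
    # The share may not be reachable yet right after link-up; report failure so we retry.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try {
        Start-Process -FilePath 'cscript.exe' `
                      -ArgumentList '//nologo', ('"{0}"' -f $Path) `
                      -WindowStyle Hidden -ErrorAction Stop | Out-Null
        return $true
    } catch {
        return $false
    }
}

# $registered tracks whether the script has been launched for the current connection.
$registered = $false
while ($true) {
    if (Test-UntangleReachable -Address $UntangleIp) {
        # On the corporate LAN: launch the login script once per connection.
        if (-not $registered) {
            $registered = Start-LoginScript -Path $LoginScript
        }
    } else {
        # Off the LAN (or Untangle not answering): re-arm so the next
        # connection launches the login script again.
        $registered = $false
    }
    Start-Sleep -Seconds $PollSeconds
}
```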

12-03-2008, 01:39 PM   #3
dmorris (Untangle Junkie)

Is there some trigger on getting a new DHCP lease that we could use to fire off the script? That way it would run the script after getting the lease after plugging in.

Just a thought...
__________________
Attention: Support and help on the Untangle Forums is provided by
volunteers and community members like yourself.
If you need Untangle support please call or email support@untangle.com

12-03-2008, 02:09 PM   #4
sky-knight (Untangle Ninja)

Quote:
Originally Posted by dmorris
Is there some trigger on getting a new DHCP lease that we could use to fire off the script? That way it would run the script after getting the lease after plugging in.

Just a thought...

Possibly, but for some reason that seems unMicrosoft to me. More than likely the event fires when the card connects, not when the IP changes. Still, if there is an API call that does that... building the script would be rather trivial.
All times are GMT -7.

© 2010 Untangle, Inc. All Rights Reserved.