You cant... Ultimately Untangle routes traffic based on the IP address. The login process is just filling a table of names to addresses that the device then uses to route. It will take some light proxy/session tracking with cookies to make it truly user driven. To be honest that's the next logical step, and along the way Untangle will likely end up with a caching proxy too.
CP doesn't change user based policies... All it provides is another way to build that ad table.
Rob Sandling, BS:SWE, MCP
NexgenAppliances.com
Phone: 866-794-8879 x201
Email: support@nexgenappliances.com
Ok, fair enough. Then, in this way I could see the Captive Portal being a service instead of in the rack. Though, I believe we need a few tweaks to Captive Portal to really work right. The following should be settable options, and we should be able to set these options per IP, Subnet, etc:Originally Posted by sky-knight
1.) If a user is already logged in through the AD connector, the Captive Portal should detect this and not present the captive portal page at all. If they are not logged in through the AD connector they would get the captive portal with the option to force a disclaimer onto the user.
2.) For those that want to display a "disclaimer", for no matter who is logged in: if a user is already logged in through the AD connector, the Captive Portal should detect this and only present the disclaimer page. If the user isn't already logged in through the AD connector, then the Captive Portal would present a login with disclaimer.
This would make the Captive Portal complete from our standpoint. This would create a smooth experience.
#1 would allow users who are already logged in via Active Directory, access to the Internet without having to deal with the captive portal. For most of our clients, this is how they would want it. They don't want to add an extra step for their people. They would want the Captive Portal for guests and/or new computers that have not yet been added to the domain. For those who are captured, an optional disclaimer could be presented.
#2 Would allow our clients to provide a disclaimer for everyone. For those already logged in through the ad connector, it would only display the disclaimer. For those who are not logged in through the ad connector, it would provide both a logon and the disclaimer.
Thoughts?
interesting conversation and some neat ideas, but the reality is the captive portal is integrated in the kernel, not in the virtual network inside the untangle-vm. This means that it is a system-wide singleton. Its not just a user interface issue, it has to be a service because its a singleton.
Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
If you need Untangle support please call or email support@untangle.com
Oooh, I need to get this so I can try out AD groups. The lack of group information in the AD connector has stopped us from ever using it. It might work for us now, although I guess we still need to push out the AD script to every user in our company. That shouldn't be a big deal, though.
Has anyone tried it out? Can you say anything about how it is implemented?
Disclaimer: I may or may not have had enough coffee when I'm posting. Interpret my responses thusly.
We're still at 7.1.0. Do I need to upgrade to 7.1.1 before 7.2 will show up as available, or can we upgrade directly from 7.1.0 to 7.2?
Disclaimer: I may or may not have had enough coffee when I'm posting. Interpret my responses thusly.
Instead of deploying the script, why not just use captive portal to identify the users?
And I think AD groups works great but I'd love you feedback.
Lastly, yes you will need to upgrade to 7.1.1 in order to get to 7.2.
Why aren't you on 7.1.1?
m.
<BR>
Big Frickin Disclaimer:
While I'm pretty sure, I can't guarantee that I know what I'm doing. There might be a better way to do this, and this way might actually suck. Make sure you understand the implications of what you're doing before trying to follow these directions.<BR>It often helps troubleshooting if you have a good network map. Look <A HREF="http://forums.untangle.com/tip-day/5407-how-draw-network-diagram.html">here</A> if you want my advice on how to draw one. <BR> <B>Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
If you need Untangle support please call or email support@untangle.com<B>
Simple question -- is 7.2 RC1 the same as 7.2 stable, or do we know yet?
cheers--
bob in sunny silicon valley
Captive portal is not a replacement for the AD Connector/Script. 100% of my clients would be pissed off if they had to login to the captive portal, instead of automatically being logged on via the login script. Captive portal is great for:
1.) those that are not logged on via Active Directory.
2.) Disclaimer for environments that require it.
3.) Guest subnets
4.) Public access points
5.) Linux workstations
Captive portal does not interest me in any way. We have way too many users who would complain about it, and we also have dozens of devices that need unattended Internet access, so then I'd have to figure out all of those, give them static IP addresses and then create exceptions for them. Not fun. I don't think management would even consider using the captive portal at this point.
I don't really have a good reason for not being on 7.1.1. I seem to recall reading some people having problems with it and when I looked at the change log it didn't seem to fix anything that applied to us, so I just haven't bothered with it. We seem to have issues with upgrades that happen automatically. The last two have stopped Internet access until I manually reboot the server, so I have automatic upgrades turned off.
Disclaimer: I may or may not have had enough coffee when I'm posting. Interpret my responses thusly.
Doesnt the script just notify the UT box what the username is and what IP they are using? It in no way does any kind of authentication.
We will require each and every person to login to get to the internet. Each company may do it differently. I agree they should be able to just read the agreement and click OK to get past. This at least records they agreed to the terms.
Lannie
Posting Permissions
LinkBack URL
About LinkBacks