Any type of agent/client that makes end users authenticate?

Unanswered Question
Apr 29th, 2009

We are using transparent domain authentication, so the user credentials are passed through to authenticate/log/report the end users' web activity. Problem is, we have a couple generic accounts on some of the multi-user PCs (500+ hosts) for our nurses to use, so that they don't have to Windows login every time they need to document something; the PC is just left logged in (restricted and locked down, of course).

We need to be able to report on those staff members though, and we can't remove internet access, and we can't force them to Windows login as themselves (corporate policy, they say it takes too long).

So, the question is, is there a software client that will prompt the generic machines to log into IronPort when they try to access internet resources? We still want to maintain the pass-thru authentication for everyone else, just make it prompt for the machines that are logged in as a generic user. It would be WAY simpler to deploy a client software than manually reconfigure every one of those network ports to a separate VLAN/Subnet.

Any other ways to make this happen?

Thanks in advance for your good news :)

jowolfer Thu, 04/30/2009 - 15:52

From the WSA perspective, the only way to differentiate these shared computers vs. the regular users, is via subnet / IP.

They wouldn't necessarily have to all be assigned to a new subnet, they'd just need static IPs.

You can enter all of the IPs into a custom identity that uses basic credentials (NTLM basic or LDAP).

There is no proxy client software that we can provide.

Jtruxton_ironport Thu, 04/30/2009 - 16:32

I guess we will set up a different VLAN for our regular users and then set our filters up. Thank you for your reply...

David Paschich Thu, 04/30/2009 - 17:42

We are very close to releasing the 6.0 version of the WSA code, which has a feature called "re-authentication" which may help in your case.

Basically, you set up the generic accounts that these workstations are logged into Windows as to have no web privileges. With the new feature, the "block" page from the WSA will have a button the user can push to provide their authentication credentials directly in the browser. We designed it in response to some of our other health care customers who have almost exactly your requirements. Best part - no client software needed!

Jtruxton_ironport Thu, 04/30/2009 - 17:58

Like next month? Next 3 months? It sounds perfect and no work on my part other than the upgrade, I think I can handle that :D

jowolfer Fri, 05/01/2009 - 15:09

Ah! Yeah, the re-auth should work rather nicely in your case!

6.0 is scheduled for release in, oh... 4 days, but don't quote me on that =)

It's an unofficial ETA, but we expect it to be released in the very near future.

Jtruxton_ironport Tue, 05/05/2009 - 20:37

I just acquired the update, and I think this will work just fine :) I will have to do some testing of course, but it looks perfect.

Jtruxton_ironport Wed, 05/13/2009 - 21:18

The button to reauthenticate is working very well, and we have our SSO working so it clicks that button and signs in for them.

Now, the question is, can we change the text on the notification page so that our nurses won't be confused where it says "This Page Cannot Be Displayed"?

Is there any way to edit that page? I believe it is automatically generated, I am thinking if there is a path to that template, I could maybe edit it directly?

OR, we could link to a custom page, but how would we get the reauthentication button? Is there a direct link to call the login box? It looks like the URL it calls is different every time...

jowolfer Mon, 05/18/2009 - 15:49


You can combine the custom EUN pages with re-authentication. Please see page 244 in the 6.0 User Guide for how to enable custom EUN pages.

The values for enabling reauth in a custom page are %r and %R. Please see the code below for an example:

I can't seem to get this forum page to display code without messing it up...

If you send me an email to josh @@ ironport .. com I'll send you sample code which works.

This will present a generic button for re-auth. Note that in order for this to be displayed, re-auth will need to be enabled from the authentication settings.

Jtruxton_ironport Mon, 05/18/2009 - 17:40

Hi Josh, I sent you an email, I was reading the manual there but it didn't make much sense to me... Hoping you can help with a snippet of code :D

JennieMorton Wed, 05/20/2009 - 22:42

Hi Josh, I sent you an email, I was reading the manual there but it didn't make much sense to me... Hoping you can help with a snippet of code :D

I'm sorry the WSA User Guide didn't help much. The piece of code Josh sent you will be included in the WSA User Guide for the next release.

jowolfer Thu, 05/21/2009 - 15:07

I did not receive your email for some reason. Please try sending another one to me.

Jtruxton_ironport Thu, 05/21/2009 - 15:22

Hi Josh, not sure why that email didn't work.. Anyhow, I did get a reply to my case from a fellow named Madhura, and it detailed the correct code snippet, I am putting it into the page now to see if this will get it to work as we hope. Thanks for all your time, I am optimistic that this will solve the issue we are having.

Jtruxton_ironport Thu, 05/28/2009 - 19:41

OK, soooo...... I didn't care about this new twist personally, but the boss wanted to find out if this could be done. The issue, when our end users click the button to reauthenticate for a website that we very specifically block (example: it brings the login prompt back up, 4 times, before the user gets the denied page. Is there a way to limit how many times the user is prompted for different credentials? I figure it might be based on the limit of failed attempts to the domain, but I could be wrong. Anyhow... what do you think? :)


