Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 1 reply
  • Subscribers 40 subscribers
  • Views 1862 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Device authenticates instead of user

Attila KEREKES

Hi!

We're using web category filtering with Active Directory groups. The proxy logs show that sometimes the user's devices are authenticating on proxy instead of user. The access rights are set to the users, not the devices. Because of this the proxy blocks the traffic when the authentication is performed on behalf of the device. Is there a solution so that web traffic initiated in a browser only authenticates on behalf of the user?



This thread was automatically locked due to age.
  • +1

    The request is authenticated and that user is assumed to be correct for several minutes.  Roughly every four minutes it is reauthenticated.

    If the first authentication request is actually by the Windows system itself (for example Windows Update) then windows will send the computer name as the user.  Because that is the user for that request.  It will consider it that user until reauthentication.  On reauth hopefully it is authenticating a real user request and then the logged in user will switch to the real one.  Note: reauthentication will never switch from a user to a computer.

    For most customers that means you might get a little bit of wrong auth, but it automatically correct itself and then stays corrected.  As far as I know due to background data most customers have the user authenticated for days.  That means an initial authentication only happens infrequently.

    You could potentially disallow all computers from logging in.  Then if the first requests to Windows Update (for example) would be blocked.  When real user requests come in it would authenticate correctly with a user, and then Windows Update would work.  I've never done this and am curious to see if it would work.  You would need to go to the computer user that is created on the XG, edit and...  I think set Network Traffic to None.

    Alternately set a firewall rule that applied to user and groups and put in all your computers.  Give them a limited web policy.  Or if you want you can use the same firewall rule and web policy, just set the rules within the web policy user to apply to users and groups as you see appropriate.

Unfiltered HTML