User Tools

Site Tools


auth_user

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

auth_user [2014/12/17 13:24] (current)
Line 1: Line 1:
 +=====User authorization types=====
  
 +==== Login/​password authorization ====
 +
 +If user been supplied with username and password during creation, we can get Internet access if put proxy server in the browser settings: 192.168.17.123 and port 3128.
 +
 +During the attempt to use internet ICS will ask username/​password. This is called "​Login/​password authorization"​.
 +
 +Authorization itself could be using 2 methods:
 +• By user login and password - user, who created HTTP-query will receive pop-up window for entering its credentials (username and password) and will receive its query after successful identification
 +• By domain - user, registered in Active directory will be automatically authorized on Proxy server;
 +
 +
 +
 +Second type is only possible, when system is connected to Active Directory domain and users are imported from the domain.
 +
 +**Warning. Using this authorization type will prevent usage of ICQ, mail, bank-client and other software'​s,​ which are not using http-protocol.**
 +==== Authorization by IP ====
 +
 +Most used authorization type is authorization using IP address.
 +
 +It is used in the cases, when LAN users having static IP addresses or dynamic addresses, registered with MAC-address. User get access to external network for all the protocols and according to global and personal rules and conditions set.
 +
 +In order to provide user with the IP address it is necessary to select username in the list of users. The information page for this user will be opened. After that select IP address tab, click "​add"​ and set address, assigned to this user.
 +
 +{{:​ics-user-ips-add.png|Добавление IP-адреса пользователю}}
 +
 +After that assigned address will appear in the list of user addresses. Each user could be assigned with any number of IP addresses. It is also possible to assign range of addresses to user in the format address/​prefix.
 +
 +{{:​ics-user-ips-new.png|IP-адреса пользователя}}
 +
 +** Warning! IP address could be easily high jacked. ​ Malicious user could impersonate another user by changing network settings on its personal computer. In order to prevent it - use MAC address lock function.**
 +
 +====Authorization by MAC====
 +
 +This type of authorization is convenient when network uses dynamic addresses, but ICS is not used as DHCP server. In order to assign MAC address to user, navigate to IP-addresses settings of the user and Click "Add MAC address:
 +
 +
 +{{:​user-mac-add.jpg|Добавление MAC-адреса пользователю}}
 +
 +==== Simultaneous work with two types of authorization ====
 +
 +It is possible to assign some users with login/​password authorization type and some with IP authorization.
 +
 +The sequence in this case is "IP authorization"​ followed by "​Username/​Password authorization":​
 +
 +1. IP address of the user is checked first of all. users with known IP addresses are allowed.
 +2. If user has proxy settings set in its browser - he will be asked to enter login name/​password. Users who successfully authenticate themselves are allowed.
 +3. All the rest of the users are blocked.
 +
 +More detailed description of authorization sequences are explained in proxy-server settings part.
 +
 +
 +====Other authorization types====
 +
 +In order to user with dynamic IP-address to authorize by username/​password and be allowed in the external network without any limitations it is necessary to use xauth or web-authorization.
 +
 +To speed-up user creation process - import function is used.
 +
 +After user creation it is possible to assign them with access rules.
 +
 +====Terminal server user authorization====
 +
 +All the users using Terminal Server are not different from each-other from ICS network queries prospective (same Terminal Server IP address is a source of traffic). Therefore in order to split statistical report and access settings it is necessary to specify proxy-server in the browser settings for each of the Terminal Server users. In this case every user will be registered under its own login and proxy-passing queries will be identified for each of the Terminal Server users.
auth_user.txt · Last modified: 2014/12/17 13:24 (external edit)