User Tools

Site Tools


auth_user50

User authorization types

Authorization by IP.

Most frequently used authorization type is using IP-address.

It is used in cases, when LAN users have static IP-addresses or dynamic IP-addresses strictly associated with MAC-addresses. User gets access to external network for all protocols and conforming to global and personal rules and conditions set.

In order to provide user with the IP-address it is necessary to select username in the list of users. The information page for this user will be opened.

After that select “IP/MAC address” tab, click “Add” and set address, assigned to this user.

After that assigned address will appear in the list of user addresses. Each user could be assigned any number of IP-addresses. It is also possible to assign range of addresses to user in the format “address/prefix”.

Warning! IP-address could be easily hijacked. Malicious user could impersonate another user by changing network settings on his personal computer. In order to prevent this - use MAC-address lock function.

Authorization by MAC.

This type of authorization is convenient when network uses dynamic addresses, but ICS CUBE is not used as DHCP server. In order to assign MAC-address to a user go to “IP/MAC address” tab and click “Add” - MAC:

Login/password authorization.

If a user has been supplied with username and password during creation, this user can get Internet access by configuring proxy server address 192.168.17.123 and port 3128 (default values) in browser settings.

During the attempt to use Internet ICS CUBE will prompt the user to supply username/password. This is called “Login/password authorization”.

Authorization process can use 2 mechanisms:

  • By user login and password - user, who created HTTP-query will receive pop-up window for entering its credentials (username and password) and will receive the query results after successful identification/authentication;
  • By domain - user, registered in Active directory will be automatically authorized on Proxy server.

Second mechanism is only possible, when ICS CUBE system is connected to Active Directory domain and users have been imported from the domain.

Warning! When using “username/password” authorization type the user will not be able to use ICQ, mail, bank-client and other programs, which are not using HTTP.

Simultaneous work with two types of authorization.

It is possible to assign some users with login/password authorization type and some with IP authorization.

In this case ICS CUBE applies “IP authorization” first, followed by “Username/Password authorization”:

1. IP-address of the user is checked first of all. Users with known IP-addresses are allowed.

2. If user has proxy settings set in its browser - he will be prompted to enter username/password pair. Users who have successfully authenticated themselves are allowed.

3. All the rest of the users are blocked.

More detailed description of authorization sequences is provided in proxy-server settings part.

Other authorization types.

In order for user with dynamic IP-address to authorize by login/password and be permitted to access external network without any limitations it is necessary to use xauth or web-authorization.

In order to speed up user creation process - import function is used.

After user has been created it is possible to assign access rules to the user.

Terminal server user authorization.

All users using Terminal Server cannot be differentiated by ICS CUBE in thier network queries because all such queries originate from a single Terminal Server IP-address. Therefore in order to have separate statistical reports and apply per-user access settings it is necessary to specify proxy-server in the browser settings for each of the Terminal Server users. In this case every user will be registered under his own login and queries coming to the proxy server will be identified for each of the Terminal Server user.

auth_user50.txt · Last modified: 2020/03/14 22:59 by zog