This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Multiple Users On One Computer

Hello,

I have searched for this but haven't had any luck. I may be wording it wrong so please forgive me if this is asked and answered. Here is my scenario. I have Sophos UTM 9.2 with Active Directory and SSO. Everything seems to be working great with one issue. I have two computers for my kids that my wife and I sometimes use. For some reason the filter policy on these PC's (this is actually a problem on all PC's but I'm really concerned about these two) will only keep the policy for the first user logged in. For example when the PC is setup and I log my son in his filter profile is applied to the PC and it will not change to my profile if I log him out and back in. this means that when I'm surfing on his PC I can not visit any sites that are not kid friendly. This also applies to my personal Laptop. I cannot let one of my kids login with their account because they will still have my filter profile attached to the laptop and can therefore visit any site they want. Am I missing something in the configuration that's supposed to keep this from happening? I was under the impression that the profile was applied to the user based on AD authentication and that it would change the profile based on the user that's authenticated. Thanks in advance for the help!

This thread was automatically locked due to age.

0 Ross86 over 11 years ago

Are these PCs and yours all on the same subnet? It will be based on the allowed networks you have specified in the profile and then if you have set allowed AD users as well.

Have you tried the policy test tool on the UTM? You can enter the source IP and usernames to test the result.
Cancel
Vote Up 0 Vote Down

Cancel
0 marioacklin over 11 years ago

Hello, thanks for the reply. The PC's are all on the same subnet, but I also have the other subnets added to the filter policy. When I do the policy test it works as expected. It's almost like whatever authentication method that's being used by the browser and SSO is being cached on the machine and it's not re-checking when a new user logs in and opens a new browsing session.

I don't want to have it ask for a username and password so I am happy with the transparent proxy but it would be nice if I could figure out this last piece.
Cancel
Vote Up 0 Vote Down

Cancel
0 Ross86 over 11 years ago

That seems strange can you take a screenshot of the profile and policy config just so we can get a clearer picture? Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 marioacklin over 11 years ago

These are the policies that I have applied to my VLAN's. Let me know if you need more specifics.

Policies.zip
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 11 years ago

I think the authentication cache for AD-SSO is five minutes. Could that be your issue?

Cheers - Bob

Sorry for any short responses. Posted from my iPhone.
Cancel
Vote Up 0 Vote Down

Cancel
0 vilic over 11 years ago

Bob is right, but It would be strange if that is the issue, because auth cache should be user, not IP related (in my understanding).

Anyway, you can test this easily...logoff and than clear authentication cache on UTM (Definition & Users -> Authentication services -> Global). Logon again with different user and post results back here.

"A successful login is usually stored for 300 seconds to reduce the load on the directory servers. Cached authentication information can be flushed to force a new login to the directory service."

Also open Web Filtering live log and watch for user="DOMAIN\username" in logged lines.
Cancel
Vote Up 0 Vote Down

Cancel
0 marioacklin over 11 years ago

Hello, sorry for the slow response I have had a busy work week. I will try this suggestion tonight and post back. Thanks you all for the replies.
Cancel
Vote Up 0 Vote Down

Cancel
0 marioacklin over 10 years ago

Hello, I eventually ended up re-configuring my rules and now it seems to be working. I had moved my configuration from an old PC to a new VM and I'm thinking everything may not have restored correctly or I failed to change some of the old information. Everything seems to be working as expected now. Thanks everyone!
Cancel
Vote Up 0 Vote Down

Cancel

0 solae over 10 years ago

I've the same problem. I configured the UTM for SSO an created a authentication Server with AD.

Created a Backend Group for the Admins.

Filtering settings: Everything allowed for Admins, any others are Denied.

Now, if i'm loggin in with a User on a PC everything is blocked --> OK
But then i'm loggin in with the Admin there is also everything blocked. The Web Filter log shows the User not the Admin. Why?

Webfilter log (first login with user "marcelmueller")

2015:02:04-19:53:37 fw01 httpproxy[14987]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="192.168.45.50" dstip="" user="marcelmueller" ad_domain="ADDOMAIN" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="3179" request="0x132a6000" url="www.msftncsi.com/ncsi.txt" referer="" error="" authtime="70" dnstime="0" cattime="34587" avscantime="0" fullreqtime="44153" device="1" auth="2" ua="Microsoft NCSI" exceptions="" category="105" reputation="trusted" categoryname="Business" reason="category"

Webfilter log (second Login with user "Administrator" on the same PC)

fw01 httpproxy[14987]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="192.168.45.50" dstip="" user="marcelmueller" ad_domain="ADDOMAIN" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="3179" request="0x12ded000" url="www.msftncsi.com/ncsi.txt" referer="" error="" authtime="71" dnstime="0" cattime="271" avscantime="0" fullreqtime="10218" device="1" auth="2" ua="Microsoft NCSI" exceptions="" category="105" reputation="trusted" categoryname="Business" reason="category"

Webfilter log (first Login with user "Administrator" on an other PC)

2015:02:04-19:51:42 fw01 httpproxy[14987]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.45.51" dstip="179.60.192.3" user="administrator" ad_domain="ADDOMAIN" statuscode="302" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x13e7b800" url="www.facebook.com/.../ping

Why?

Edit: after some time (i think about 15 Minutes) the user changes in the Webfilter log and everything works. But this shouldn't happen isn't it?

0 BAlfson over 10 years ago

What you're seeing is the authentication cache in action - it associates an IP to a user so that it doesn't have to authenticate the user for every line in the log. The default time is 300 seconds. I think it only can be changed at the command line. Here's the current value:
cc get http auth_cache_ttl

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel