I did some playing around with the "require users to be certified at every
web login" option and I have found the following:
If a Role has this option set, it will remove the entry from the certified
list when the user either logs out, times out from the logged-in users list, or
is kicked off, regardless of the original Role that was used to put the
entry in the certified list.
The major concern is that the Guest account can be used to circumvent any
requirements of another role. Probably the same can be said for any
combination of Roles, where one Role does not require certification at each
login and the user has access to multiple roles.
My questions are at the bottom, but the details are in the following
discussion. I apologize for the long posting. Read on if interested.
Scenarios:
Guest Role requires certification at each login. Guests log in using the
web interface. There are no requirements for the Guest Role, but it has
limited access (ports 80 and 443).
Student Role does NOT require certification at each login; the intent is
to clear the certified list once per week using the certified devices
timer. Students log in using the CCA-agent. There are a number of
requirements that the Student Role must meet. The Role has unlimited access.
Scenario 1:
User logs in as Guest, entry is put in certified list
User logs out of Guest, entry deleted from certified list
User logs in as Student, system scanned, entry is put in certified list
User logs out of Student, entry is NOT deleted from certified list
All subsequent Student logins, system is NOT scanned, given access to net

Scenario 2:
User logs in as Guest, entry is put in certified list, has limited access.
User logs in as Student, system is NOT scanned, given full access to net
User logs out as Student, entry is NOT deleted from certified list
All subsequent Student logins, system is NOT scanned, given full access
to net until Guest entry removed from certified list.

Scenario 3:
User logs in as Student, system scanned, entry is put in certified list
User logs out of Student, entry is NOT deleted from certified list
User logs in as Guest, entry in certified list not changed to Guest Role
User logs out as Guest, removes Student Role entry from certified list
Additional Notes:
Regardless of the Role in the certified list, the online user role does
use the correct traffic control for that role.
If both Guest and Student require certification at each login, then the
certified list entry is removed at each logout, regardless of Role.
My design goal is to require certification of Guests at each login, and to
require Students to certify once each week.
I found that after some period of time, on-line users are removed from the
list automatically, rather than through the timed clearing of the certified
list. If the Student is required to certify at each login, then their entry
is removed from the certified list when they "timeout" and the system must
be rescanned at the next login. (Not such a bad thing, but not our design.)
If I could get the on-line timeout and the clearing of the certified list to
coincide, then I could set the Student Role to require certification at each
login with minimal impact on our design goal.
Questions:
Is there a specific setting that controls how long users are considered on-line?
Does anyone else use this configuration and do you see the same response?
Any suggestions for achieving our design goal?
-Bill
William S. Davis
Network Security Administrator
Housing Technology Services
Colorado State University
[log in to unmask]
On Fri, 16 Sep 2005 22:43:33 -0400, King, Michael <[log in to unmask]> wrote:
>In:
> Device Management > Clean Access > General Setup
>
>Student Role
>
> is "Require users to be certified at every web login " checked?
>
>If you want to experiment, does the behavior return if you check that
>button in your guest role?
>
>________________________________
>
>From: Perfigo SecureSmart and CleanMachines Discussion List on behalf of
>Bill Davis
>Sent: Fri 9/16/2005 8:01 PM
>To: [log in to unmask]
>Subject: Problems with use of Guest account
>
>
>
>I just discovered a major hole in the way our configuration is set. I am
>not sure if this is just a mis-configuration on our part, so any suggestions
>are appreciated. I am on version 3.5.5, and agent 3.5.7.
>
>Situation:
>
>If a user logs on using the Guest Role via the Web interface and then uses
>the Clean Access Agent (after already installing it) to log on a second time
>with a different Role, the system is not subject to the Clean Access Agent
>certification rules and gives access as the new role to the user without
>being scanned as required by that new role.
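The three scenarios above can be boiled down to two rules: a login only scans when the device has no certified-list entry yet (whichever role put it there), and a logout only removes the entry when the role that is logging out has the "certified at every web login" flag. The model below is an added example written for this page, not Clean Access code and not from either poster; it encodes only those two observed rules and then replays the Guest-then-Student scenario. The device key (a constructed MAC), the role flags, and the `per_role` option (a hypothetical variant that tracks certification per device-and-role, to show what closes the gap) are all assumptions of the example.

```python
"""Model of the certified-list behaviour reported in the thread.

Constructed example, not Clean Access code. Only the observed rules are
encoded; the per_role variant is a hypothetical fix, not a product setting.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    name: str
    requires_scan: bool        # role has posture requirements the agent checks
    certify_every_login: bool  # "Require users to be certified at every web login"


# Role settings as described in the post (assumed flags for the example).
GUEST = Role("Guest", requires_scan=False, certify_every_login=True)
STUDENT = Role("Student", requires_scan=True, certify_every_login=False)


@dataclass
class CertifiedList:
    """Observed behaviour: one entry per device, remembering the role that added it."""
    per_role: bool = False             # hypothetical: key entries by (device, role)
    entries: dict = field(default_factory=dict)
    scan_log: list = field(default_factory=list)

    def _key(self, device, role):
        return (device, role.name) if self.per_role else device

    def login(self, device, role):
        """Return True if this login triggered a posture scan."""
        key = self._key(device, role)
        if key in self.entries:
            return False               # already certified by some role: no scan
        scanned = role.requires_scan   # Guest has no requirements, so no scan
        if scanned:
            self.scan_log.append((device, role.name))
        self.entries[key] = role.name  # entry records the role that added it
        return scanned

    def logout(self, device, role):
        """Entry is removed only if the role logging out has the every-login flag."""
        if role.certify_every_login:
            # observed: removed regardless of which role originally added it
            self.entries.pop(self._key(device, role), None)


DEVICE = "00:11:22:33:44:55"   # constructed MAC address for the example


def guest_then_student(per_role=False):
    """Scenario 2: Guest web login, then Student agent login from the same device.

    Returns (was_student_scanned, certified_entries).
    """
    cl = CertifiedList(per_role=per_role)
    cl.login(DEVICE, GUEST)
    scanned = cl.login(DEVICE, STUDENT)
    return scanned, dict(cl.entries)


def student_then_guest_logout():
    """Scenario 3: Student certifies, then a Guest logout wipes the Student entry.

    Returns (role recorded after the Guest login, entry still present after Guest logout).
    """
    cl = CertifiedList()
    cl.login(DEVICE, STUDENT)          # scanned, entry recorded as Student
    cl.logout(DEVICE, STUDENT)         # Student lacks the flag: entry stays
    cl.login(DEVICE, GUEST)            # entry is not changed to Guest
    role_after_guest_login = cl.entries[DEVICE]
    cl.logout(DEVICE, GUEST)           # Guest has the flag: Student entry removed
    return role_after_guest_login, DEVICE in cl.entries


if __name__ == "__main__":
    print("Guest then Student, observed model:", guest_then_student())
    print("Guest then Student, per-role model:", guest_then_student(per_role=True))
    print("Student then Guest logout:", student_then_guest_logout())
```

With the observed rules, the Student login after a Guest login returns `False` (no scan) while the list holds a `Guest` entry, which is exactly the hole described in the original post. The hypothetical `per_role=True` variant scans the Student login because the Guest entry no longer satisfies it; whether the real product offers anything equivalent is not something this thread establishes.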