CLEANACCESS Archives

September 2005

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Bill Davis <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Sun, 18 Sep 2005 14:27:40 -0400

I did some playing around with the "require users to be certified at every
web login" option and I have found the following:

If a Role has this option set, it will remove the entry from the certified
list when the user either logs out, times out from the logged in users, or
is kicked off, regardless of the original Role that was used to put the
entry in the certified list.

The major concern is that the Guest account can be used to circumvent any
requirements of another role.  Probably the same can be said for any
combination of Roles, where one Role does not require certification at each
login and the user has access to multiple roles.

My questions are at the bottom, but the details are in the following
discussion.  I apologize for the long posting. Read on if interested.

Scenarios:

  Guest Role requires certification at each login.  Guests log in using the
    web interface.  There are no requirements for Guest Role but it has
    limited access (ports 80 and 443).

  Student Role does NOT require certification at each login, the intent is
    to clear the certified list once per week using the certified devices
    timer.  Students log in using the CCA-agent.  There are a number of
    requirements that the Student Role must meet. Role has unlimited access.

  User logs in as Guest, entry is put in certified list
  User logs out of Guest, entry deleted from certified list

  User logs in as Student, system scanned, entry is put in certified list
  User logs out of Student, entry is NOT deleted from certified list
  All subsequent Student logins, system is NOT scanned, given access to net

  User logs in as Guest, entry is put in certified list, has limited access.
  User logs in as Student, system is NOT scanned, given full access to net
  User logs out as Student, entry is NOT deleted from certified list
  All subsequent Student logins, system is NOT scanned, given full access
    to net until Guest entry removed from certified list.

  User logs in as Student, system scanned, entry is put in certified list
  User logs out of Student, entry is NOT deleted from certified list
  User logs in as Guest, entry in certified list not changed to Guest Role
  User logs out as Guest, removes Student Role entry from certified list

Additional Notes:

Regardless of the Role in the certified list, the online user role does
  use the correct traffic control for that role.

If both Guest and Student require certification at each login, then the
  certified list entry is removed at each logout, regardless of Role.

My design goal is to require certification of Guests at each login, and to
require Students to certify once each week.

I found that after some period of time, on-line users are removed from the
list automatically, rather than through the timed clearing of the certified
list. If the Student is required to certify at each log in, then their entry
is removed from the certified list when they "timeout" and the system must
be rescanned at the next login. (Not such a bad thing, but not our design.)

If I could get the on-line timeout and the clearing of the certified list to
coincide, then I could set the Student Role to require certification at each
login with minimal impact on our design goal.


Questions:

Is there a specific setting that controls how long users are considered on-line?

Does anyone else use this configuration and do you see the same response?

Any suggestions for achieving our design goal?

-Bill
William S. Davis
Network Security Administrator
Housing Technology Services
Colorado State University
[log in to unmask]




On Fri, 16 Sep 2005 22:43:33 -0400, King, Michael <[log in to unmask]> wrote:

>In:
> Device Management > Clean Access > General Setup
>
>Student Role
>
> is "Require users to be certified at every web login" checked?
>
>If you want to experiment, does the behavior return if you check that
>button in your guest role?
>
>________________________________
>
>From: Perfigo SecureSmart and CleanMachines Discussion List on behalf of
>Bill Davis
>Sent: Fri 9/16/2005 8:01 PM
>To: [log in to unmask]
>Subject: Problems with use of Guest account
>
>
>
>I just discovered a major hole in the way our configuration is set.  I am
>not sure if this is just a mis-configuration on our part, so any suggestions
>are appreciated.  I am on version 3.5.5, and agent 3.5.7.
>
>Situation:
>
>If a user logs on using the Guest Role via the Web interface and then uses
>the Clean Access Agent (after already installing it) to log on a second time
>with a different Role, the system is not subject to the Clean Access Agent
>certification rules and gives access as the new role to the user without
>being scanned as required by that new role.
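
The certified-list behaviour reported in the message above can be captured in a small model; this is an added example, not part of the original post and not Clean Access code. The MAC-keyed list and the `role_bound` switch (skip the scan only when the entry was created by the same role) are assumptions for illustration, not product options.

```python
# Added model of the behaviour reported in the post; not vendor code.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Role:
    name: str
    certify_every_login: bool  # the "certified at every web login" option
    has_requirements: bool     # role has checks the device must pass

GUEST = Role("Guest", certify_every_login=True, has_requirements=False)
STUDENT = Role("Student", certify_every_login=False, has_requirements=True)

@dataclass
class CertifiedList:
    role_bound: bool = False                     # hypothetical hardening switch
    entries: dict = field(default_factory=dict)  # device MAC -> certifying role

    def login(self, mac, role):
        """Record the login; return True if the device gets scanned."""
        certifier = self.entries.get(mac)
        if self.role_bound:
            trusted = certifier == role.name     # entry must come from this role
        else:
            trusted = certifier is not None      # reported: any entry is accepted
        scanned = role.has_requirements and not trusted
        if certifier is None or scanned:
            self.entries[mac] = role.name        # otherwise the entry keeps its role
        return scanned

    def logout(self, mac, role):
        owns = self.entries.get(mac) == role.name
        # reported: removal follows the role logging out, not the certifying role
        if role.certify_every_login and (owns or not self.role_bound):
            self.entries.pop(mac, None)

def guest_then_student(role_bound):
    """Third scenario: is the Student login scanned after a Guest web login?"""
    cl, mac = CertifiedList(role_bound), "00:00:5e:00:53:01"  # constructed MAC
    cl.login(mac, GUEST)
    return cl.login(mac, STUDENT)

def student_then_guest(role_bound):
    """Fourth scenario: which entry is left after a Guest logout?"""
    cl, mac = CertifiedList(role_bound), "00:00:5e:00:53:01"  # constructed MAC
    cl.login(mac, STUDENT); cl.logout(mac, STUDENT)
    cl.login(mac, GUEST); cl.logout(mac, GUEST)
    return cl.entries.get(mac)

if __name__ == "__main__":
    for bound in (False, True):
        print(bound, guest_then_student(bound), student_then_guest(bound))
```

With `role_bound=False` the model reproduces the third and fourth scenarios as reported; with `role_bound=True` the Student login is scanned and the Guest logout leaves the Student entry in place.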
