Authentication Methods Basics

What is Authentication?

Authentication is required for user resolution. Authentication is a process in which the credentials provided are compared to those on file in a database of authorized users’ information on a local operating system or within an authentication server (For example, logging into your Google account.) If the credentials match, the process is completed and the user is granted authorization for access.

Authentication is both a method and a source. This document will discuss authentication as a method. To learn about Authentication Sources, click here.

What is the Purpose of Authentication?

User resolution through authentication supplies the Web Filter with the user credentials in order to provide the end user with the proper policy assignment and reporting. The User Agent is often the most accurate (especially in environments where a single device might have multiple IPs) and the most seamless for the user (avoiding the need for web authentication) method of user resolution. Agent-less user resolution can inaccurately report tracking when a device has multiple or changing IPs (the Rocket only knows the IP that was in use when the user logged in).

Once a user has authenticated, either automatically through the User Agent, or manually from a captive portal, access page, or RADIUS, the web filter can use Rule Sets and Assignments to determine whether to allow or block web content.

Note: If a user is not associated with a specific rule set, the Web Filter uses the Default web filter rule set.

Why does Authentication Matter?

Authentication plays a key role in Web Filter reporting and user management. Users that are not authenticated may not get the right policies. In addition, web traffic from unauthenticated users makes many Web Filter reports difficult to read, as the web traffic is not directly associated with a unique username or IP address.

Authentication Methods

Here are the four primary methods of User Resolution. These methods can be combined in various ways to create the solution that best fits your school district’s needs. (All of our authentication methods will integrate with the school district’s Active Directory, Open Directory, eDirectory, LDAP or local users database. Multi-directory environments are also fully supported.)

  • User Agent: This agent installed on computers provides transparent authentication for these devices. Because this is a client-side agent, it can also provide the Web Filter with IP information for all the interfaces on the device. Learn more about User Agents.
  • LMA: Starting with Web Filter 3.x, the LMA Agent replaces the PC User Agent as your all-purpose method of user resolution.  Customers who are upgrading to or using Rocket Web Filter 3.2 need to use the Lightspeed Management Agent (LMA) as their PC user agent. You can learn more about the LMA here.
  • Captive Portal/Web Authentication: This agentless authentication works well in all environments. Similar to what you would see at a hotel or WiFi hotspot, with this enabled users are forced to identify themselves prior to accessing the Internet. This will work in all environments with any client device. Learn more about the Captive Portal here.
  • Domain Controller User Agent: The agent can be installed on Microsoft Active Directory Domain Controllers to supply the Rocket Web Filter with user information when a user logs in our out of the network. Learn more about our DC User Agent.
  • Lightspeed Rocket RADIUS Integration: For environments utilizing user authentication through RADIUS when users connect to the school district WiFi, the Rocket appliance can be set up as an accounting server with the Wireless RADIUS system. This is ideal for BYOD environments where a variety of personally owned devices are connecting. Learn more about configuring your Rocket for RADIUS integration here.

Authentication Method by Device

The following table identifies which method of user resolution you should use with each unique device.

Device Recommended Method
Mac Laptops/Desktops Mac User Agent
PC Laptops/Desktops Captive Portal, RADIUS
Chromebooks ChromeOS Extension Agent
Android Devices Captive Portal, RADIUS
iOS Devices RADIUS, Captive Portal
Windows Devices PCUA (WF v2.x), LMA (WF v3.x), Captive Portal, RADIUS

Authentication Methods Pro/Con

Web Authentication/Captive Portal

Works with any device with a web browser

  • Benefits: Universal support
  • Issues: Requires end user interaction; IP changes require additional captive portal login User Agents/LMA (Lightspeed Management Agent)
    Available for Windows, Mac, ChromeOS.

User Agents

  • Benefits: Completely transparent to the end user; highly reliable with network transitions
  • Issues: Agent needs to be deployed, which is challenging for BYOD environments

Domain Controller Agent

Available for Active Directory–based networks

  • Benefits: Agents need to be deployed only to domain controllers
  • Issues: Admins only know about information that reaches the domain controller; can have challenges in mobile environments due to cached credentials and IP changes; cannot provide resolution for devices that do not log into Active Directory (iPads, Chromebooks)

RADIUS

Available for any device that connects to an authenticated (802.1X/NAC) network

  • Benefits: No agent to install, transparent to the end user
  • Issues: Requires network support for NAC or 802.1X

Additional Resources

Please refer to our User Identification Explained whitepaper for an in-depth explanation of authentication and user resolution.