Authentication

You can require users to authenticate through a web page before they are allowed to browse the Web. Authentication grants Internet access for a specified time period. When the time period elapses, users must log in again before continuing.

The Lightspeed Systems Web Filter uses various authentication methods. Once a user logs in, the Web Filter uses the Rule Sets and Assignments to determine what types of content to allow or block. If a user is not associated with a specific rule set, the Web Filter uses the Default web filter rule set.

Captive Portal

You can use a captive portal to force HTTP clients on your network to authenticate before using the Internet. Use the Captive Portal table to restrict Internet access to the portal until authentication requirements are satisfied.

Captive Portal Table

  • Captive portal – Check (select) this option to force all users to authenticate before using the Internet.
    • Exclude users reported by a User Agent, RADIUS, proxy or mobile filter – Check (select) this sub-option to exclude users using the Lightspeed Systems User Agent, users authenticated by a RADIUS server, Proxy Server users, or Lightspeed Systems Mobile Filter users.

Tip

You can create exemptions to Captive Portal settings in the Exemptions table below.

  • Capture discovery URLs – Check (select) this option to redirect users sending discovery URLs to an access page.

Access Page

  • Authentication – Check (select) this option to let users who have been blocked authenticate with an access page.

Lifetime

Use this table to configure authentication lifetimes for users, user groups, and user OUs.

Tips on authentication lifetimes

Authentication lifetimes configured for user names should be placed at the top so they will be evaluated first.

You can change the evaluation order of a lifetime by sliding it up or down. To delete a lifetime click the X in its row.

Adding an authentication lifetime

  • 1. To add an authentication lifetime, click Add User. A pop-up window is displayed.
  • 2. Enter the following information:
    • Type – Select the authentication type for the user from the dropdown list, which can be User Group, User Name, or User OU
    • Authentication Source – Select the authentication source from the dropdown list
    • Use the search box to locate and select the user, user OU, or user group
    • Name – Enter the User Name, User OU, or User Group
    • Description – Enter a meaningful description
    • Authentication Lifetime – Enter the authentication expiration period in minutes, up to a maximum value of 7200 minutes (five days)
  • 3. Click Save to save your changes or Cancel to discard them.

Source Exemptions

Use these tables to enter IP addresses that are exempt from authentication.

Note:

Authentication exemptions do not apply to captive portal discovery URLs. Therefore, if the Capture discovery URLs option is enabled, clients will be redirected to an authentication page when they request one of the discovery URLs, even if the client’s IP is in the Exemptions list.

Tips for Exemptions

Source Exemptions are only applied to the “Require users to authenticate before web browsing” option in the Access table above and NOT the “Allow Users to authenticate from the access page when blocked” option.

To delete an exemption, move the mouse cursor over the right side of the exemptions list until an X appears. Click the X to remove the IP address or range from the list.

Adding an Exemption

  • 1. Click Add Exemption. A pop-up window is displayed.
  • 2. Enter the following information:
    • IP Range/Mask – You can allow specific IP addresses or ranges to access the Internet without authenticating. Add the starting IP and the ending IP addresses for a range, or add the same address as the start and end address for a single IP. You can enter as many IP addresses as you need. Enter IP addresses in the following format:
      192.168.1.0 – single IP address
      192.168.1.0-192.168.1.254 – range of IP addresses
      192.168.1.0/24 – CIDR notation for same range as above
    • Comment – Enter any comments about this exemption.
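
The following is an added example, not Lightspeed Systems code: a small Python model for reviewing a Source Exemptions list offline. It parses the three entry formats shown above, applies the documented rule that exemptions do not cover discovery URLs when Capture discovery URLs is enabled, and flags broad entries. The function names, the sample list and the 256-address review threshold are assumptions.

```python
import ipaddress

def parse_exemption(entry):
    """Return (first, last) IPv4 bounds for one exemption entry."""
    entry = entry.strip()
    if "/" in entry:                       # CIDR, e.g. 192.168.1.0/24
        net = ipaddress.IPv4Network(entry, strict=True)  # rejects stray host bits
        return net[0], net[-1]
    if "-" in entry:                       # start-end range
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start is after range end: {entry}")
        return lo, hi
    addr = ipaddress.IPv4Address(entry)    # single address
    return addr, addr

def is_exempt(client_ip, exemptions):
    """True if client_ip falls inside any exemption entry."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(lo <= ip <= hi for lo, hi in map(parse_exemption, exemptions))

def must_authenticate(client_ip, exemptions, is_discovery_url, capture_discovery):
    """Model of the documented behaviour, not the appliance's implementation."""
    if capture_discovery and is_discovery_url:
        return True                        # exemptions do not apply to discovery URLs
    return not is_exempt(client_ip, exemptions)

def oversized(exemptions, max_addresses=256):
    """List (entry, address_count) for entries wider than the review threshold."""
    flagged = []
    for entry in exemptions:
        lo, hi = parse_exemption(entry)
        count = int(hi) - int(lo) + 1
        if count > max_addresses:
            flagged.append((entry, count))
    return flagged

# Constructed sample list, one entry per documented format.
EXEMPTIONS = ["10.20.30.5", "192.168.1.0-192.168.1.254", "172.16.0.0/12"]

if __name__ == "__main__":
    for ip in ("10.20.30.5", "192.168.1.255", "172.31.9.9"):
        print(ip, "exempt" if is_exempt(ip, EXEMPTIONS) else "must authenticate")
    print("review:", oversized(EXEMPTIONS))
```

Every address inside a flagged entry browses without being tied to a user, so wide entries are worth narrowing to the specific servers or devices that need them.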

Destination Exemptions

Use the Destination Exemptions table to configure external IP addresses or domains where authentication is not required.

Follow the steps below to configure a domain to be excluded from authentication.

  • 1. From the dashboard click Web Filter.
  • 2. Click Authentication.
  • 3. Click Add Exemption under Domain Exemptions. A pop-up window is displayed.
  • 4. Enter the domain or IP address you want to exclude from authentication.
  • 5. Optional. Enter a meaningful description.
  • 6. Check (select) Proxy Auth Exemption if you want this domain exempted from authentication on the Proxy Server module.
  • 7. Check (select) Web Auth Exemption if you want this domain exempted from authentication on the Web Filter module.
  • 8. Click Save.

RADIUS

The Rocket appliance supports RADIUS accounting for user identification, which allows the Rocket to act as an accounting server for an existing RADIUS implementation. You can use the Rocket’s accounting server to pass authentication from wireless access points.

Note:

Only user names and IP addresses are passed to the Rocket accounting server.

Use the RADIUS table to configure the onboard RADIUS accounting server.

Shared secret – Enter the RADIUS shared secret to be used for the Rocket RADIUS accounting server. It must be the same shared secret that you configured on your wireless access point.

Click Save to save any changes you make.

Notes:

See the Mobile Devices page to configure the authentication source for the accounting server and see Configuring a RADIUS Accounting Server for steps to configure a RADIUS accounting server.

For servers or computers that do not have users logged in, you need to either create an Authentication Exemption or an Internal Ignore List entry. For an external web server you need to create an External Ignore List entry.