Category: Technical Guide


Central to Family Zone School Manager (Linewize) is user authentication and identification. Identification facilitates flexible identity specific filtering and reporting and is crucial for network management in modern learning.
 
This guide introduces the concept of Authentication and Identity Management and describes the concepts and pitfalls of deploying Authentication in your network.

Overview

When a user connects to the network they are normally unidentified. This means their browsing cannot be filtered specifically and reporting can only be based on device heuristics. Authentication is the process of identifying the users on your network.

Once identified, this user information can be used to correctly filter traffic and provide in-depth reporting on individual internet usage.

User identification is becoming even more important in the world of internet-enabled devices and BYOD. Correct user identification enables accurate and individualised filtering across all internet-enabled devices and helps facilitate BYOD in a learning environment.

 

[Figure: User Identity]

 

The first step in Authentication and Identity Management is deciding how you are going to identify the different users and devices on your network. Modern networks contain a wide range of devices and operating systems, and it is paramount that you provide a painless authentication method for your users. Linewize recommends that you take a hybrid approach to authentication, making use of several different Authentication methods for your different user groups and device types.

Considerations

When deploying Authentication on your network, there are several key points to consider to ensure that the process is pain-free and accurate. These considerations will help you to create a hybrid authentication plan that best suits your network and environment.

  • What kind of devices are your users connecting with; iPhones, Chromebooks, Windows Laptops?
  • How are they connecting to the network?
  • Is your network segmented into VLANs?
  • What age groups are using devices?
  • Do you have a well defined group structure?
  • What directory services are available on the network?

Once you have considered the points above, you can formulate a hybrid authentication plan. Family Zone School Manager supports many different Authentication methods and a hybrid Authentication plan consists of several of these methods.

 

An example Hybrid Authentication Plan:

| Type of Device | Authentication Method | User Experience |
| --- | --- | --- |
| Domain Joined Staff Laptop | WMI Kerberos Domain Controller Events | User logs in with a domain account and is authenticated automatically |
| Domain Joined Lab Computer | WMI Kerberos Domain Controller Events | User logs in with a domain account and is authenticated automatically |
| BYOD iPhone | One-off Captive Portal Login | User logs into the network via a captive portal, then saves their device permanently |
| Shared Google Chromebook | Chrome Extension | The Chrome extension identifies the user on Chrome login and authenticates automatically |
| Guest Laptop | Captive Portal Guest Login | Guest gets a pass from Reception, then logs in via the Guest Captive Portal |
 

Once you have put together a plan for Authentication, it's time to look at the implementation details of that plan. Family Zone recommends that you take a gradual approach to avoid user frustration, and that you educate your users on what to expect in advance.

 

The User Session

The basis for Authentication and Identity Management with School Manager is the User Session. When a user connects to the network they log in, a user session is created, and from that point onwards the user's network usage is mapped to their identity.

A user session is a mapping between a user identity and an individual network device. Normally this relationship is a mapping between MAC address, IP address and user.

 

Example Session Table:

| Username | MAC Address | IP Address | Login Time | State |
| --- | --- | --- | --- | --- |
| jack.sparrow | a1:f3:d1:a1:b2:c9 | 192.168.1.88 | 10:02 AM | ACTIVE |
| jim.baggons | a7:f4:d2:a1:b2:dd | 192.168.7.2 | 11:03 AM | ACTIVE |
| michael.jackson | a2:c4:a2:a7:b1:a2 | 192.168.1.5 | 08:01 AM | INACTIVE |
 

User sessions are created by Authentication Providers when a user signs in, and they have a finite lifetime. School Manager supports many different providers, such as Captive Portal, 802.1x Radius, Windows Domain Controller logins and Permanent Associations. These providers are discussed in more detail in the following sections, but it's important to keep in mind that different providers can be used in tandem with each other. This is the basis for a Hybrid approach to Authentication.

Login Providers

As previously mentioned, School Manager supports many different methods of Authentication. This section explains each method and how it is integrated.

  • Captive Portal Login
  • Domain Controller Authentication
  • NPS Radius Authentication
  • 802.1x Radius Authentication
  • Chrome Extension
  • Permanent Associations

Captive Portal Login

A captive portal is what a user sees when they first associate with a Wi-Fi SSID or join the network and open a web browser to surf the Internet. When a captive portal is configured, all Internet traffic is redirected to a particular URL and the user is required to log in before they are allowed to pass through to the Internet.

 

[Figure: Captive Portal Authentication]

 

As the base authentication mechanism, School Manager provides a secure captive portal hosted in our cloud environment.

When deploying the captive portal, there are several things to keep in mind:

  • Access to HTTPS sites will be disabled while the user is not authenticated.
  • Sessions are only temporary and will timeout after a period of inactivity.
  • Servers, printers and internet enabled devices may need access without login.

School Manager supports the use of different captive portals for different subnets or VLANs. If your network is segmented into logical VLANs, we recommend creating a different captive portal for each segment. This segmentation allows you to customise timeouts, exceptions and the login method, and to enable or disable user-driven permanent associations, per segment.

Example Captive Portal Configurations:

| Portal Name | Network | Login Method | Permanent | Timeouts |
| --- | --- | --- | --- | --- |
| Student BYOD | 192.168.1.1-192.168.1.254 | LDAP Credentials | YES | -- |
| Lab Computers | 192.168.10.1-192.168.20.254 | LDAP Credentials | NO | 10 Minutes Idle |
| Guest Network | 172.16.1.1-172.16.1.254 | Guest Token | NO | 1 Day Lifetime |
| Servers | 10.7.1.1-10.7.1.255 | Not required | -- | -- |
 

Deploying specific captive portals gives you a degree of flexibility and eases pain for your users.

Several different authentication backends can be configured for login to the captive portal. Integrating with these providers is straightforward, and the group membership and user information that these providers supply become part of the user identity and are used in filtering rules.

 

| SSO Provider | Authentication Mechanism |
| --- | --- |
| LDAP or Active Directory | Users must enter a username and password that is checked against the LDAP server |
| Google OAuth | Users are redirected to the Google authentication servers and asked to approve the login |
| Azure AD | Users are redirected to the Office 365/Azure AD servers and asked to log in and approve the login |
| Guest Token | Users enter a guest token that has been created previously in the Linewize Cloud |
| Local UserDb | Users are asked to log in with a username and password |

Different methods can be configured and used in different portals, and thus on different VLANs and networks.

To help facilitate logins via the captive portal, there are several magic URLs that can be bookmarked and shared to forcibly trigger the login and logout process.

| Link | Description |
| --- | --- |
| http://login.linewize.net | Presents the user with the option to log in or log out, and to log out of Google. |
| http://autologin.linewize.net | Opens the relevant captive portal for that network and prompts the user to log in. |
| http://autologout.linewize.net | Triggers a manual logout. This can only be used if the user session originated from the captive portal. |

On shared machines these links can be deployed to open on startup to assist in ensuring the correct user is authenticated on the device.

Exceptions and Exclusions

Devices, applications or websites can be configured to be exempt from any required authentication. This is useful for resources that you want accessible without any hindrance (such as the school's website), or for special-purpose devices that need to access the internet but cannot provide the user interaction needed to log in to the captive portal (such as printers or cameras).

Permanent Associations

Permanent associations are discussed in more detail later in this document, but it's worth noting here that a Captive Portal can be configured to allow users to "save their device" permanently. This removes the need for future login attempts and makes the user experience much more streamlined.

 

Active Directory WMI Domain Login

School Manager offers automatic authentication for domain-joined machines. This solution provides seamless automatic login for Windows desktops, Terminal Server clients and Apple OS X computers that are joined to the domain.

Once configured the Family Zone appliance will poll your Windows Domain Controllers every few seconds for Kerberos login events via the WMI API. This is the simplest method of authentication because it requires no intervention from the user and is transparent and seamless.

[Figure: Domain Logins]

 

Users log in to their domain-joined PC and are instantly authenticated. Unlike other solutions, Family Zone School Manager does not require an agent to be installed on the Domain Controller; instead it requires an account on your domain and polls the DC remotely. The only downside of AD WMI login is that it does not normally extend to BYOD devices, so in a BYOD environment a hybrid approach, with Radius 802.1x or a captive portal login for BYOD users, is almost always required.

 

When deploying AD WMI integration, it's important to keep the following in mind:

  • On large networks it is common practice to have several domain controllers. Ensure that each domain controller is configured.
  • Terminal servers need to be configured for multiple IP addresses based on sessions.
  • In most cases you will also need to configure the LDAP directory service in Family Zone School Manager as well.

Active Directory WMI Login is by far the least intrusive authentication method. Where possible we recommend it be used as the primary login method.

 

NPS Radius Authentication

Similar in concept to the Active Directory WMI logins, School Manager's 802.1x support hooks into the WMI API of your Microsoft NPS server and identifies users using 802.1x Wireless Authentication.

802.1x is an Authentication Protocol widely used on wireless networks today. It offers secure and very flexible username and password based login for networks. Prior to 802.1x, access to wireless networks was normally reliant on a shared key. This new approach extends the notion of single sign on to wireless and enables profile based layer 2 connectivity.

Because users signing on to an 802.1x wireless network are identified by their LDAP credentials, Family Zone School Manager is able to use this information to provide automatic, touchless authentication.

Keep in mind:

One caveat with NPS integration for 802.1x is that the security events provided by NPS via WMI do not contain the IP address of the client device. If traffic is routed before it reaches our appliance, we will not be able to correctly identify the client device and the login events will fail.

 

802.1x Radius Accounting Proxy

School Manager can also be configured as a radius accounting endpoint for wireless networks using 802.1x authentication. Normally configured on your wireless controller, School Manager intercepts the radius accounting events when users login to the wireless network and they are automatically signed in with School Manager.

 

[Figure: Radius Proxy]

 

This is very similar to NPS Radius Authentication, with a couple of key differences. Whereas NPS Radius authentication is tied to the Microsoft Network Policy Server, Microsoft's standard Radius implementation, the accounting proxy can be configured to work with any Radius server. The Radius Accounting endpoint also supports identification based on the client IP address, through the Framed-IP attribute passed in accounting events from most wireless controllers.
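As an added illustration, not School Manager's own code, the following Python constructs a Radius Accounting-Request in the RFC 2866 layout, verifies its Request Authenticator against the shared secret before trusting it, and maps User-Name plus Framed-IP-Address (the attribute the text calls Framed-IP) onto an IP-keyed session table; the packet contents, shared secret and session layout are constructed assumptions.

```python
import hashlib, hmac, ipaddress, struct

ACCT_REQUEST = 4                                       # RADIUS Code for Accounting-Request
ATTR = {1: "User-Name", 8: "Framed-IP-Address", 31: "Calling-Station-Id", 40: "Acct-Status-Type"}
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}  # Acct-Status-Type values
SAMPLE_SECRET = b"constructed-shared-secret"           # constructed for this example only

def sample_packet(status=1, with_ip=True, secret=SAMPLE_SECRET):
    """Constructed Accounting-Request (RFC 2866 layout) like one a wireless controller sends."""
    attrs = [(1, b"jack.sparrow"), (31, b"A1-F3-D1-A1-B2-C9"), (40, struct.pack("!I", status))]
    if with_ip:
        attrs.insert(1, (8, bytes([192, 168, 1, 88])))
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, 7, 20 + len(body))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def parse_accounting_request(pkt, secret):
    """Check the authenticator with the shared secret, then decode the identity attributes."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    body = pkt[20:]
    expected = hashlib.md5(pkt[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        raise ValueError("bad Request Authenticator: wrong secret or forged packet")
    event, pos = {}, 0
    while pos < len(body):
        ln = body[pos + 1] if pos + 1 < len(body) else 0
        if ln < 2 or pos + ln > len(body):
            raise ValueError("truncated attribute")
        val, name = body[pos + 2:pos + ln], ATTR.get(body[pos])
        if name == "Framed-IP-Address" and len(val) == 4:
            event[name] = str(ipaddress.IPv4Address(val))
        elif name == "Acct-Status-Type" and len(val) == 4:
            event[name] = STATUS.get(struct.unpack("!I", val)[0], "Unknown")
        elif name:
            event[name] = val.decode("utf-8", "replace")
        pos += ln
    return event

def apply_accounting(sessions, event):
    """Update an IP-keyed session table; Framed-IP-Address is what ties the user to a device."""
    ip = event.get("Framed-IP-Address")
    if ip is None:                  # no client IP, no device mapping (compare the NPS caveat)
        return "skipped"
    if event.get("Acct-Status-Type") == "Stop":
        sessions.pop(ip, None)
        return "logout"
    sessions[ip] = {"user": event.get("User-Name"), "mac": event.get("Calling-Station-Id")}
    return "login"
```

A packet whose authenticator does not verify is rejected before any identity is taken from it, and a Start event without Framed-IP-Address is deliberately not mapped to any device.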

 

Chrome Extension

Chromebooks offer a unique challenge for agentless authentication. In a school environment Chromebooks are commonly shared between users, so the normal approach of a one-off captive portal login or wireless authentication is not suitable.

Luckily, Chromebooks are built with identity in mind. Users sign in to the Chromebook with their Google account and are automatically logged in to Google's array of applications.

The School Manager Chrome extension builds on this sign in process and automatically notifies the Family Zone appliance when a user has signed in. This removes the need for the captive portal on Chromebooks and ensures that the correct user is always authenticated with School Manager.

The School Manager Chrome extension can be deployed automatically to all users in your Google Apps Domain.

Details on this process can be found on our Wiki.

 

Directory Services

Directory services are services like Active Directory that provide information on users, such as first name, last name and group membership.

 

| Provider | Method |
| --- | --- |
| Active Directory | LDAPv3 |
| OpenLDAP | LDAPv3 |
| Novell eDirectory | LDAPv3 |
| Google Apps | Google REST API |
| Azure AD/Office 365 | Azure AD REST API |
| Local DB | -- |
 

The Family Zone appliance syncs with a directory provider and retrieves all user and group information. This information is then tied to a user's identity when they log in. School Manager supports several different directory services, but we recommend using only one at a time.

Once configured a directory service is queried on a daily basis for new groups and updated user information. This ensures that changes in the directory service are quickly reflected in Linewize. A manual sync can also be triggered from the cloud dashboard.

 

Timeouts

User sessions are only temporary and will eventually timeout. Without a timeout, users could be associated with a device incorrectly and security would be compromised. The tradeoff with timeouts is that users may frequently have to sign in if not using an automatic authentication mechanism. This sign in process disrupts network access and is intrusive.

School Manager offers two solutions to this problem. Where BYOD devices are in use, we offer permanent associations, and for shared devices session timeouts can be configured in several different ways.

 

Custom Session Timeouts

Administrators can also configure different timeouts for different user groups and VLANs. This allows appropriate timeouts to be set for shared and individual devices.

There are three different types of timeouts.

  • Session Idle Timeout. The idle timeout is the default and is invoked after a certain period of inactivity.
  • Session Elapsed Timeout. The elapsed timeout is hit when a session has existed for a certain period of time.
  • Absolute Timeout. The absolute timeout is invoked for all sessions, regardless of activity or state, at a certain time.

Permanent Associations

Permanent associations are a permanent mapping between a MAC address and a user identity. They are ideal for networks with BYOD devices.

When a permanent association is created either from the School Manager cloud management interface or after a user signs in a mapping is created on the appliance. This mapping is then crosschecked against new devices that appear on the network. When a device matching the MAC address stored in the permanent association joins the network a new session is created. This bypasses all other authentication mechanisms.

For devices that are shared as part of pods or carts, like iPads, permanent associations can be bulk imported in CSV form into the cloud dashboard.
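An added worked example, not code from School Manager, modelling the session table shown earlier in this guide together with the three timeout types from the Custom Session Timeouts section and a MAC-based permanent association that bypasses the portal; the class and method names and the policy values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

@dataclass
class TimeoutPolicy:
    idle: timedelta = None      # Session Idle Timeout: expire after this much inactivity
    elapsed: timedelta = None   # Session Elapsed Timeout: expire this long after login
    absolute: time = None       # Absolute Timeout: expire every session at this time of day

@dataclass
class Session:
    username: str
    mac: str
    ip: str
    login_time: datetime
    last_seen: datetime
    state: str = "ACTIVE"

class SessionStore:
    def __init__(self, policy, permanent):
        self.policy = policy
        self.permanent = {m.lower(): u for m, u in permanent.items()}  # MAC -> username
        self.sessions = {}                                              # MAC -> Session

    def login(self, username, mac, ip, now):
        """Create a session, as an authentication provider does after a sign-in."""
        s = Session(username, mac.lower(), ip, now, now)
        self.sessions[s.mac] = s
        return s

    def device_joined(self, mac, ip, now):
        """A device appears: a matching permanent association bypasses other providers."""
        user = self.permanent.get(mac.lower())
        return None if user is None else self.login(user, mac, ip, now)

    def traffic_seen(self, mac, now):
        s = self.sessions.get(mac.lower())
        if s is not None and s.state == "ACTIVE":
            s.last_seen = now

    def expire(self, now):
        """Apply the three timeout types; return usernames whose sessions went INACTIVE."""
        p = self.policy
        cutoff = datetime.combine(now.date(), p.absolute) if p.absolute else None
        hit = [s for s in self.sessions.values() if s.state == "ACTIVE" and (
            (p.idle and now - s.last_seen >= p.idle) or (p.elapsed and now - s.login_time >= p.elapsed)
            or (cutoff and s.login_time < cutoff <= now))]
        for s in hit:
            s.state = "INACTIVE"
        return [s.username for s in hit]
```

A device with no permanent association returns None from device_joined, which is the point at which a real deployment would send it to the captive portal.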

 
