Hit and miss in captive portal!
  •  
wiki

Kerio Control v9.0.2

I've enabled the "Always require users to be authenticated when accessing web pages" option so that all users are forced to be authenticated, and 98% of the time it works just fine. If I restart the Kerio server or the users pass the inactivity timeout (and are therefore automatically logged out), the authentication page appears as soon as they access any webpage, and everything is fine.

But sometimes, for some users (randomly), the authentication page won't appear and they are granted access to the web without being authenticated in the first place! Time goes by, and after 10 or more minutes of free web surfing(!), suddenly the authentication page appears for them!

Is this a bug or am I missing something here?

Some notes:
The server has a Core i5 CPU with 2GB of RAM, 30GB of storage, a 100MB Ethernet port and 12 users with moderate Internet usage (basically a small office).

[Updated on: Thu, 02 June 2016 07:27]

  •  
Brian Carmichael (Kerio)

Check the active hosts. All devices are listed there. Locate the device which is not authenticated (by IP or hostname). Check if there is in fact an authenticated user. Check to see if the pages you are visiting are appearing in the activity for that host. Perhaps those pages are cached on the client computer, or maybe they are using an Internet proxy that is bypassing the HTTP/HTTPS ports, or maybe they are connecting to the Internet through a different gateway.

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
  •  
wiki

I checked it and found out that the user can surf the web freely without being authenticated if the website uses the https protocol!!! This behavior also occurs if the user uses filter circumvention applications (freegate, hotspot shield, ...)!!!

It's a big and serious flaw! Other competing solutions such as pfSense (I checked it to be sure) won't allow traffic of any kind to pass unless the user is authenticated.
  •  
Petr Dobry (Kerio)

You can change your NAT traffic rule to have Authenticated users as a source. That way no connection will be possible until user authenticates via firewall login page first.

It has been discussed several times in this forum:
http://forums.kerio.com/t/29088/https-sites-open-without-authentication
http://forums.kerio.com/t/6585/

[Updated on: Thu, 02 June 2016 20:00]


Petr Dobry
Product Development Manager | Kerio
  •  
Brian Carmichael (Kerio)

By default Kerio Control allows HTTPS connections when you have authentication enabled because it is not able to redirect the user to the authentication interface. You can choose to block either HTTPS sites or all network traffic while the user is not authenticated. There are instructions in this KB article: http://kb.kerio.com/product/kerio-control/security/configuring-traffic-rules-1312.html#sect-usersinrules
Alternatively, you might consider RADIUS authentication, as this method requires users to authenticate immediately when joining the network. http://kb.kerio.com/product/kerio-control/server-configuration-kerio-control/using-radius-server-in-kerio-control-1648.html

[Updated on: Thu, 02 June 2016 20:18]


  •  
wiki

I applied what you've suggested and now users should be authenticated first to access the internet, but redirection to the login page is disabled now, even for http sites, and users have to manually enter the login page address in their browsers for the login page to show up. What about that?

  • Attachment: Untitled.png

[Updated on: Fri, 03 June 2016 10:48]

  •  
Petr Dobry (Kerio)

Create new rule:
Source: Trusted Interfaces
Destination: Internet interfaces
Service: HTTP,HTTPS
Translation: NAT

This will allow unauthenticated users access to HTTP/HTTPS and they will be redirected by content filter to authenticate.

  •  
wiki

I did what you've suggested; sorry, but we are now back to the first place! Now https web surfing is free again without being authenticated.
  •  
Petr Dobry (Kerio)

Remove HTTPS from that rule then.
Redirect will work only on HTTP.

  •  
wiki

Now it's working. Thanks for your patience and helpful comments.
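
The four rule sets tried in this thread, modelled as a first-match rule table to show what an unauthenticated host gets under each one. This is an added example, not part of the original thread and not Kerio's code; the rule names, the top-down first-match evaluation with an implicit final deny, and the `OTHER` service label are assumptions made for illustration.

```python
from dataclasses import dataclass

ANY = frozenset()  # empty service set means "any service"

@dataclass(frozen=True)
class Rule:
    name: str                  # hypothetical rule names, not Kerio defaults
    source: str                # "trusted" (any LAN host) or "authenticated"
    services: frozenset = ANY

def first_match(rules, service, authenticated):
    """Top-down, first-match evaluation; None means the implicit deny (assumed)."""
    for rule in rules:
        if rule.source == "authenticated" and not authenticated:
            continue
        if rule.services and service not in rule.services:
            continue
        return rule.name
    return None

def outcome(rules, service, authenticated=False):
    # Assumes "Always require users to be authenticated when accessing
    # web pages" is enabled, as in the thread.
    if first_match(rules, service, authenticated) is None:
        return "blocked"
    # Per the thread: only plain HTTP from an unauthenticated host can be
    # redirected to the login page; permitted HTTPS simply passes.
    if not authenticated and service == "HTTP":
        return "redirect-to-login"
    return "allowed"

NAT_AUTH = Rule("nat-authenticated", "authenticated")
CONFIGS = {
    "original": [Rule("nat-trusted", "trusted")],
    "auth-only": [NAT_AUTH],
    "http+https": [Rule("web", "trusted", frozenset({"HTTP", "HTTPS"})), NAT_AUTH],
    "http-only": [Rule("web", "trusted", frozenset({"HTTP"})), NAT_AUTH],
}

def unauthenticated_matrix(rules):
    # "OTHER" stands for any non-web service, e.g. a circumvention tunnel.
    return {svc: outcome(rules, svc) for svc in ("HTTP", "HTTPS", "OTHER")}

if __name__ == "__main__":
    for label, rules in CONFIGS.items():
        print(f"{label:11}", unauthenticated_matrix(rules))
```

Only the last configuration gives both properties the original poster wanted: HTTP is redirected to the login page, and everything else stays blocked until the user authenticates.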