Barracuda Web Security Gateway

When using LDAP/Active Directory authentication with DC Agents, why does an unauthenticated user sometimes get the policy privileges of a domain user when using the Barracuda Web Filter?

  • Type: Knowledgebase
  • Date changed: 6 years ago

Solution #00004005

 

Scope:
All Barracuda Web Filters, all firmware versions, using LDAP/AD and DC Agent authentication.

Answer:
This issue usually occurs when a domain user logs out and the IP address assigned to that user's client is reassigned to a non-domain (guest) user's client. Because Windows Domain Controllers do not have a mechanism to reliably capture logout events, the Barracuda Web Filter cannot detect when the IP address is released. The IP address is associated with a new user only when that new user logs in to the domain as a valid domain user.
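The following added example (not Barracuda code) replays DHCP lease events against domain logon events to find IP addresses whose user association was learned from a different device than the one now holding the lease. It assumes you can export both feeds with timestamps and that the DHCP log records the client MAC; the tuple layouts, addresses and user names are constructed for illustration.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"
# Constructed sample events, not real logs; the tuple layouts are assumptions.
DHCP_LEASES = [  # (time, ip, client MAC)
    ("2024-01-10 08:00", "10.0.5.20", "aa:aa:aa:00:00:01"),
    ("2024-01-10 08:05", "10.0.5.21", "aa:aa:aa:00:00:02"),
    ("2024-01-10 13:00", "10.0.5.20", "bb:bb:bb:00:00:09"),  # IP handed to another device
    ("2024-01-10 14:00", "10.0.5.21", "aa:aa:aa:00:00:02"),  # renewal, same device
]
DOMAIN_LOGONS = [  # (time, ip, domain user)
    ("2024-01-10 08:02", "10.0.5.20", "CORP\\alice"),
    ("2024-01-10 08:06", "10.0.5.21", "CORP\\bob"),
]

def find_stale_mappings(leases, logons):
    """Replay both feeds in time order; return IPs whose user association
    was learned from a different device than the one now holding the lease."""
    events = [(datetime.strptime(t, FMT), 0, ip, mac) for t, ip, mac in leases]
    events += [(datetime.strptime(t, FMT), 1, ip, user) for t, ip, user in logons]
    holder = {}   # ip -> MAC currently holding the lease
    mapping = {}  # ip -> (user, MAC holding the IP when the user logged on)
    stale = {}    # ip -> finding
    for when, kind, ip, value in sorted(events):
        if kind == 0:  # DHCP lease or renewal
            holder[ip] = value
            user, logon_mac = mapping.get(ip, (None, None))
            if user and logon_mac and logon_mac != value:
                # No logout event exists, so the old user stays attached to the IP.
                stale[ip] = {"ip": ip, "user": user, "logon_mac": logon_mac,
                             "current_mac": value, "since": when.strftime(FMT)}
            else:
                stale.pop(ip, None)  # original device holds the IP again
        else:  # a domain logon replaces whatever association existed
            mapping[ip] = (value, holder.get(ip))
            stale.pop(ip, None)
    return [stale[ip] for ip in sorted(stale)]

if __name__ == "__main__":
    for finding in find_stale_mappings(DHCP_LEASES, DOMAIN_LOGONS):
        print(finding)
```

Each finding marks a window in which traffic from the new device would be filtered under the previous domain user's policy.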


This issue can be addressed using any of the methods described below:

 

Configure your DHCP server to use separate IP pools for guest accounts and domain users.
This method eliminates the sharing of IP addresses between a non-domain user's client and a domain user's client. Separate IP pools ensure that the user-to-IP address association is distinct and current every time a domain user logs on.

 

Use NTLM/Kerberos authentication instead of LDAP/Active Directory.
Because NTLM and Kerberos are session-based authentication mechanisms, they do not rely on an IP address to distinguish authenticated users. Refer to the following solutions for details on configuring NTLM or Kerberos authentication on your Barracuda Web Filter.

 

Solution #00003975 Kerberos Authentication

Solution #00003296 NTLM Authentication


Use Session Parameters to automatically log LDAP users out of the Barracuda Web Filter.

Automatically logging users out prevents new workstations from picking up IP addresses that have already been authenticated to a domain user. This setting can be found on the Users/Groups > Configuration page, under Session Parameters. Change the Authentication Session Length to the lease time for your DHCP server, and select Yes for Apply Session parameters to DC Agent/eDirectory logins.

 

Link to This Page:
http://www.barracuda.com/kb?id=50160000000HbDB