How is guest authentication configured?
How are non-domain workstations allowed access to the Internet while authenticating domain computers?
The ProxySG appliance has transparent authentication configured for users who authenticate to the Windows Active Directory. When a user who does not have rights on the domain visits the office, it is desirable to provide them with access to Internet resources without configuring a user account for them on the domain.
When setting up guest authentication policy, a couple of things need to be determined:
When guest access is permitted. In most cases, guests are allowed only where access does not require them to be authenticated.
Will the realms attempt to authenticate users first and fall back to guest authentication, or authenticate users as guest users without attempting authentication?
Configure a second Web Authentication Layer (using step 3 above as a template), labeled 'Guest authentication', and configure a rule in this layer as follows:
DO NOT define an authentication mode here. Doing so prevents the policy from installing.
Define a guest userid. This is how user requests that match this policy will appear in access logs. This guest account does not have any correlation to accounts configured in the Windows Active Directory.
Set the Action in this rule to an 'Authenticate Guest Object', with the IWA realm set in the Guest Realm portion of the configuration.
Set the Source to 'Any User Authentication Errors'.
Ensure that policy ordering follows policy best practices. For these two authentication layers, position the Web authentication layer first and then, to its right, the guest authentication layer.
As a further recommendation, web access layer rules can be defined with a source of 'guest user'. This allows a proxy administrator to craft rules that define where a guest user is permitted to go, while still permitting standard levels of access for all authenticated users.
Note: If a transaction matches both a regular authentication action and guest authentication action, the appliance attempts regular authentication first. This can result in a user challenge before failing over to guest authentication. If a user enters invalid credentials and is thus allowed guest access, they must log out as guest or close and reopen the browser if using session cookies or connection surrogates. They can then enter the correct credentials to obtain regular access.
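Because the guest userid is what appears in access logs, the logs can be audited for guest requests that were served outside the guest rules and for clients logged under both the guest userid and another username (the failover case in the note above). The following Python sketch is an added example, not part of the original article or the product; the log sample is constructed, and the `guest` userid, the allow-list and the choice of ELFF fields are assumptions.

```python
import csv
from collections import defaultdict

GUEST_ID = "guest"                   # assumption: userid defined in the guest rule
GUEST_ALLOWED = {"www.example.com"}  # assumption: hosts the guest rules permit

# Constructed sample in ELFF layout; field choice and values are illustrative.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-host sc-filter-result
2024-05-01 09:00:01 10.0.5.20 guest www.example.com OBSERVED
2024-05-01 09:00:07 10.0.5.20 guest intranet.corp.example OBSERVED
2024-05-01 09:01:12 10.0.1.15 CORP\\alice intranet.corp.example OBSERVED
2024-05-01 09:02:30 10.0.1.15 guest www.example.com OBSERVED
2024-05-01 09:03:00 10.0.5.21 - www.example.com DENIED
"""

def parse_elff(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = []
    for row in csv.reader(text.splitlines(), delimiter=" "):
        if not row:
            continue
        if row[0] == "#Fields:":
            fields = row[1:]
        elif not row[0].startswith("#") and len(row) == len(fields):
            yield dict(zip(fields, row))

def audit_guest(text, guest_id=GUEST_ID, allowed=GUEST_ALLOWED):
    """Report guest requests outside the allow-list and clients seen under both
    the guest userid and another username."""
    users_by_ip = defaultdict(set)
    off_policy = []
    for entry in parse_elff(text):
        user, ip, host = entry["cs-username"], entry["c-ip"], entry["cs-host"]
        if user != "-":
            users_by_ip[ip].add(user)
        served = entry["sc-filter-result"] != "DENIED"
        if user == guest_id and served and host not in allowed:
            off_policy.append((ip, host))
    mixed = sorted(ip for ip, users in users_by_ip.items()
                   if guest_id in users and len(users) > 1)
    return {"off_policy": off_policy, "mixed_clients": mixed}

if __name__ == "__main__":
    print(audit_guest(SAMPLE_LOG))
```

A client listed under `mixed_clients` may be a domain user who entered invalid credentials and is still browsing as guest; an `off_policy` entry points at a gap in the guest rules of the web access layer.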