A user who logs in locally receives a DHCP IP address and inherits the access rights of the user who previously used that address.



Solution

Overview

In some cases a user who logs in locally to a workstation, and who is not supposed to have access to any websites through the ProxySG, can nevertheless reach those websites even though the ProxySG policy denies them. This happens because the workstation has been assigned a DHCP IP address that was previously used by another user who was allowed to browse those websites.

This situation can occur in a Windows SSO environment (using Domain Controller Query).

Cause

This issue is caused by the following settings in the sso.ini file on the BCAAA server:

****************************************************************************
[DCQSetup]

; The number of seconds that a logon, found by querying the domain
; controller, should be considered valid. By default logons are
; valid until another user logons at the same IP address.

; Make logons valid for one day
; ValidTTL=86400

****************************************************************************

Read the comment carefully: with ValidTTL left commented out (the default), a logon found by Domain Controller Query never expires on its own; the IP-to-user mapping is replaced only when another user logs on through the domain at the same IP address. With ValidTTL=86400 set, as in the example, the mapping is trusted for one day (24 hours) regardless of whether the workstation still holds that address. In either case BCAAA learns nothing when a DHCP lease expires.

Assume User A is a domain user who is allowed by ProxySG policy to reach the websites, and User B logs on to the workstation with a local account (not a domain account) and is not supposed to reach them.

In the following sequence:

1. User A logs on to the domain, browses a website as usual, and then logs off.
2. The DHCP lease for User A's IP address expires and the address returns to the pool.
3. User B logs on locally (not to the domain) to a workstation, and that workstation is issued the DHCP IP address that User A's workstation previously held.
4. All of this happens within the ValidTTL window (one day, or 24 hours, with ValidTTL=86400).

User B can now browse the website even though policy does not allow it.

When User B browses through the ProxySG, the ProxySG sends the client IP address to the BCAAA server. BCAAA finds that IP in its 'Ip-to-User' table (the entry is still within its validity window) and tells the ProxySG that the IP belongs to User A. Because User A is permitted by ProxySG policy, the request is allowed. Neither the ProxySG nor BCAAA knows User B's username: a local logon generates no domain controller logon event, so nothing replaces the stale mapping.
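The lookup described above, as an added model that is not BCAAA or ProxySG code: it parses the [DCQSetup] fragment quoted in this article with Python's configparser, keeps an in-memory stand-in for the 'Ip-to-User' table with the semantics the article describes (one mapping per IP, replaced by the next domain logon at that IP, expired after ValidTTL seconds only when that key is set), and replays the User A / User B timeline. The usernames, the address 10.0.0.42, the timestamps and the allow-list are constructed sample data, and the ValidTTL values tried at the end are illustrative, not a recommendation from the article.

```python
"""Model of the BCAAA Domain Controller Query (DCQ) ip-to-user lookup and of
how sso.ini's ValidTTL bounds the window in which a reassigned DHCP address
inherits the previous user's identity.

Added illustration for this article; it is not BCAAA or ProxySG code. The
[DCQSetup] parsing follows the fragment quoted in the article, and the table
semantics are the ones the article describes: one mapping per IP, replaced by
the next domain logon at that IP, expired after ValidTTL seconds when that key
is set. Users, addresses, timestamps and the allow-list are constructed data.
"""
from __future__ import annotations

import configparser
from dataclasses import dataclass
from typing import Optional

# Constructed sso.ini fragment, identical in shape to the article's quote.
SSO_INI_DEFAULT = """\
[DCQSetup]
; The number of seconds that a logon, found by querying the domain
; controller, should be considered valid. By default logons are
; valid until another user logons at the same IP address.

; Make logons valid for one day
; ValidTTL=86400
"""


def ini_with_valid_ttl(seconds: int) -> str:
    """Constructed variant with the ValidTTL line uncommented and set."""
    return SSO_INI_DEFAULT.replace("; ValidTTL=86400", f"ValidTTL={seconds}")


def read_valid_ttl(ini_text: str) -> Optional[int]:
    """Return ValidTTL from [DCQSetup], or None when it is absent or commented
    out, i.e. the default: a mapping lives until another logon at that IP."""
    cp = configparser.ConfigParser()  # lines starting with ';' or '#' are comments
    cp.read_string(ini_text)
    if cp.has_option("DCQSetup", "ValidTTL"):
        return cp.getint("DCQSetup", "ValidTTL")
    return None


@dataclass
class Logon:
    user: str
    seen_at: int  # epoch seconds at which the DC reported the logon


class DcqIpToUserTable:
    """In-memory stand-in for BCAAA's DCQ 'Ip-to-User' table."""

    def __init__(self, valid_ttl: Optional[int]):
        self.valid_ttl = valid_ttl
        self._by_ip: dict[str, Logon] = {}

    def record_logon(self, ip: str, user: str, now: int) -> None:
        """A domain logon seen on the DC replaces whatever was mapped to the IP.
        A local (non-domain) logon produces no DC event, so it never gets here."""
        self._by_ip[ip] = Logon(user, now)

    def lookup(self, ip: str, now: int) -> Optional[str]:
        """Answer a ProxySG query for the user at `ip`. DHCP lease expiry is
        invisible to BCAAA, so only ValidTTL or a newer logon can evict an entry."""
        entry = self._by_ip.get(ip)
        if entry is None:
            return None
        if self.valid_ttl is not None and now - entry.seen_at > self.valid_ttl:
            del self._by_ip[ip]
            return None
        return entry.user


# Constructed ProxySG policy: only User A may browse.
ALLOWED_USERS = {"CORP\\usera"}


def replay_scenario(ini_text: str, seconds_after_logon: int) -> tuple[Optional[str], bool]:
    """Replay the article's timeline and return (user BCAAA reports, allowed?).

    User A logs on through the domain at 10.0.0.42 and later logs off; the DHCP
    lease lapses; User B's workstation, after a local logon, is issued 10.0.0.42
    and browses `seconds_after_logon` seconds after User A's logon.
    """
    table = DcqIpToUserTable(read_valid_ttl(ini_text))
    t_logon_a = 1_700_000_000
    table.record_logon("10.0.0.42", "CORP\\usera", t_logon_a)
    # User A logs off, the lease expires and 10.0.0.42 is handed to User B.
    # None of that reaches BCAAA, and User B's local logon emits no DC event.
    t_browse = t_logon_a + seconds_after_logon
    reported = table.lookup("10.0.0.42", t_browse)
    allowed = reported is not None and reported in ALLOWED_USERS
    return reported, allowed


if __name__ == "__main__":
    cases = [
        ("default (no ValidTTL), 3 d later", SSO_INI_DEFAULT, 3 * 86400),
        ("ValidTTL=86400, 1 h later", ini_with_valid_ttl(86400), 3600),
        ("ValidTTL=86400, 25 h later", ini_with_valid_ttl(86400), 25 * 3600),
        ("ValidTTL=300, 1 h later", ini_with_valid_ttl(300), 3600),
    ]
    for label, ini, delay in cases:
        print(f"{label:34s} -> {replay_scenario(ini, delay)}")
```

Running it shows the three states the article's comment block implies: with ValidTTL commented out, User B is still reported as User A days later; with ValidTTL=86400, the stale mapping survives for the full day and only then disappears; a much shorter TTL closes the window before User B's request arrives. Whichever value you choose, a new domain logon at the same address is the only other event that replaces the entry, because BCAAA never sees DHCP lease changes.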
InQuira Doc Id: KB4255
First Published: 10/01/2014
Last Modified: 10/01/2014
Last Published: 10/01/2014
Product: ProxySG
Topic: Authentication, BCAAA
Article Number: 000007969