Authentication Methods

Three methods of deciding which filter profile to use are currently implemented. The following outlines each of them and how they interact.

Note that these three mechanisms are not mutually exclusive: it is perfectly possible for all three methods to be used at the same time. For example, port 8080 can be left as the default for AD authentication while ports 8081-8084 are each used for Port based authentication, and particular computers are assigned profiles based on their IP address. The actual profile assigned to a user will then depend on the port their browser is assigned (perhaps via a Group Policy in the AD) and which computer they are using.

The order in which the various authentication mechanisms are applied is the same as the order above. However:

The interaction between AD and Location based authentication is particularly important to understand: the priority of location over AD group has implications for how the locations are set up in each case.

For sites NOT using AD based authentication the use of locations can provide a way to apply a profile to users which depends upon where they are: whether they are, for example, in a particular classroom, the library, or staffroom. Clearly there will be no personal identification of the user in the filter server logs but the combination of Group Policies, Location and Port based filter authentication can be used to provide a good level of control over who gets which profile.

If sites DO use AD based authentication then locations should be used more sparingly: for specific locations where there is no requirement for network login (an open access kiosk in the foyer for example). If they are used too broadly (a "whole-school" location for example) then AD authentication will never be reached as the location will always take precedence.
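The shadowing problem described above can be checked before a configuration goes live. The following is an added example, not code from the filter product: the location names, networks, profile names and the "most specific location wins" rule are assumptions made for illustration, and port based authentication is left out because its position in the order is not given here.

```python
import ipaddress

# Constructed sample configuration (names, networks and profiles are hypothetical).
DEFAULT_PROFILE = "default"
LOCATIONS = {
    "foyer-kiosk": ("10.1.9.20/32", "kiosk"),
    "whole-school": ("10.1.0.0/16", "student"),
}
AD_GROUP_PROFILES = {"Staff": "staff", "Year12": "senior"}
# Networks whose users log in to the domain and should get an AD based profile.
AD_CLIENT_NETWORKS = ["10.1.20.0/24", "10.1.30.0/24"]


def resolve_profile(client_ip, ad_group, locations=LOCATIONS):
    """Return (profile, mechanism). Location is checked before AD group,
    which is the priority the page describes."""
    ip = ipaddress.ip_address(client_ip)
    matches = [
        (ipaddress.ip_network(cidr), profile)
        for cidr, profile in locations.values()
        if ip in ipaddress.ip_network(cidr)
    ]
    if matches:
        # Assumption: when several locations match, the narrowest one applies.
        _net, profile = max(matches, key=lambda m: m[0].prefixlen)
        return profile, "location"
    if ad_group in AD_GROUP_PROFILES:
        return AD_GROUP_PROFILES[ad_group], "ad"
    return DEFAULT_PROFILE, "default"


def shadowing_locations(locations=LOCATIONS, ad_networks=AD_CLIENT_NETWORKS):
    """List (location, ad_network) pairs where a location overlaps a network
    that is meant to reach AD authentication."""
    findings = []
    for name, (cidr, _profile) in sorted(locations.items()):
        loc_net = ipaddress.ip_network(cidr)
        for ad_cidr in ad_networks:
            if loc_net.overlaps(ipaddress.ip_network(ad_cidr)):
                findings.append((name, ad_cidr))
    return findings


if __name__ == "__main__":
    for name, ad_cidr in shadowing_locations():
        print(f"location {name!r} overrides AD authentication for {ad_cidr}")
    print(resolve_profile("10.1.20.5", "Staff"))
```

With the sample data, the "whole-school" location is reported against both AD client networks, and a Staff member on 10.1.20.5 receives the location's profile instead of the one assigned to their AD group.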

In general, when setting up any of the authentication mechanisms, it is best to work by exceptions. In other words, when setting up the basic configuration, set the defaults first and then gradually add exceptions. For example, set the default profile; then add any specific locations required, any port based profiles required, or assign filter profiles to AD groups.